
Publication page: https://www.researchgate.net/publication/374338752
Cyber security project; comprises an Investigation plan, Security plan, Security policy and a Reflective journal for an incident involved in a Ransomware Attack

Technical Report · March 2023

DOI: 10.13140/RG.2.2.11392.40961


Author: Ashley N. Wicks, AARNET / Swinburne University of Technology


All content following this page was uploaded by Ashley N. Wicks on 01 October 2023.



Cyber security project; investigation plan, security plan, security policy and reflective 1
journal involved in a Ransomware Attack

Cyber security project; comprises an Investigation plan, Security plan, Security policy and a Reflective journal for an incident involved in a Ransomware Attack

Ashley N. Wicks
Master of Cybersecurity Management
Swinburne University of Technology
Hawthorn VIC Australia · 1300 794 628
Email: [email protected]

Abstract: This thesis brings the key components of a contemporary cyber security engagement together into one framework. First, the investigation plan sets out eight sections, each with methodological signposts for the investigating team, together with supporting tools such as track sheets.

Second, the security plan sets out nine steps that give a business a practical blueprint for establishing a durable security posture. The emphasis is on adaptability, so that the organisation can keep reinforcing its defences against a changing threat landscape.

Third, the security policy section develops an Access Control Policy in twelve sections. Each section states the recommended security controls and techniques, selected to pre-empt data compromise and ransomware attacks, and acts as a barrier against a class of breach.

Finally, a reflective journal records how the project was carried out, examining its practical challenges and successes.

Together, the four parts combine theoretical frameworks with practical implementation and are intended as both an academic resource and a working guide for practitioners and scholars dealing with contemporary cyber security initiatives.

Keywords: Investigation Plan, RDP protocol, Cyber Forensics, Cybercrime, Forensic mode, Information security Plan, Asset Evaluation, GRC, Incident Response, Risk Threshold, Security Operations, Policy, Security Controls, Remote Access protocol, Privacy requirements, Information Policy, NIST SP 800-53A, Reflective journal.

Biographical notes: Ashley is a hybrid security operations engineer/analyst in Australia with 4 years of experience in cyber security and 8 years of experience in telecommunications and networking across several businesses (NBN, Foxtel, Tandem, BSA). Her research interests include a ransomware investigation plan, a security plan to uplift business security posture as post-incident remediation, policy creation reflecting that uplift, and a reflective journal discussing how the research project was carried out. She was awarded distinctions and high distinctions in the master's degree and was recruited as a student mentor. She is also the founder of Zybersec PTY LTD.

Executive summary

Toll Holdings Ltd faces an upward trend in cyber threats and, in particular, in ransomware attacks. Although its core business is logistics, Toll suffered not one but two major ransomware attacks within a single year, 2020. The first infection, in January 2020, was Mailto; the second was Nefilim. The first attack caused six weeks of service interruption and a large profit loss: 'track and trace' on deliveries and other services were unavailable, core corporate systems such as Active Directory and the corporate VPN were affected, and a further 500 applications and 1,000 servers were disrupted. The second attack shut down a critical number of IT systems, with the initial exposure traced to Remote Desktop Services. In both cases Toll Holdings Ltd announced that it would not pay the ransom and fell back to manual processes as its incident response strategy.

Reducing Toll Holdings Ltd's overall cyber risk depends on the risk mitigation framework adopted to identify, protect, detect, respond, and recover. The major risks at this stage are: misconfigured security measures (such as the RDP protocol); a lack of security measures on business-critical servers; a lack of incident response and roll-back strategies for restoration; and a lack of security awareness among employees and third-party contractors.

Toll Holdings Ltd clearly needs to remain vigilant to avoid larger losses or reputational damage. The 'track and trace' service is predominantly used by clients, and the public may be discouraged from continuing to use Toll's services. If major applications and servers remain exposed to threats and vulnerabilities, attackers could exploit the IT systems at a larger scale, leading to larger profit losses, regulatory fines, or ransom demands. Cyber incidents could therefore obstruct the implementation of processes that improve logistics, destabilise consumer trust, and restrict the use of needed logistics resources.

Establishing and sustaining a sound cybersecurity posture is paramount for Toll Holdings Ltd, a global logistics company offering freight, warehouse, and distribution services that is, at this stage, relatively immature in cyber security. This report comprises an investigation plan, an information security plan, and an access control policy. Together they offer a compendium of easy-to-implement, action-oriented, goal-focused measures for establishing and enhancing the security posture of the organisation, its customers and its third parties, along with information on cyber incidents, ransomware attacks, and building a security-aware workforce culture.

Why prepare and implement the proposed security strategies? Like wilderness survival experts, threat and vulnerability hunters succeed through skill, an eagerness to learn and adapt, and vigilance to potential threats. Adversaries are getting better at sneaking into networks and lurking undetected for weeks or even months, gathering information and escalating privileges before they launch their attack and demand a ransom. Organisations equipped with effective threat and vulnerability hunters can, however, build a sustainable security posture through proactive preparation, as set out in this report's three major components: an investigation plan, an information security plan, and an access control policy.

PROJECT (INVESTIGATION PLAN)

Forensic Investigation Plan, Toll Holdings Ltd, November 2022

Figure 1 Steps for conducting computer forensics investigations.

1. Determine the type of attack that occurred.

Types of attacks
1. Military and intelligence attacks
2. Business attacks
3. Financial attacks
4. Terrorist attacks
5. Grudge attacks
6. Thrill attacks (Chapple et al., 2021)

Attackers have different motives, and identifying the group claiming responsibility helps recognise the type of attack that occurred. Once the motive is known, countermeasures can be chosen to prevent future attacks of that type. The parties involved in the investigation also vary with the type of attack: a business attack carried out purely for commercial gain would involve different parties from a military or intelligence attack. As this is a ransomware attack on a major Australian logistics and transportation company, a wholly owned subsidiary of a Japanese corporation, it could be a business attack, a financial attack, a grudge attack, or a thrill attack. Obtaining the timeline of the attack and all other available information helps to decide.

2. Determine what type(s) of investigation need to be carried out.


Investigations can be categorised into several types

1. Administrative investigations
2. Criminal investigations
3. Civil investigations
4. Regulatory investigations

Once the type of ransomware attack and the motive are determined, the attack timeline helps determine which type(s) of investigation to carry out. As this is a ransomware attack on a major Australian logistics and transportation company, a wholly owned subsidiary of a Japanese corporation, the investigation must follow criminal investigation procedures. Given that Toll suffered two major attacks of a similar type, both scenarios need to be evaluated and investigated to fully understand their causes and to implement countermeasures that prevent future attacks.

3. Determine the damage so far and what actions need to be taken to prevent further damage.
3.1. Ransomware incident response plan
• Step 1: Disconnect all affected network devices and contain/isolate the affected systems.
• Step 2: Determine the scope of infection, checking:
o External hard drives
o USB storage devices of any kind (USB sticks, memory cards, attached phones/cameras)
o Shared or mapped drives
o Shared or mapped folders from other computers
o Network attached storage devices of any sort
o Cloud-based storage (Dropbox, Google Drive, OneDrive etc.)
• Step 3: Use the DLP tool and SIEM logs to determine whether any sensitive data has been leaked or any credential harvesting has taken place.
• Step 4: Establish the strain of the ransomware.
• Step 5: Determine the response:
o If data and credentials were stolen and encrypted and there are no backups, decide whether paying the ransom is worth considering.
o If there are backups, determine the steps to roll back to the most recent backup and restore services.
o Identify the strain and version of the ransomware if possible and attempt to decrypt the files.
o Back up the encrypted files, after removing the ransomware, for possible future decryption.
• Step 6: Lessons learned, and implementing countermeasures to detect and prevent future ransomware attacks.
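Step 2 above (determining the scope of infection across local, mapped and network storage) is usually done by triage rather than by hand. The following is an added example, not code from the report: ransomware output is ciphertext, so encrypted files have near-maximal byte entropy, and a walk over a share that flags high-entropy files in extensions that should be plain is a quick first pass at scope. The directory contents, the 7.5 bits/byte threshold and the list of formats that are high-entropy by design are all assumptions for the example.

```python
"""Added example (not part of the original report): entropy triage for the
'determine the scope of infection' step. The sample share is constructed in a
temporary directory so the script runs offline."""
import math
import os
import tempfile
from collections import Counter

# Assumption: formats that are compressed or encrypted legitimately and so have
# high entropy by design; skipped to reduce false positives.
HIGH_ENTROPY_BY_DESIGN = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}

# Assumption: 8 bits/byte is the maximum; text and office documents sit well below 7.5.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_tree(root: str, threshold: float = ENTROPY_THRESHOLD):
    """Return a sorted list of (relative_path, entropy) for files above `threshold`.

    Paths are normalised to forward slashes so results compare across platforms."""
    suspects = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in HIGH_ENTROPY_BY_DESIGN:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)  # the first 64 KiB is enough for a verdict
            ent = shannon_entropy(head)
            if ent >= threshold:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                suspects.append((rel, round(ent, 2)))
    return sorted(suspects)


def build_sample_share() -> str:
    """Construct a mapped-share lookalike (constructed sample data, not artefacts
    from the real incident): one intact CSV, one file overwritten with random
    bytes and renamed, and one photo that is high-entropy but expected."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "invoices.csv"), "w") as fh:
        fh.write("invoice,amount\n" * 500)
    with open(os.path.join(root, "finance", "contracts.docx.locked"), "wb") as fh:
        fh.write(os.urandom(32 * 1024))
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(os.urandom(8 * 1024))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, ent in scan_tree(share):
        print(f"SUSPECT {rel} entropy={ent}")
```

In a real incident the same scan is pointed at each mapped drive, NAS export and cloud sync folder listed in Step 2, and the extension skip-list is tuned to the organisation's file types; a hit on a file whose name also carries an unfamiliar suffix is the usual first indicator of which shares the ransomware reached.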

4. Determine the intent and scope of the investigation.

According to the information available at this stage, the exposure came through Remote Desktop Services. The investigation should therefore cover every aspect of the current Remote Desktop Protocol (RDP) deployment, set industry best practices and a benchmark for using RDP, and define how achievement of the benchmark will be measured and maintained in future.

Remote Desktop Protocol (RDP) - Internet-exposed RDP sessions are another very common means of infecting networks. RDP is used to log in to Windows computers remotely and control them as if the user were sitting in front of them. The protocol typically listens on TCP port 3389, and many organisations allow traffic from the internet through their firewall so that people can reach computers remotely. Attackers have become increasingly skilled at compromising these exposed hosts and using them to spread malware within a network. RDP is exploited either through an unpatched vulnerability or through password guessing, because the victims chose very weak passwords and/or did not enable account lockout protections. (Ransomware Simulator: Testing Tool for Malware | KnowBe4, n.d.)
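The password-guessing path described above leaves a recognisable trace in the Windows Security log: a burst of event ID 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, followed by a 4624 (successful logon) from the same address. The following is an added example, not part of the report, that runs that detection over constructed sample events; the five-failures-in-ten-minutes threshold and the key=value line format are assumptions (a real deployment would take the same fields from Get-WinEvent or the SIEM).

```python
"""Added example (not part of the original report): detecting RDP password
guessing from Windows Security events. Event ID 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: 5 failures from one source inside 10 minutes is a
# guessing burst; a later 4624 from the same source is a probable compromise.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

# Constructed sample events, not logs from the real incident.
SAMPLE_LOG = [
    "TimeCreated=2020-05-01T02:10:05 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "TimeCreated=2020-05-01T02:10:09 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
    "TimeCreated=2020-05-01T02:10:14 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7",
    "TimeCreated=2020-05-01T02:10:20 EventID=4625 LogonType=10 TargetUserName=svc_rdp IpAddress=203.0.113.7",
    "TimeCreated=2020-05-01T02:10:27 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "TimeCreated=2020-05-01T02:10:35 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "TimeCreated=2020-05-01T02:11:30 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7",
    "TimeCreated=2020-05-01T02:12:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40",
    "TimeCreated=2020-05-01T02:12:05 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.20.30.40",
    "TimeCreated=2020-05-01T02:13:00 EventID=4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.7",
]


def parse_event(line: str) -> dict:
    """Parse one 'key=value key=value' line into a dict with typed fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["EventID"] = int(fields["EventID"])
    fields["LogonType"] = int(fields["LogonType"])
    fields["TimeCreated"] = datetime.fromisoformat(fields["TimeCreated"])
    return fields


def detect_rdp_bruteforce(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return {source_ip: {"attempts", "accounts", "compromised"}} for every
    source that exceeded `threshold` RDP failures inside `window`."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["TimeCreated"])
    failures = defaultdict(list)   # ip -> timestamps of type-10 4625 events in the window
    accounts = defaultdict(set)    # ip -> account names that were tried
    findings = {}
    for ev in events:
        if ev["LogonType"] != 10:
            continue               # console, service and network logons are out of scope
        ip = ev["IpAddress"]
        if ev["EventID"] == 4625:
            ts = ev["TimeCreated"]
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            accounts[ip].add(ev["TargetUserName"])
            if len(failures[ip]) >= threshold:
                findings.setdefault(ip, {"attempts": 0, "accounts": [], "compromised": []})
                findings[ip]["attempts"] = len(failures[ip])
                findings[ip]["accounts"] = sorted(accounts[ip])
        elif ev["EventID"] == 4624 and ip in findings:
            # success after the guessing burst: treat the account as compromised
            findings[ip]["compromised"].append(ev["TargetUserName"])
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

The single mistyped password from 10.20.30.40 never reaches the threshold, while 203.0.113.7 cycles through several account names and then succeeds; that success-after-burst pattern is the one to alert on, because a lockout policy would have stopped the burst before the sixth attempt.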

Scope and the steps for the problem-solving approach

Step 1: Identify the damage so far, prevailing risks, and the organisation's risk appetite
Step 2: Mitigate or minimise the current risks
Step 3: Analyse and recover the digital evidence
Step 4: Investigate the data you recover
Step 5: Complete the case report
Step 6: Critique the case

Figure 2 Scope and the steps for the problem-solving approach (Cichonski et al., 2012)

Policies, standards, plans, procedures, and guidelines for incident response need to be revised or created, and interactions with outside parties need to be included in them. Strategies and goals with key performance metrics need to be established and approved by senior management. In a scenario like this, the organisation should maintain guidelines on communicating with the various types of outside parties about the evidence that has been collected and that still needs to be collected for the investigation to proceed, as shown in the figure below. If no such procedures and guidelines exist, they need to be established.

Figure 3 Component of Incident Response Team (Cichonski et al., 2012)



5. Determine the impact of legal and regulatory restrictions.


In a cyberattack of this nature it is paramount to find out whether any notifiable data exposure has occurred in any region around the globe. Depending on the nature of the data exposure (if any), legal obligations must be met within a set time frame to avoid fines. Crisis communications also need to be carried out in a timely manner through the appropriate media channels.
Initial queries the investigators should pursue:

§ Does the company have current employee policies?
§ If so, how current are they?
§ Do the policies address the problem or incident?
§ Will this incident be prosecuted (criminal or civil)?
§ Obtain the HR manager's opinion or viewpoint
§ Obtain legal counsel's opinion or viewpoint (Cichonski et al., 2012)

6. Establishing the facts of the case using forensic techniques and approaches.
Establish the facts using this framework:

• What do we know? (at that point in time)


• What don’t we know?
• What are the implications for the organisation?
§ Operational Performance
§ Business continuity
§ Financial
§ Compliance
§ Key stakeholders
• Customers
• Employees
• Third-party vendors
• Regulators & government
• Investors
§ Reputation

7. Gathering and preserving evidence.


The Electronic Discovery Reference Model (EDRM) provides a standard process for conducting eDiscovery in nine steps:

1. Information Governance
2. Identification
3. Preservation
4. Collection
5. Processing
6. Review
7. Analysis
8. Production
9. Presentation (Chapple et al., 2021)
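The Preservation and Collection steps, and the "competent evidence" requirement below, rest on one mechanical control: hash every item at acquisition and repeat the hash on every hand-over recorded in the chain-of-custody form (Table 6). The following is an added example, not part of the report, showing that control in code; the item identifier, share path, actor names and the sample file are constructed for the example.

```python
"""Added example (not part of the original report): SHA-256 acquisition hash
plus an append-only chain-of-custody log whose entries each repeat the hash,
so that verification can show the item is unchanged since collection."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256; evidence images can be large."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one evidence item."""

    def __init__(self, item_id: str, source: str, collected_by: str, path: str):
        self.item_id = item_id
        self.path = path
        self.acquisition_hash = sha256_file(path)
        self.entries = []
        self._append("collected", collected_by, source)

    def _append(self, action: str, actor: str, note: str = ""):
        self.entries.append({
            "item": self.item_id,
            "action": action,
            "actor": actor,
            "note": note,
            "time": datetime.now(timezone.utc).isoformat(),
            "sha256": sha256_file(self.path),   # recomputed at every event
        })

    def transfer(self, from_actor: str, to_actor: str, reason: str):
        """Record a hand-over as a release by one party and a receipt by the next."""
        self._append("released", from_actor, reason)
        self._append("received", to_actor, reason)

    def verify(self) -> bool:
        """True only if the item still matches its acquisition hash and every
        logged hash is identical, i.e. nobody altered it between hand-overs."""
        current = sha256_file(self.path)
        return current == self.acquisition_hash and all(
            e["sha256"] == self.acquisition_hash for e in self.entries)

    def to_json(self) -> str:
        return json.dumps(self.entries, indent=2)


def build_and_verify_sample():
    """Acquire a constructed 'ransom note' from a mock share, log one hand-over,
    then tamper with the copy to show verification failing.
    Returns (intact_before_tamper, intact_after_tamper, number_of_log_entries)."""
    work = tempfile.mkdtemp(prefix="evidence_")
    original = os.path.join(work, "README_TO_RESTORE.txt")   # constructed sample file
    with open(original, "w") as fh:
        fh.write("constructed sample ransom note\n")
    collected = os.path.join(work, "ITEM-001.bin")
    shutil.copyfile(original, collected)   # work on the forensic copy, not the original

    log = CustodyLog("ITEM-001", r"\\fileserver\finance", "analyst.a", collected)
    log.transfer("analyst.a", "evidence.custodian", "moved to secure storage")
    intact = log.verify()

    with open(collected, "a") as fh:       # simulate tampering after the last hand-over
        fh.write("x")
    return intact, log.verify(), len(log.entries)


if __name__ == "__main__":
    print(build_and_verify_sample())   # (True, False, 3)
```

The log is what gets attached to the custody form: each entry names who held the item, when, and what its hash was at that moment, so a challenge to admissibility can be answered by pointing at the unbroken sequence of identical hashes.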

Admissible Evidence

There are three basic requirements for evidence to be accepted by a court of law:

1. The evidence must be relevant to determining a fact,
2. The fact the evidence seeks to determine must be material to the case,
3. The evidence must be competent (obtained legally) (Chapple et al., 2021)

Types of evidence
1. Real evidence
2. Documentary evidence
3. Testimonial evidence (Chapple et al., 2021)

Table 1 Evidence collection

Source: Alerts
§ Endpoint Detection and Response (EDR) alerts
§ SIEM alerts
§ Third-party monitoring services (DLP, CASB, web filtering)

Source: Logs
§ Network flow logs
§ Network device logs
§ Operating system and application event logs
§ Browser-level logs such as cookies
§ DNS (Domain Name System) event logs
§ Email server event logs
§ Gateway event logs
§ Remote access event logs
§ Web proxy event logs

Source: Publicly available information
§ Information on RDP exploitation

Source: People
§ Internal staff
§ External associations from other organisations

8. Resources and costs.

Table 2 Investigation team allocation sheet

Table 3 Investigation resource and budget allocation sheet

Table 4 Cyberattack timeline track-sheet

Table 5 Guidelines on communicating with third parties



Table 6 Evidence chain of custody tracking form



Table 7 Forensic Plan Template Checklist

This forensic plan template checklist can be used for the basic data gathering and preparation phases of a computer forensics incident.

PROJECT (SECURITY PLAN)

Cybersecurity Plan, Toll Holdings Ltd, December 2022

INFORMATION SECURITY PLAN

1. Objective:

To develop and implement the various dimensions of transportation cybersecurity capability so as to preserve and improve:
§ the organisation's plan for securing personal information and critical company data, consisting of plans and processes;
§ the transportation security strategy, which typically defines the plan's scope, classifies all parties and components involved, and sets out how management will respond in the event of a security breach;
§ the security plan itself, which helps the business minimise, prevent, accept, or transfer the information risk associated with transportation technology, processes and, most importantly, people.

2. Purpose:

A distinct, well-defined security plan focuses the organisation on protecting the confidentiality, integrity, and availability (the CIA triad) of its data while reducing threats. The information security plan sets out specific guidelines for emergency incident response and the repercussions for non-compliance, assigns duties to individuals, and references the appropriate resources in the transportation sector. Helping the business minimise, prevent, accept, or transfer the information risk associated with technology, processes and people is the main objective of a strategic information security plan.

3. Action plans:

Step 1. Identify present-day defensive measures in transportation security
Step 2. Establish a skilled security team
Step 3. Evaluate transportation system security threats, risks, and vulnerabilities
Step 4. Conduct a cyber risk analysis and risk assessment
Step 5. Classify and manage organisational data assets
Step 6. Determine transportation security regulatory standards
Step 7. Develop a transportation security compliance plan
Step 8. Create disaster recovery and incident management plans
Step 9. Train and evaluate employees and build a culture of cybersecurity (Team, 2022)

4. Action steps:
Adopting a framework is the first step; for Toll Holdings Ltd the NIST (National Institute of Standards and Technology) Cybersecurity Framework is suggested, as Toll is a global organisation. Its five functions (Identify, Protect, Detect, Respond, Recover) can be applied across four organisational areas:

§ Risk and Compliance (Governance) - Identify what assets need to be protected
§ Security Architecture and Design - Protect the business-critical assets
§ Security Administration - Access control
§ Security Operations - Detect, respond to and recover from security threats

Figure 4 NIST Framework (Balbix, 2022)

Figure 5 NIST 800-57 Framework



4.1 Identify present-day defensive measures in transportation security

To identify areas for improvement in preventing future ransomware attacks, apply the NIST framework and evaluate where the current security measures sit in the Security Maturity Model (SMM), for company data and for client data alike. To ensure that the measures now in place do not fall into disuse over time, use techniques such as newsletters and pop-up security reminders with real-life scenarios to keep staff and other stakeholders aware of the importance of maintaining these safeguards.

Figure 6 Capability Maturity Model against NIST (Balbix, 2022)

4.2 Establish a skilled security team

A security plan needs a team of suitably skilled professionals to develop, execute, audit, and maintain it. The team is responsible for developing and executing the policies, handling ever-changing threats and risk thresholds, and managing the budget.

4.2.1 Security Team Org Chart


Figure 7 Security Org Chart

4.2.2 Security Operations Team Org Chart


Figure 8 Security Operations Org Chart

4.3 Evaluate transportation system security threats, risks, and vulnerabilities

To understand the scope of the incident (two recent ransomware attacks), look at how susceptible the current system is to such attacks. What is the nature of the company's data? Where is it kept, and how was it compromised? Search for and highlight faults, such as obsolete software that has reached end-of-life support and inadequate training, and test the system to verify that it is operating properly and is not subject to loopholes or gaps that could be exploited.

4.3.1 Risks and threat charts

This chart can be filled to track the risks and threats the organisation has been exposed to.

Table 8 Specific solutions to address recent and current incidents

Risk: Misconfigured security measures (RDP protocol) | Internal | Risk rating: High
Policy implemented / to be implemented:
§ Toll Holdings should reduce its attack surface by deactivating RDP on PCs where it isn't mandatory, enabling Network Level Authentication for RDP sessions, and using an RDP Gateway.
§ Impose a stronger password policy so that attackers who locate machines exposed via RDP cannot brute-force the passwords.

Risk: Lack of security measures in business-critical servers | Internal | Risk rating: High
Policy implemented / to be implemented:
§ Harden the servers that are critical to business operations.
§ Equip all endpoints with next-generation endpoint security.
§ Implement policies to: evaluate open ports; keep server operating system versions and application versions updated; harden the measures and implement the principle of least privilege.

Risk: Lack of incident response and roll-back strategies to restore | Internal | Risk rating: Medium
Policy implemented / to be implemented:
§ Be able to roll back to the operational environment from backup using the Business Disaster Recovery plan.
§ Implement stringent policies, standards, and guidelines for incremental backups of business-critical data and endpoints.

Risk: Lack of security awareness in employees and third-party contractors | Internal | Risk rating: High
Policy implemented / to be implemented:
§ According to TrendMicro's study, the vector used to distribute the malware is either compelling the victim to run a malware dropper or to download the payload from a malicious URL.
§ Establish policies, guidelines, and processes to keep staff and contractors periodically educated in the dynamic arena of new threats.

4.3.2 Vulnerabilities chart

This chart can be filled in to track the vulnerabilities the organisation has been exposed to.

Table 9 To track the vulnerabilities the organisation has been exposed to.

Vulnerability | CVE | Rating | Response / policies to be implemented
(rows to be completed as vulnerabilities are identified)

4.4 Conduct a cyber risk analysis and risk assessment

Investigate the impact of cybersecurity risks and ransomware attacks on the business.
§ Would a ransomware attack halt the company's operations? To what extent?
§ Is damage control required?
§ What are the regulatory repercussions?

Determine which factors contribute to the organisation's cybersecurity risk. Record these so that they can be developed into an information security plan that meets the organisation's goals and standards. While it is critical to monitor internal and external threats, third-party suppliers can also be risky, so annual audits need to be carried out to ensure that their policies and processes are in accordance with the information security plan. Create a list of criteria that prospective business partners must fulfil before working with the business; this list should cover the essentials, such as System and Organization Controls (SOC) 2 compliance, and should be made a standing policy requirement.

4.5 Classify and manage organizational data assets

You can't safeguard what you don't know about. (Team, E, 2022)

Identify and categorise the organisation's assets by characteristics such as the sensitivity of the information, the means of access and the individuals who can access it, the storage requirements for that type of information, and the applicable regulatory requirements. Asset and data classification needs to be established, documented and maintained. The classification is then used to write rules and processes into policies that take into account the relative risk and handling needs of the different assets.

Figure 9 Steps to Data Classification (Buckbee, 2022)

4.6 Determine transportation security regulatory standards

As Toll Holdings Ltd is a global organisation, its requirements and standards must meet and comply with the relevant regulatory regimes across the globe, such as the CCPA (California Consumer Privacy Act), the GDPR (General Data Protection Regulation), the Australian Privacy Act 1988 and Securities and Exchange Commission (SEC) rules. Examine all the regulations that apply to the business and also consider what stakeholders expect.

Figure 10 Global Regulations



4.7 Develop a transportation security compliance plan

Once regulatory requirements have been determined, the information security plan should be both compliant and fit for business needs. Regulatory requirements frequently cover components of an information security strategy that a company may have overlooked during planning, and such gaps paved the path for the ransomware attacks. Outline how regulatory obligations and the organisation's own demands will be satisfied, and collect all necessary documentation.

4.8 Create disaster recovery and incident management plans

Once organisational requirements and threats have been assessed, start building the business response strategy. Create a clear procedural blueprint so that the security team can respond to cybersecurity incidents calmly and methodically. Include other departments, third parties, and clients in the strategy so that all relevant parties can contribute to resolving an attack. This is the most crucial step in developing an information security strategy, since all the preceding phases build up to the point where the actual plan is created.

4.9 Train and evaluate employees and build a culture of cybersecurity

Employees are a valuable asset in the defence against cyber threats. They are most often the first line of defence but also the weakest link in a business's security posture, so if they are not properly educated they can become a threat as well. Once the security strategy is in place, it is therefore crucial that employees are informed accordingly. It is also vital to run continuing training and to test employees regularly, so that they know what to look for and how to handle any information security problems that arise.

Compliant security posture

These diagrams give a pictorial illustration of a sustainable security plan that can be used to evaluate the organisation's security posture against the maturity model and to prioritise actionable items according to the designed security goals.

Figure 11 Security Compliance Model



Figure 12 Compliant Security Posture Summary

Figure 13 What good security encompasses



Figure 14 Board governance and Oversight



PROJECT (SECURITY POLICY)

Access Control Policy, Toll Holdings Ltd, November 2023

Access Control Policy

POLICY STRUCTURE

Access Control Policy: Policy - Yes; Guidelines - Yes; Technical Standards - Yes; Procedures - Yes
Policy Owner: CISO, Security & Risk Effective
Effective Date: 09/01/2023

Framework element | Purpose and content | Role(s) responsible for approval

Policy | Contains the high-level mandatory rules. | CEO, CTO, GC (General Counsel)
Guidelines | Contain detailed security requirements and criteria for meeting the policy objectives and strategies. | CISO, Security & Risk Effective, Director of Security Operations
Technical Standards | Contain detailed security requirements and criteria for meeting the guidelines. | Technical executives, Technical managers
Procedures | Contain the detail of how the security requirements are to be implemented. | Director of Security Operations, Director of IT

Access Control Policy

1. Statement of Policy

Toll Holdings Ltd is committed to meeting the organisation's business objectives by applying a consistent risk-based approach to information security that establishes and maintains the confidentiality, integrity, and availability of data. Toll Holdings Ltd adopts this Access Control Policy to protect company information against unauthorised access, use, loss, compromise, or breach of privacy. Every Toll Holdings Ltd subject must read and understand this policy and conduct their activities accordingly.
Cyber security project; investigation plan, security plan, security policy and reflective 23
journal involved in a Ransomware Attack

2. Purpose

To limit access to business data and information systems, on-premises networks, critical cloud
networks and facilities to authenticated, authorised and accountable parties, in accordance with
the business objectives and effective risk management.

3. Scope

This policy pertains to all company employees, temporary employees, consultants, subjects
such as contractors, partners, service providers, third parties, affiliates or any other person or
entity with access to Toll Holdings Ltd engineering networks and system resources that
process, store, or transmit confidential data through either private or public networks.

4. Obligations

This policy adheres to the requirements below:

§ The policy MUST be prepared on a business wide basis and linked to business
security risks.
§ The policy is consistent with the requirements of relevant legislation and policies.
§ Endorsement for the policy is obtained from the relevant governance body.
§ Approval for the policy is obtained from the relevant senior executives. (Template
Information Security Policy, 2013)

5. Business Requirements of Access Control

Access Control Standard

The primary method of access control and access rights management should follow Role-Based
Access Control (RBAC). Additional permissions may be granted to individual user accounts as
required, with approval from the system owner and the security control owner.

System owners of Toll Holdings Ltd must identify, classify and then maintain the segregation
between roles to ensure the security of their system and data sovereignty. RBAC models and
user provisioning processes must be developed with appropriate segregation of duties embedded.
In accordance with the Data Management Policy, all privileged access to critical systems
must use a strong Multi-Factor Authentication (MFA) process.

Toll Holdings Ltd should implement the principle of least privilege and establish the type and
level of access approved for individual users, to ensure that users are granted only the minimum
level of access required by the scope of their job functions.

A summary of least privilege principles

§ Access to all systems and networks should be authorised.
§ The minimum access should be granted as required to perform the individual's job.
§ Approval and monitoring apply to all changes or modifications to any person's access to
systems.
§ All events and amendments should be audited and logged.
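As an added illustration of the RBAC, segregation-of-duties and approved-exception rules above (example code written for this edit, not part of the Toll Holdings policy; the role names, permissions and approver identifiers are constructed):

```python
"""Added example (not Toll Holdings code): a minimal role-based access control
model implementing the standard above. Permissions come only from roles;
segregation-of-duties (SoD) rules block conflicting role combinations; any
per-user permission outside the role model is an exception that requires
approval from both the system owner and the security control owner. Roles,
permissions and approver names are constructed for illustration."""
from dataclasses import dataclass, field

# Constructed role model: each role carries only what that job function needs.
ROLES = {
    "warehouse_operator": {"wms:read", "wms:update_shipment"},
    "finance_clerk": {"erp:read_invoice", "erp:create_payment"},
    "payment_approver": {"erp:read_invoice", "erp:approve_payment"},
    "sysadmin": {"ad:reset_password", "server:login"},
}

# Constructed SoD rule: whoever creates a payment must never also approve one.
SOD_CONFLICTS = {frozenset({"finance_clerk", "payment_approver"})}


class AccessPolicyError(Exception):
    """Raised when an assignment would violate the access control standard."""


@dataclass(frozen=True)
class ApprovedException:
    """A permission granted outside the role model, with both required approvals."""
    permission: str
    system_owner: str
    security_control_owner: str


@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)
    exceptions: list = field(default_factory=list)


def assign_role(user: User, role: str) -> None:
    """Add a role, rejecting unknown roles and segregation-of-duties conflicts."""
    if role not in ROLES:
        raise AccessPolicyError(f"unknown role {role!r}")
    for held in user.roles:
        if frozenset({held, role}) in SOD_CONFLICTS:
            raise AccessPolicyError(
                f"{user.user_id}: {role!r} conflicts with {held!r} (segregation of duties)")
    user.roles.add(role)


def grant_exception(user: User, permission: str,
                    system_owner: str, security_control_owner: str) -> None:
    """Grant an individual permission only when both approvals are recorded."""
    if not system_owner or not security_control_owner:
        raise AccessPolicyError(
            f"{user.user_id}: exception {permission!r} needs approval from both "
            "the system owner and the security control owner")
    user.exceptions.append(
        ApprovedException(permission, system_owner, security_control_owner))


def effective_permissions(user: User) -> set:
    """Least privilege: exactly what the held roles plus approved exceptions grant."""
    perms = set()
    for role in user.roles:
        perms |= ROLES[role]
    perms |= {e.permission for e in user.exceptions}
    return perms


def is_authorised(user: User, permission: str) -> bool:
    return permission in effective_permissions(user)


def excess_permissions(user: User, used_in_period: set) -> set:
    """Access-review helper: held permissions never exercised in the review
    period, i.e. candidates for removal under least privilege."""
    return effective_permissions(user) - used_in_period


if __name__ == "__main__":
    clerk = User("jdoe")
    assign_role(clerk, "finance_clerk")
    try:
        assign_role(clerk, "payment_approver")       # SoD violation, rejected
    except AccessPolicyError as err:
        print("rejected:", err)
    grant_exception(clerk, "wms:read", "sys.owner", "sec.owner")
    print(sorted(effective_permissions(clerk)))
    print("unused:", excess_permissions(clerk, {"erp:read_invoice"}))
```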

Access to Networks and Network Services

Access to Toll Holdings Ltd networks and network services is governed by the following
security standards:
§ All access to Toll Holdings Ltd must be officially documented.
§ Only authorized employees and/or third parties with a signed contract or statement of
work, and with a business need, may be granted access to the Toll Holdings Ltd business
critical networks.
§ Toll Holdings Ltd guests may be granted temporary access to guest networks upon formal
registration and documentation.
§ All remote connections to Toll Holdings Ltd systems and networks must use approved,
secure and auditable remote access technologies.

6. Remote Access Standards

All physical electronic devices, including laptops, multifunction printers and other computer
resources, and all private, public or third-party cloud resources that are used to access the
Toll Holdings Ltd cloud-based or private networks must conform to the security control
objectives outlined in the Toll Holdings Ltd Information Security Policy and adhere to the
following standards:

§ Toll Holdings Ltd-managed anti-malware software and an up-to-date software firewall must
be deployed, configured and maintained on all devices with access to Toll Holdings Ltd
networks;
§ All users are prohibited from altering in any way or disabling any organizational security
controls, such as firewalls or antivirus software, on systems used to access Toll Holdings
Ltd resources. Use of remote access software and/or services (e.g., a VPN client) is allowed
only where it is provided by the company and configured with multi-factor authentication
(MFA);
§ Unauthorized remote access technologies must not be used or installed on any Toll Holdings
Ltd system;
§ Users should use an approved VPN/web security agent when transmitting confidential
information on public Wi-Fi; and
§ Access to sensitive information must be via Toll Holdings Ltd-issued electronic devices.

7. User Access Management

All personnel must have a unique user identifier for system access, and user credentials must
not be shared between multiple personnel. Users that require multiple levels of access (e.g.
administrators) should be granted distinct accounts for standard systems and for administrative
functions wherever feasible. Root, service and administrator accounts must use the Toll
Holdings Ltd-prescribed password management system for any sharing of passwords.

User Registration and Deregistration

§ Only authorized administrators may create new user IDs, and each creation must be raised as a
ticket with the authorized parties' approval documented. User provisioning requests must
include approval from the data owners, system owners or Toll Holdings Ltd management
authorized to grant system access. Segregation of duties, fraud prevention measures and
access rights restrictions must be ensured.

§ User IDs must not be re-used. User IDs must be promptly and completely revoked when users
exit the organization or their contract ceases; all deviations from account deregistration
must be approved by the security control owner. The maximum admissible time period for
access termination is 24 business hours.

Management of Privileged Access

Granting of administrative rights must be strictly controlled and documented, and approval
from both the asset owner and the security control owner should be obtained.

User Access Reviews

To ensure the least privilege access principle is implemented, the access rights of users,
service accounts and administrators, any exception-based permissions, and any change of job
role within the company (including transfer, demotion or promotion) must be reviewed and
audited on a bi-annual basis by the data and system owner. Access reviews must be documented,
signed off and retained.
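An added example, not from the policy or any Toll Holdings system, that checks constructed leaver and directory records against the deregistration rule above (revocation within 24 business hours, no re-use of user IDs); it assumes "business hours" means hours falling on Monday to Friday.

```python
"""Added example (not Toll Holdings code): check leaver records against the
directory for the deregistration rules above. Assumptions: '24 business hours'
counts only hours falling on Monday to Friday; all records below are constructed."""
from datetime import datetime, timedelta

SLA_BUSINESS_HOURS = 24
CHECK_TIME = datetime(2023, 3, 8, 12, 0)   # Wednesday 12:00, when the check runs


def business_hours_between(start: datetime, end: datetime) -> float:
    """Hours between start and end that fall on a weekday (Mon-Fri, any hour)."""
    hours = 0.0
    cursor = start
    while cursor < end:
        # step to the next whole-hour boundary, but never past end
        boundary = (cursor + timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)
        step_end = min(boundary, end)
        if cursor.weekday() < 5:            # Monday=0 ... Friday=4
            hours += (step_end - cursor).total_seconds() / 3600
        cursor = step_end
    return hours


# Constructed HR leaver feed: user ID and the moment employment/contract ended.
LEAVERS = [
    ("u1001", datetime(2023, 3, 3, 17, 0)),   # Friday 17:00
    ("u1002", datetime(2023, 3, 6, 9, 0)),    # Monday 09:00
    ("u1003", datetime(2023, 3, 7, 12, 0)),   # Tuesday 12:00
]

# Constructed directory export: when each account was disabled (None = still enabled).
DIRECTORY = {
    "u1001": {"disabled_at": datetime(2023, 3, 6, 16, 0)},   # Monday 16:00
    "u1002": {"disabled_at": None},
    "u1003": {"disabled_at": datetime(2023, 3, 8, 9, 0)},    # Wednesday 09:00
}


def deregistration_breaches(leavers, directory, now, sla=SLA_BUSINESS_HOURS):
    """Return [(user_id, elapsed_business_hours)] for accounts not revoked within the SLA.

    An account that is still enabled is measured up to `now`, so it is reported
    as soon as the window is exceeded rather than only after someone disables it."""
    breaches = []
    for user_id, exit_at in leavers:
        record = directory.get(user_id)
        if record is None:
            continue   # no account to revoke (or already purged); nothing to report
        end = record["disabled_at"] or now
        elapsed = business_hours_between(exit_at, end)
        if elapsed > sla:
            breaches.append((user_id, round(elapsed, 1)))
    return breaches


def issue_user_id(candidate: str, ever_issued: set) -> str:
    """Enforce 'user IDs must not be re-used': refuse any ID ever issued, even if revoked."""
    if candidate in ever_issued:
        raise ValueError(f"user ID {candidate!r} was issued before and must not be re-used")
    ever_issued.add(candidate)
    return candidate


if __name__ == "__main__":
    for user_id, hours in deregistration_breaches(LEAVERS, DIRECTORY, CHECK_TIME):
        print(f"{user_id}: access open for {hours} business hours (SLA {SLA_BUSINESS_HOURS})")
```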

8. Password Policy

Where feasible, passwords should be configured to at least the following minimum password
requirements: twelve (12) characters, password complexity enabled, account lockout after 10
failed attempts, lockout counter reset after 30 minutes, and 24 previous passwords remembered.

Administrative, privileged or root accounts should, where feasible, have passwords configured
with the following minimum password requirements: eighteen (18) characters with password
complexity enabled.
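An added example, not from the policy, that enforces the password rules above in code: minimum length 12 (18 for privileged accounts), complexity, a 24-entry password history, and lockout after 10 failed attempts with the failure counter reset after 30 minutes. Two assumptions the policy does not state: "complexity" is taken as at least three of four character classes, and a locked account is released once the 30-minute window has expired.

```python
"""Added example (not Toll Holdings code): an account object that enforces the
password policy above. Standard accounts: 12+ characters, complexity, last 24
passwords remembered, lockout after 10 failed attempts, failure counter reset
after 30 minutes. Privileged accounts: 18+ characters with complexity.
Assumptions not stated in the policy: 'complexity' means at least three of the
four character classes, and a locked account is released once the 30-minute
window has expired."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10
LOCKOUT_RESET = timedelta(minutes=30)
HISTORY_DEPTH = 24          # current password plus the 23 before it
PBKDF2_ROUNDS = 100_000     # kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; a memory-hard KDF would be preferable in production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_errors(password: str, privileged: bool = False) -> list:
    """Return the policy rules a candidate password breaks (empty list means it passes)."""
    errors = []
    min_len = 18 if privileged else 12
    if len(password) < min_len:
        errors.append(f"shorter than {min_len} characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        errors.append("fewer than three character classes")
    return errors


class Account:
    def __init__(self, user_id: str, privileged: bool = False):
        self.user_id = user_id
        self.privileged = privileged
        self.history = []            # (salt, digest) pairs, newest last
        self.failed_attempts = 0
        self.first_failure_at = None

    def set_password(self, password: str) -> None:
        """Apply length/complexity rules and the 24-password history before accepting."""
        errors = complexity_errors(password, self.privileged)
        if errors:
            raise ValueError(f"{self.user_id}: " + "; ".join(errors))
        for salt, digest in self.history:
            if hmac.compare_digest(_hash(password, salt), digest):
                raise ValueError(f"{self.user_id}: password reused within last {HISTORY_DEPTH}")
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def _reset_counter_if_expired(self, now: datetime) -> None:
        if self.first_failure_at and now - self.first_failure_at >= LOCKOUT_RESET:
            self.failed_attempts, self.first_failure_at = 0, None

    def is_locked(self, now: datetime) -> bool:
        self._reset_counter_if_expired(now)
        return self.failed_attempts >= LOCKOUT_THRESHOLD

    def authenticate(self, password: str, now: datetime) -> bool:
        """Verify a password, counting failures for the lockout rule; a locked account always fails."""
        if self.is_locked(now):
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(_hash(password, salt), digest):
            self.failed_attempts, self.first_failure_at = 0, None
            return True
        if self.failed_attempts == 0:
            self.first_failure_at = now     # start of the 30-minute observation window
        self.failed_attempts += 1
        return False


def lockout_scenario() -> dict:
    """Constructed walk-through: 10 failures lock the account, the 30-minute reset releases it."""
    acct = Account("jdoe")
    acct.set_password("Correct-Horse-Battery9")      # constructed sample password
    t0 = datetime(2023, 3, 6, 9, 0)
    failures = [acct.authenticate("wrong-guess-number-1", t0 + timedelta(minutes=i))
                for i in range(LOCKOUT_THRESHOLD)]
    return {
        "all_failed": not any(failures),
        "locked_at_10min": acct.is_locked(t0 + timedelta(minutes=10)),
        "correct_pw_while_locked": acct.authenticate("Correct-Horse-Battery9",
                                                     t0 + timedelta(minutes=10)),
        "correct_pw_after_window": acct.authenticate("Correct-Horse-Battery9",
                                                     t0 + timedelta(minutes=31)),
    }


if __name__ == "__main__":
    for check, outcome in lockout_scenario().items():
        print(f"{check}: {outcome}")
```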

9. System and Application Access

Information Access Restriction

Access to all application program functions and information must be restricted to authorised
users and support personnel in accordance with this policy. The necessary access controls and
data policies must be followed prior to granting any access to application software. All vendor
default passwords and credentials must be changed on all Toll Holdings Ltd systems, devices
and infrastructure prior to deployment, and unnecessary default accounts must be removed or
disabled. This pertains to ALL default passwords within Toll Holdings Ltd systems and
networks.

Password Management System

All use of password management systems must be approved by the Security control owner for
password managers. All password management systems must maintain full audit logging of
credential use and must allow for the recovery of credentials in the event a user leaves the
organisation. All passwords must be protected while stored and in transmission using
appropriate cryptographic protections through encryption in accordance with the Cryptography
Policy.

Access Monitoring

All access to data, systems and applications must be logged and monitored. The access logs
may be used and/or disclosed to the relevant authorities in the event of a data breach or incident.
Assessment objects, assessment methods and assessment objectives should follow NIST SP
800-53A; the assessment items applicable to this policy are:

§ AC-17 - REMOTE ACCESS
§ AC-17a.[01]
§ AC-17a.[02]
§ AC-17a.[03]
§ AC-17(01) - REMOTE ACCESS | MONITORING AND CONTROL
§ AC-17(01)[01]
§ AC-17(01)[02]
§ CM-04 - IMPACT ANALYSES
§ CM-04[01]
§ CM-04[02]
§ CM-02 - BASELINE CONFIGURATION
§ CM-02_ODP[01]
§ CM-02_ODP[02]
§ MP-07 - MEDIA USE
§ MP-07_ODP[01]
§ MP-07_ODP[02]
§ MP-07_ODP[03]
§ MP-07_ODP[04]
§ CA-03 - INFORMATION EXCHANGE
§ CA-03_ODP[01]
§ CA-03_ODP[02]
§ CA-03_ODP[03] (Force, 2022)

10. Policy Exceptions

Any requests for an exception to this Policy must be submitted to the CISO, Security & Risk
Effective. Such requests must identify the entity/function/individual requesting the exception,
and the nature, timing, and duration of the exception. The request must also include corrective
action plans to rectify the exception and a proposed timeline for completion of the same.

11. Violations & Enforcement

Any identified violations of this policy must be reported immediately, or as soon as possible,
to the Security team by raising a Jira security incident or posting in the #help_security Slack
channel. Violations of this policy can result in immediate withdrawal or suspension of system
and network privileges and/or disciplinary action in accordance with company procedures, up
to and including termination of employment.

Table 10 Violations & Enforcement

| Section Number | Amendment Summary | Author | Approved by |
| | This is the first release of this document. | Security Team, Audit, Assurance, and Engineering | Executive Committee |

12. Document Version Control Amendments in this Release

Table 11 Version Control Amendments

| Version | Approval Date | Description/Reason | Author | Approved by |
| 1.0 | 09/01/2023 | Initial release / initial version approved by executive committee | Security Team, Audit, Assurance, and Engineering | Executive Committee |

Extra Notation

The front page of the policy summarises the abstract and policy structure, preceding the 12
main section titles that give a high-level overview of the Access Control Policy. The policy
was developed to implement the main security controls of the Protect function in the NIST
Cybersecurity Framework Version 1.1, mapped to NIST Special Publication 800-53 Revision 5
(Security and Privacy Controls for Information Systems and Organizations) and specifically to
its assessment companion, NIST SP 800-53A.

REFLECTIVE JOURNAL

(This section was meant to be kept in a non-academic format)

Week 1:

The first hurdle I faced was which of the two case studies to choose as my project, so I went
through them carefully, bearing in mind the content in the module 1 section. I cautiously
considered the benefits of how identifying, prioritising and selecting cyber projects can
streamline project execution, strategic alignment, optimised resource allocation, continuous
improvement, problem resolution and, most importantly, risk management. I went through both
the case studies with the knowledge I gathered in this week and looked for a method that suited
me best to create the investigation plan, security plan and security policy. I also learnt why
project selection is so important in order to excel at them, and also that it is dependent on
the skills and resources available in an organisation.
I learned about the key points to successfully complete the project components, as below:

1. Secure executives' buy-in.
2. Align with cybersecurity strategy.
3. Define SMART goals.
4. Assign a project manager.
5. Manage your risks.
6. Measure your progress.
7. Evaluate return on investment. (Bitchkei, 2018)

I found reflective thinking and the patterns very helpful to re-evaluate how the project
progressed from start to finish; it directed me to reconsider whether the direction I was taking
was the right way to implement the project components.

Figure 15 Reflection cycle



Figure 16 Mind Map

A mind map was built and utilised as a guide during the course of the project, which also
served as a reference point to circle back to and keep my focus on track.

Week 2:

After selecting the case study for the project, the next step was to research the topic.
Resources in module 2 focused on how applied research methods can be used to improve project
success, how to differentiate between the different types of applied research, and ethical
issues in cyber projects. As I chose Case study 1 (Ransomware incident, Toll Holdings Ltd), the
dimensions of sound applied research, such as validity, reliability, effectiveness, efficiency,
feasibility, relevance and sufficiency, needed to be weighed. I also researched on the web for
further information concerning the ransomware attack vectors, and the components above were
vetted by verifying the site or the organisation that published the information; I also
cross-checked a few sites to extract the most accurate information. I will continue this
approach in future projects as well. I will also include interviews, observation and
questionnaires in a very innovative way to extract data with the most integrity.

Figure 17 Types of research methods

The research process started with evaluating the existing information given in the case study
section, and identified that an investigation plan, security plan and security policy needed to
be created as goals. I soon started gathering as much information as possible and dumped it in a
doc file as raw data collection, then sorted it. Benchmarking, reporting the findings and
results, and validating the results to be admissible in a court of law were the super techniques
I learnt in this module that massively impacted creating the investigation plan. Benchmarking
can be streamlined with a clear understanding of defining the benchmarks, implementing a
non-biased benchmark policy, running the benchmark, and any ramifications of the benchmarks if
there are any. Ethical consideration is something that is often neglected and given the least
consideration. From my experience most professionals tend to focus on getting the priorities
done, and the ethical aspect often doesn't even make it to the priority list. Even though one's
ethical position is often conditional on their cultural, religious or family beliefs, I believe
it brings a humane aspect to the project. Including the ethical concerns will undoubtedly help
me in future projects to uphold the client's interest and embed my personal principles into
my own work.

Week 3:

US President Obama declared that the

"cyber threat is one of the most serious economic and national security challenges we
face as a nation" and that "America's economic prosperity in the 21st century will
depend on cyber security." (Spradlin, 2019)

"If I were given one hour to save the planet, I would spend 59 minutes defining the
problem and one minute resolving it." (Einstein, as cited by Spradlin, 2012)

The 3rd module showed me how to assess what would impact the market if a company doesn't
protect against ransomware. From those two quotes above I realised problem identification is
the key component in avoiding a merely idealistic design which drastically deviates from the
end result. Hence the hurdle I was facing was contextualising the problem that needs to be
solved, determining the desired end goal, and targeting the stakeholders who benefit from the
project, into a systematic yet pragmatic project plan.

The first action I took was to develop a problem statement: "Toll Holdings Ltd is facing an
upward trend in cyber threats and increased ransomware attacks." Then I deep-dived into the
root cause, the why/what/when/where/who in relation to a cyber problem. I found this was a very
systematic and effective approach for any cyber-related project which I would follow in the
future; if possible, in future projects I would interview some system heads of the compromised
servers or put together an easy-to-fill questionnaire on a simple web page for them to fill in
at their own convenience with a due date. This will help me collect as much data as possible
relating to the timeline and the actual incident triggers the employees experienced, in order to
identify the problem more deeply. The Guidelines for Writing Research Proposals and
Dissertations resource was beneficial for me in putting the investigation plan together.

These were the 5 Root Cause Analysis Tools for More Effective Problem.

Figure 18 Pareto Chart

Figure 19 The 5 Whys



Figure 20 Fishbone Diagram

Figure 21 Scatter Diagram

Table 12 Failure Mode and Effects Analysis (FMEA)



Week 4:

“Culture is how organizations ‘do things’.” — Robbie Katanga (Watkins, 2014)

“An organization [is] a living culture… that can adapt to the reality as fast as possible.”
— Abdi Osman Jama (Watkins, 2014)

Creating an investigation plan, a security plan and a security policy needs to draw attention to
the company culture. From my experience, understanding the company culture and how many
countries it operates from helped me identify the driving factors. The company culture, which
can become a central issue, can also be rejigged to decrease the future attacks a company would
face. Toll Holdings, being owned by a Japanese parent company, had some drawbacks operating
from Australia. Japan is known for racial and cultural homogenisation on both micro and macro
scales, which makes it rank as the lowest Asian country in English fluency. I have a fair
suspicion that the critical incident evaluation, communication and decision taking that needed
to happen after the first ransomware attack did not take place because of this cultural
difference. If there had been adequate communication between the parent and operating countries,
the second attack would have been prevented. What I appreciate the most about culture is that
it's a living and evolving aspect of the company that can be developed and moulded according to
the company objectives. Understanding the current company culture and then establishing the
benchmarks for the targeted culture is something I am going to suggest to organisations in my
future projects. I also firmly believe the security culture can be instilled in an employee from
the onboarding process, just as an infant needs to be equipped with great values from a very
young age. So, I suggest that the security induction and awareness-raising campaigns should
maintain the technical weight yet be very interesting and trendy to catch a new employee's
attention and then hold it until the employee exits. Team building activities are also a proven
strategy to build a sound security community.

Figure 22 Spaghetti and marshmallow tower



Building a marshmallow and spaghetti tower is one of my favourite team building activities. You
can take away the remaining spaghetti or marshmallows halfway through to indicate budget cuts,
which makes it more relatable. After all, employees are the frontiers and the weakest link of the
security posture of any organisation.

Week 5:

A great leader’s unique achievement is a human and social one which stems from his
understanding of his fellow workers. (Prentice, 2004)

Prior to planning an effective incident investigation plan, security plan and security policy,
acquiring a comprehensive knowledge of the organisational leadership is considered the most
important element of cybersecurity program success. My first thought was how I was going to
approach this and get familiar with the leadership methods running Toll Holdings, and the week
5 resources gave me insights regarding that. From my experience in the industry, I have heard
executive boards identifying security teams as blockers, not as enablers. Hence receiving buy-in
from top management is vital. Prentice's model of leadership, the NICE (National Initiative for
Cybersecurity Education) framework and the top-down approach were discussed in this module.
While I was going through an article called "Secrets of a Symphony Orchestra Conductor", I
realised the leadership needs to establish the ground rules, how they direct the people under
them, and aim to minimise the interference in achieving them. Achieving individual satisfaction
is very important for a successful and sound organisational structure. "Low pressure leadership"
might come off as a laid-back approach, yet can be manipulative as a salesperson's strategy to
exploit a weak point and gain benefits from it. The NICE framework by NIST can be utilised in
organisations to map cyber roles to Knowledge, Skills and Abilities (KSAs). Most importantly, the
NICE framework includes a role for executive cyber leadership, whereas 50% of the companies in
the KPMG survey of 1,276 CEOs of the world's largest companies in 2015 had no plan to appoint a
cyber executive.

"Only 25 percent of C-level executives and board members . . . believe that recruiting
and retaining skilled professionals is a critical cybersecurity issue, ranking it sixth out
of seven main cybersecurity priorities. Most of them still display tendencies to treat
cybersecurity as an isolated 'IT problem'." (Spidalieri, 2016, p. 4)

I also learnt that top-down leadership can be very beneficial as well. According to the quote
above, setting the standards from the top down needs to happen to get more buy-in from the
executives, operation heads, system heads and other employees for a cyber project. I also
believe the security plan implementation strategy could contain some known-to-be-cool moves,
such as adopting early adopters, influencers and trend setters within an organisation to spread
the information through the organisation's culture.
With the knowledge gathered in this unit, to understand the leadership style in future projects I
believe I could inquire into the past records of incidents. Analysing how the decisions were
made for past incidents can give you a summary of the leadership style; then interviewing a few
important executive board members could testify to their organisational leadership style. If I
were a leader on the executive board, you would get my attention when I am informed adequately
about setting metrics and KPIs to measure progress and return on investment for the budget
and resource allocations. I will use those techniques in the future to get executive buy-in.

Week 6:

Project requirements were to prepare an array of reports such as the investigation plan, security
plan and security policy. First, I was thrilled to work on a real incident that had happened and
looked forward to developing a policy document. I knew it would give me the opportunity to
close any gap the organisation had that caused two ransomware attacks. I have seen many policy
documents and security plans, read them as an employee, amended them as a security professional,
and put together investigation plans, but this unit really equipped me to take my expertise to
the next level. The modules of this unit were packed with plenty of templates and resources which
I could imitate to make my own product with my personal touch. My hurdle was to write much more
coherent, technically concise and easy-to-understand reports that were ready for a broader
audience including non-technical, non-specialist stakeholders, while still holding weight for the
technical experts. I achieved this by referring to the standards and frameworks presented mainly
by NIST and other bodies. I was overwhelmed by so many templates and criteria out there; however,
I managed to consolidate the resources to produce my best report for each component of the
project. Now that I have done the groundwork for those specific reports, they would be my curated
report writing templates for future projects with various organisations. While writing the
policy report I noticed some policies didn't contain the essential section titles, so I added
additional section titles to embed more clarity and make it user friendly. Policies are known to
be very dry documents nobody really wants to read, but they can be developed in a way that the
reader can gather the key points about the policy. Policy amendments can be announced using short
videos. The effective policy writing section directed me to identify that some templates I was
referring to had gaps or errors and were also a bit outdated relative to the way the current
community grasps information. For all the report writing I widely followed and adopted NIST
templates and streamlined the report structure to maintain industry standards. Developing the
executive summary was a challenge I faced, as it needed to cover all the key information and also
be precise within a word limit of 500. I imagined myself as a board member who is somewhat
technically savvy and sectioned the executive summary to give myself brief yet adequate
information so I could act as a board member. The executive summary needs to hit the key spots
in the reader to spark their interest and grab their attention to act.

Figure 23 5 steps to write a security report



References

10+ security plan templates in google docs: Word: Pages: PDF. template.net. (n.d.). Retrieved December 1, 2022, from https://www.template.net/business/plan-templates/security-plan/

Abdalla, S., Hazem, S., & Hashem, S. (2017). Guideline model for Digital Forensic Investigation. Association of Digital Forensics, Security and Law (ADFSL). Retrieved November 21, 2022, from https://commons.erau.edu/cgi/viewcontent.cgi?article=1029&context=adfsl&httpsredir=1

Australian Cybersecurity Centre. (2022, September). Information security manual (ISM). Information Security Manual (ISM) | Cyber.gov.au. Retrieved November 18, 2022, from https://www.cyber.gov.au/acsc/view-all-content/ism

Balbix. (2022, August 26). What is the NIST Cybersecurity Framework? Retrieved December 1, 2022, from https://www.balbix.com/insights/nist-cybersecurity-framework/

BlueVoyant. (n.d.). Understanding Digital Forensics: Process, techniques, and Tools. BlueVoyant. Retrieved November 17, 2022, from https://www.bluevoyant.com/knowledge-center/understanding-digital-forensics-process-techniques-and-tools

Buckbee, M. (2022, June 22). What is data classification? Guidelines and process. Varonis. Retrieved December 11, 2022, from https://www.varonis.com/blog/data-classification

Chapple, M., Stewart, J. M., & Gibson, D. (2021). (ISC)² CISSP® Certified Information Systems Security Professional Official Study Guide. John Wiley & Sons.

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August 6). Computer Security Incident Handling Guide. CSRC. Retrieved November 21, 2022, from https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final

Dwyer, N. (2020, March 23). What is the Mailto Ransomware? Computer One Australia. Retrieved January 18, 2023, from https://computerone.com.au/what-is-the-mailto-ransomware/

Force, J. T. (2022, January 25). Assessing security and privacy controls in information systems and organizations. CSRC. Retrieved December 29, 2022, from https://doi.org/10.6028/NIST.SP.800-53Ar5

Hu, V., & Scarfone, K. (2016, September). NIST Technical Series Publications. NIST. Retrieved December 28, 2022, from https://nvlpubs.nist.gov/nistpubs/ir/2012/NIST.IR.7874.pdf

Hu, V., Grance, T., Ferraiolo, D. F., & Kuhn, R. (2016, September). Access control policy and implementation guides: CSRC. An Access Control Scheme for Big Data Processing. Retrieved January 3, 2023, from https://csrc.nist.gov/Projects/Access-Control-Policy-and-Implementation-Guides

Incident response : Crowdstrike. crowdstrike.com. (2022, November 15). Retrieved November 22, 2022, from https://www.crowdstrike.com/cybersecurity-101/incident-response/

Incident response sans: The 6 steps in depth. Cynet. (2022, August 22). Retrieved November 26, 2022, from https://www.cynet.com/incident-response/incident-response-sans-the-6-steps-in-depth/

Integration, E. C. (2018, October 26). Nine steps to creating an information security plan. AlphaWeek. Retrieved December 3, 2022, from https://alpha-week.com/nine-steps-creating-information-security-plan

Integration, E. C. (2020, June 11). 9 steps to create information security plan. EzeCastle Integration. Retrieved December 8, 2022, from https://www.eci.com/blog/16023-9-steps-to-create-information-security-plan.html

KnowBe4. (n.d.). Ransomware simulator: Testing tool for malware. KnowBe4. Retrieved November 6, 2022, from https://www.knowbe4.com/ransomware-simulator

Mane, B. (2021, May 12). Nefilim ransomware. Qualys Security Blog. Retrieved December 7, 2022, from https://blog.qualys.com/vulnerabilities-threat-research/2021/05/12/nefilim-ransomware

Marcos, S. (n.d.). CSUSM-dspace.calstate.edu. Cyber Forensics Investigation Tactics, Techniques, and Procedures (TTP). Retrieved November 17, 2022, from https://csusm-dspace.calstate.edu/bitstream/handle/10211.3/191085/ONeilJaja_Spring2017.pdf

Maurer, T., Taylor, K., & Grossman, T. (2020). Capacity-Building Tool Box for Cybersecurity and Financial Organizations. Carnegie Endowment for International Peace. Retrieved January 17, 2023, from https://ceipfiles.s3.amazonaws.com/pdf/FinCyber/English/FinCyber+EXECUTIVE+SUMMARY_final.pdf

Nicholls State University. (2020, February 13). Acceptable encryption policy. Nicholls State University. Retrieved December 9, 2022, from https://www.nicholls.edu/information-tech/policyandprocedure/acceptable-encryption-policy/

Nieles, M., Dempsey, K., & Pillitteri, V. (2017, June). An Introduction to Information Security. NIST Special Publication 800-12. Retrieved December 18, 2022, from https://doi.org/10.6028/NIST.SP.800-12r1

Norwich University Online. (2017, September 11). 5 steps for conducting Computer Forensics investigations. Norwich University Online. Retrieved November 27, 2022, from https://online.norwich.edu/academic-programs/resources/5-steps-for-conducting-computer-forensics-investigations

Osborne, C. (2020, May 6). Logistics Giant Toll Group hit by ransomware for the second time in three months. ZDNET. Retrieved January 13, 2023, from https://www.zdnet.com/article/transport-logistics-firm-toll-group-hit-by-ransomware-for-the-second-time-in-three-months/

Paananen, H., Lapke, M., & Siponen, M. (2020). State of the art in information security policy development. Computers & Security, 88, 101608. https://doi.org/10.1016/j.cose.2019.101608

Purushothaman, Dr. K., & Hashemnejad, Dr. R. (2014, May 24). Cyber Forensic Investigation Plan. IJOARCS. Retrieved November 19, 2022, from https://www.academia.edu/3827683/Cyber_Forensic_Investigation_Plan

Reportcyber. ReportCyber | Cyber.gov.au. (n.d.). Retrieved December 7, 2022, from https://www.cyber.gov.au/acsc/report?utm_idnt=

Security Magazine. (2020, May 8). Toll group suffers ransomware attack again. Security Magazine RSS. Retrieved December 6, 2022, from https://www.securitymagazine.com/articles/92334-toll-group-suffers-ransomware-attack-again

Swanson, M., Hash, J., & Bowen, P. (2006, February). Guide for developing security plans for Federal Information Systems - NIST. Guide for Developing Security Plans for Federal Information Systems. Retrieved December 7, 2022, from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf

Team, A. (2019, September). Encryption policy template final - national cybersecurity society. Encryption Policy Template. Retrieved January 3, 2023, from https://nationalcybersecuritysociety.org/wp-content/uploads/2019/10/Encryption-Policy-Template-FINAL.pdf

Team, C.-A. (2021, March 23). Cybersecurity roadmap: Develop your path to success. Cybersecurity Automation. Retrieved December 7, 2022, from https://www.cybersecurity-
automation.com/cybersecurity-roadmap-develop-your-path-to-success/

Team, E. (2022, August 5). Information security plan: What is it & how to create it? Bit
Blog. Retrieved December 3, 2022, from https://blog.bit.ai/information-security-plan/

The ACSC Essential eight. Ivanti. (n.d.). Retrieved November 24, 2022, from
https://www.ivanti.com/lp/security/assets/s1/the-acsc-essential-
8?utm_source=google&utm_medium=cpc&utm_campaign=esg-uem-apac-anz-search-
acsc&utm_adgroup=whitepaper-acsc-essential-8&utm_content=responsive-
search&utm_term=cyber+security+incident+response+plan&elqCampaignId=1704&gclid=C
j0KCQiAj4ecBhD3ARIsAM4Q_jFXfFG4iI6PsoKqjmHTRGyuaq5Nq6JN0mX2JI1YGk8F9
Udphl3nvHgaAtANEALw_wcB

The ACSC Essential eight. Ivanti. (n.d.). Retrieved November 24, 2022, from
https://www.ivanti.com/lp/security/assets/s1/the-acsc-essential-
8?utm_source=google&utm_medium=cpc&utm_campaign=esg-uem-apac-anz-search-
acsc&utm_adgroup=whitepaper-acsc-essential-8&utm_content=responsive-
search&utm_term=cyber+security+incident+response+plan&elqCampaignId=1704&gclid=C
j0KCQiAj4ecBhD3ARIsAM4Q_jFXfFG4iI6PsoKqjmHTRGyuaq5Nq6JN0mX2JI1YGk8F9
Udphl3nvHgaAtANEALw_wcB
39

The National Cybersecurity Society. (2019). Encryption policy template final - national
cybersecurity society. NCSS. Retrieved December 15, 2022, from
https://nationalcybersecuritysociety.org/wp-content/uploads/2019/10/Encryption-Policy-
Template-FINAL.pdf

Verry, J. (2019, May 8). Discover the 4 steps to building an information security plan. Pivot
Point Security. Retrieved December 11, 2022, from https://www.pivotpointsecurity.com/4-
steps-building-information-security-plan/

Vic Gov. (n.d.). Cyber security strategy - victoria state government. Cyber Security Strategy.
Retrieved December 6, 2022, from https://www.vic.gov.au/sites/default/files/2019-
07/Victorian-Government-Cyber-security-Strategy-2016-2020.pdf

VicGov. (n.d.). Cyber security strategy - victoria state government. VicGov. Retrieved
November 27, 2022, from https://www.vic.gov.au/sites/default/files/2019-07/Victorian-
Government-Cyber-security-Strategy-2016-2020.pdf |

Whitcher, C. (2022, December 14). Least privilege principles - how to avoid dangerous and
costly mistakes. Sath.com. Retrieved December 29, 2022, from https://sath.com/least-
privilege-principles/

Whitcher, C. (2022, December 20). Access control policy template. Sath.com. Retrieved
December 17, 2022, from https://sath.com/access-control-policy-template/#07

Zeltser, L. (2019, January 23). Write a strong executive summary for Your Security
Assessment Report. Lenny Zeltser Content. Retrieved January 18, 2023, from
https://zeltser.com/executive-summary-for-security-assessment-report-tips/

View publication stats

You might also like