August 1997 QUESTION 2 Total Marks: 20 Marks
SUGGESTED SOLUTIONS
| 2. You have been asked to conduct an audit of a particular organisation's security systems. | Marks |
|---|---|
| (a) What aspects of the organisation's activity would you consider? Give an example in each case. | [8] |
| Areas of possible concern include: | |
| physical security with respect to environmental problems, including storage of magnetic media, location, etc. | |
| possibility of criminal activity, unauthorised access to data, theft of data or equipment | |
| a proper system of records, logging, documentation of procedures, security rules, system management and access control | |
| suitable contingency plans, backup and recovery | |
| Up to 2 marks for each area, making a total of 8 marks for this part of the question. In each case, 1 mark should be allocated for the correct identification of a separate area of concern (there are four identified above) and 1 mark for a suitable example or detailed explanation of the point. | |
| | [8 marks] |
| (b) What should be taken into consideration when formulating backup and recovery plans? | [6] |
|---|---|
| When formulating backup and recovery plans, we should consider: | |
| the continuation of the data processing function following a possible disaster | [1] |
| arrangements such as reciprocal agreements or alternative sites | [1] |
| the relative priority of different activities and data, which should be determined in advance of any disaster | [1] |
| periodic testing of the plans | [1] |
| the coverage of the plan, which should include location, personnel, equipment and printed media as well as magnetic media | [1] |
| a planning team, with responsibilities allocated to named people | [1] |
| retention of several generations of records, at least one of which should be held at a different location | [1] |
| identification of, and provision for, replacement equipment and communication facilities | [1] |
| 1 mark for each separate consideration, up to a maximum of 6 marks | |
| | [6 marks] |
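Three of the considerations above (several generations of records with at least one off-site, periodic testing of the plan, and recovery priorities agreed before any disaster) are concrete enough to be checked mechanically against an inventory of backup sets. The following is an added example, not part of the original examination paper or its marking scheme; the inventory model (`Generation`, `DataSet`, `Policy`), the thresholds, and the data set names, sites and dates are all constructed for illustration.

```python
"""Added example (not from the original exam paper): check a backup inventory
against a written backup and recovery policy.  All names, sites, dates and
thresholds below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Generation:
    taken: date          # date this generation of the records was produced
    site: str            # where the copy is physically held
    verified: bool       # a restore of this copy was test-read successfully


@dataclass
class DataSet:
    name: str
    priority: Optional[int]              # recovery order agreed in advance; None = never decided
    generations: List[Generation] = field(default_factory=list)


@dataclass
class Policy:
    primary_site: str                    # site whose loss the plan must survive
    min_generations: int = 3             # assumed: keep at least three generations
    restore_test_every: timedelta = timedelta(days=90)   # assumed test period


def check_dataset(ds: DataSet, policy: Policy, today: date) -> List[str]:
    """Return the list of findings for one data set (empty means compliant)."""
    findings = []
    gens = sorted(ds.generations, key=lambda g: g.taken, reverse=True)
    if len(gens) < policy.min_generations:
        findings.append(f"{ds.name}: only {len(gens)} generation(s) retained, "
                        f"policy requires {policy.min_generations}")
    # At least one generation must sit somewhere other than the primary site.
    if not any(g.site != policy.primary_site for g in gens):
        findings.append(f"{ds.name}: no generation held away from {policy.primary_site}")
    # Periodic testing: the most recent verified restore must be within the test period.
    tested = [g.taken for g in gens if g.verified]
    if not tested:
        findings.append(f"{ds.name}: no generation has ever been restore-tested")
    elif today - max(tested) > policy.restore_test_every:
        findings.append(f"{ds.name}: last restore test on {max(tested)} is older than "
                        f"{policy.restore_test_every.days} days")
    if ds.priority is None:
        findings.append(f"{ds.name}: recovery priority not agreed in advance")
    return findings


def recovery_order(datasets: List[DataSet]) -> List[str]:
    """Data set names in restore order: agreed priorities first, unprioritised last."""
    return [d.name for d in sorted(datasets,
                                   key=lambda d: (d.priority is None, d.priority or 0))]


def audit(datasets: List[DataSet], policy: Policy, today: date) -> List[str]:
    findings = []
    for ds in datasets:
        findings.extend(check_dataset(ds, policy, today))
    return findings


# Constructed sample inventory for a head office with one off-site vault.
POLICY = Policy(primary_site="head-office")
TODAY = date(1997, 8, 1)
SAMPLE = [
    DataSet("payroll", 1, [
        Generation(date(1997, 7, 31), "head-office", False),
        Generation(date(1997, 7, 24), "vault", True),
        Generation(date(1997, 7, 17), "head-office", False),
    ]),
    DataSet("ledger", 2, [                      # too few copies, none off-site, never tested
        Generation(date(1997, 7, 31), "head-office", False),
        Generation(date(1997, 7, 24), "head-office", False),
    ]),
    DataSet("marketing-mailing", None, [        # fine except nobody agreed its priority
        Generation(date(1997, 7, 30), "head-office", False),
        Generation(date(1997, 6, 30), "vault", True),
        Generation(date(1997, 5, 30), "vault", False),
    ]),
    DataSet("archive", 3, [                     # last successful restore test is stale
        Generation(date(1997, 7, 15), "head-office", False),
        Generation(date(1997, 7, 1), "head-office", False),
        Generation(date(1997, 4, 1), "vault", True),
    ]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, POLICY, TODAY):
        print("FINDING:", finding)
    print("Restore order:", ", ".join(recovery_order(SAMPLE)))
```

Running the check on the constructed inventory reports nothing for `payroll`, three findings for `ledger`, one each for `marketing-mailing` and `archive`, and a restore order of payroll, ledger, archive, then the unprioritised mailing list; the point of the exercise is that every consideration in the list above becomes a question with a yes-or-no answer once the inventory is written down.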
| (c) Identify and explain three stages in the initiation of a security programme. | [6] |
|---|---|
| The three obvious stages are: | |
| obtain management approval | [1] |
| make and keep management aware of the consequences of a disaster; identify and explain the cost of the programme; obtain management input; avoid problems later (1 mark for any suitable explanation) | [1] |
| establish and train a data security organisation | [1] |
| provide an organisation and assign responsibilities; separate conflicting duties (1 mark for any suitable explanation) | [1] |
| carry out priority actions | [1] |
| identify vital records and programs; arrange for backup in secure storage; arrange for alternative data processing capability; impose access control (1 mark for any suitable explanation) | [1] |
| In each case, 1 mark for a correct identification of the stage and 1 mark for a genuine explanation | |
| | [6 marks] |