December 1998
SC223: COMPUTER SECURITY

QUESTION 3

Total Marks: 20 Marks

SUGGESTED SOLUTIONS
Solutions and allocated marks are indicated in green.

 

(a) (i) Name four activities which are carried out by internal auditors during the auditing process. [4]
One mark should be awarded for each valid point (up to a maximum of four marks). Examples include the following:
  • Be actively involved in the development process.
  • Ensure adequate audit and security requirements are incorporated.
  • Participate in reviews at project checkpoints.
  • Review application systems.
  • Review computer security policy and procedures.
  • Introduce advanced techniques for auditing sophisticated computer systems.

Other sensible answers should also receive credit.

 

(ii) What is the primary function of an external auditor? [1]
The external auditor’s primary function is to express an opinion on an organisation’s accounts procedures, based on an examination of books and records.

Other sensible answers should also receive credit.

 

(iii) Why is the role of an internal auditor not simply an extension of that of an external auditor? [1]
Because the internal auditor may have a high-level role which aims at reporting on the managerial effectiveness of the organisation, or their role may involve primarily checking on systems and procedures and investigating whether these are being enforced.

Other sensible answers should also receive credit.

 

(b) (i) Why are auditors sometimes actively discouraged from auditing through complex computer systems? [1]
Because, typically, a communication gap exists in that the auditors rarely have any deep computer expertise.

Other sensible answers should also receive credit.

 

(ii) Why are considerable sums of money typically expended on providing security for systems which are already operational? [1]
Because very few systems which are currently in existence have had security as a prime objective.

Other sensible answers should also receive credit.

 

(iii) Name two problems in ensuring that the audit function makes a realistic contribution to computer security. [2]
One mark should be awarded for each valid point (up to a maximum of two marks). Examples include the following:
  • The provision of adequate trained personnel.
  • There has been very limited training available either for auditors or for managers in the objectives, scope and approach of computer auditing.

Other sensible answers should also receive credit.

 

(c) (i) Describe three ways of protecting original products. [6]
One mark should be awarded for each valid point, and a further mark should be awarded for each satisfactory elaboration.
  • Copyrights (1 mark). Copyrights apply to creative works, such as programs, songs or stories, and are designed to protect the expression of ideas (1 mark).
  • Patents (1 mark). Patents are designed to protect devices or processes which carry out ideas, rather than the ideas themselves, and apply to the results of science, engineering, and technology (1 mark).
  • Trade secrets (1 mark). A trade secret is information which gives one company a competitive advantage over others: such information must be kept secret; it has no value otherwise (1 mark).

Other sensible answers should also receive credit.

 

(ii) For each of the following, identify which method of protection is most appropriate: [4]
  • Documentation.
  • A customer mailing list.
  • Chips.
  • Software.

One mark should be awarded for each of the following:
  • Documentation: copyright.
  • Customer mailing list: trade secret.
  • Chips: patent.
  • Software: copyright.