December 1998
SC223: COMPUTER SECURITY

QUESTION 5

Total Marks: 20 Marks


SUGGESTED SOLUTIONS
Solutions and allocated marks are indicated in green.


(a) Identifying assets and determining vulnerabilities are two steps involved in analysing the security risks associated with a computing system. Name the other four. [4]
One mark should be awarded for each valid point.
  • Estimate likelihood of exploitation.
  • Compute expected annual loss.
  • Survey applicable controls and their costs.
  • Project annual savings of control.
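As an added worked example (not part of the exam paper or its answer key), the six steps above carried through in Python on constructed figures: an identified asset and its vulnerability, an estimated exploitation rate, the resulting expected annual loss, and the projected annual saving of each candidate control net of its cost.

```python
from dataclasses import dataclass

# All assets, rates, losses and control costs below are constructed sample
# values for illustration; they are not taken from the exam.

@dataclass
class Exposure:
    asset: str             # step 1: identified asset
    vulnerability: str     # step 2: vulnerability the asset is exposed to
    loss_per_event: float  # value lost each time the vulnerability is exploited
    annual_rate: float     # step 3: estimated exploitations per year

@dataclass
class Control:
    name: str
    annual_cost: float     # step 5: yearly cost of the control
    rate_reduction: float  # fraction of annual_rate the control removes (0..1)

def expected_annual_loss(e: Exposure) -> float:
    """Step 4: expected annual loss = loss per event x expected yearly frequency."""
    return e.loss_per_event * e.annual_rate

def annual_savings(e: Exposure, c: Control) -> float:
    """Step 6: loss the control avoids each year, minus what the control costs."""
    avoided = expected_annual_loss(e) * c.rate_reduction
    return avoided - c.annual_cost

def rank_controls(e: Exposure, controls: list) -> list:
    """Controls that pay for themselves, highest net annual saving first."""
    scored = [(annual_savings(e, c), c.name) for c in controls]
    return sorted([s for s in scored if s[0] > 0], reverse=True)

# Constructed sample: one asset/vulnerability pair and three candidate controls.
PAYROLL = Exposure("payroll database", "unpatched server", 50_000.0, 0.25)
CONTROLS = [
    Control("monthly patching", 4_000.0, 0.75),
    Control("offline backups", 2_500.0, 0.25),
    Control("dedicated firewall appliance", 12_000.0, 0.5),
]

if __name__ == "__main__":
    print(f"expected annual loss: {expected_annual_loss(PAYROLL):,.0f}")
    for saving, name in rank_controls(PAYROLL, CONTROLS):
        print(f"{name}: net annual saving {saving:,.0f}")
```

A control whose yearly cost exceeds the loss it avoids (the firewall appliance here) is dropped from the ranking, which is the decision the last two steps exist to support.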


(b) (i) Describe the reason for and the purpose of a security plan. [2]
The reason for a security plan is to describe how an organisation will address its security needs (1 mark). The purpose of a security plan is to identify and organise the security activities of a computing system (1 mark).

Other sensible answers should also receive credit.


(ii) Describe two issues which must be addressed by a security plan. [4]
One mark should be awarded for each valid point, and a further mark should be awarded for a satisfactory elaboration (up to a maximum of four marks).
  • Policy (1 mark). This indicates the goals of the computer security effort and the willingness to work to achieve these goals (1 mark).
  • Current state (1 mark). This describes the status of security at the time of the plan (1 mark).
  • Recommendations and requirements (1 mark). These describe how the security goals may be met (1 mark).
  • Timetable (1 mark). This identifies the different security functions which are to be carried out and when (1 mark).
  • Continuing attention (1 mark). This specifies a structure for updating the security plan periodically (1 mark).


(iii) Name two groups which should be represented on a security planning team. [2]
One mark should be awarded for each valid point (up to a maximum of two marks).
  • Computer hardware group.
  • Systems programmers.
  • Application programmers.
  • Physical security personnel.
  • User representatives.


(c) Describe two methods of developing and maintaining backup resources which may be used in the event of a disaster. [4]
One mark should be awarded for each valid point, and a further mark should be awarded for a satisfactory elaboration (up to a maximum of four marks).
  • Cooperative agreement (1 mark). This involves finding a business partner which is prepared to share its computing resources with you (and vice versa) in the event of a disaster (1 mark).
  • Hot and cold sites (1 mark). This is a fee-paying arrangement with a third party or service provider, in which a hot site has enough computing resources to take over critical applications when necessary, and a cold site has space into which equipment can be moved when necessary (1 mark).
  • Duplicate facilities (1 mark). Here, an exact set of resources is duplicated at another location to be used as a stand-by (1 mark).

Other sensible answers should also receive credit.


(d) Describe two processes which are associated with testing a disaster plan. [4]
One mark should be awarded for each valid point, and a further mark should be awarded for a satisfactory elaboration (up to a maximum of four marks).
  • Disaster simulation (1 mark). Disaster simulation testing is useful to ensure that employees are aware of the plan and are able to respond to it when required (1 mark).
  • Evaluating the results (1 mark). Evaluating the test results ensures that both the human and technical issues are correctly dealt with (1 mark).