Reference no: EM132550122

Question Q1:
a) Explain, what main functions under an InfoSec program would you recommend a smaller organisation with three full time staff and two or three part-time roles from other parts of the business.? Specify for InfoSec department and other departments. Specify the functions that would be performed by the different departments and indicate if any functions could be outsourced. Justify your allocation of functions.

b) The New Zealand Privacy Act 1993 focuses on the storage and security of personal information. It requires agencies to ensure that the personal information is protected by reasonable security safeguards. Discuss how the New Zealand COVID tracing app adheres to all the relevant principles of the New Zealand Privacy Act and ensures that there will be no personal data compromise? information in consideration of each of the specific principles of New Zealand Privacy Act?.

Question Q2:
a) Consider a data classification scheme that contains the categories "confidential", "sensitive", and "unclassified" . Define these categories first, and then apply them to categorise five information assets contained in your personal computer. Explain the reason for the classification of each of the assets.

b) Consider a home office that comprises a laptop running the latest Windows OS, a monitor, a wireless keyboard and a wireless mouse ( one dongle), a backup device (external hard disk), an external DVD drive, and a fibre optic based Internet connection managed by an ISP that connects the home office Wi-Fi to the Internet. Perform a TVA (threat -vulnerability-asset) assessment of the home office IT infrastructure based on your general knowledge about the hardware described. Include all assets and identify at least three threats (see Table 6-8 on page 341).

Question Q3:
a) What risk treatment strategies would you recommend to banking industry as part of their information security program? Explain these in the context of the various business processes and resources.
b) Consider the case of ABC Software Company which is facing a number of major information security threats (as listed in the table below). The information security team has estimated the cost per incident which the company will bear if the threat is materialised. Calculate the Single Loss Expectancy (SLE), Annualized Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE) for each threat.

 

ABC Software Cost per             Frequency of             SLE ARO ALE

Company major incident         Occurrence

threats

Programmer      $4,500.00     2 per week

mistakes

Flood            $250,000.00     1 per 10 years

Virus, Worms, $1,500.00        1 per week

Trojan

Denial-of-                   $6,500.00     1 per quarter

service attacks

Theft of            $6,000.00     1 per 6 months

information

Question Q4:
a) Consider a tertiary education organization (e.g., a university). Consider applying mandatory access controls vs non-discretionary access controls with respect to student records. (Assume that student records include these four categories: (i) personal details,( H) external documents supplied by the student, (Hi) records about study progress, e.g., enrolment and grades , and (iv) internal documents generated administratively such as letters sent to the student). Which approach would you recommend, mandatory access controls or nondiscretionary access controls? Justify your recommendation, referring specifically to the four categories above.

b) Why is it a good security practice to collect and report near-miss event in which major incidents were only narrowly averted (such as spam messages that were not filtered out ) need to be collected and reported? Explain your answer providing five examples of hypothetical near-miss events. and what weaknesses they may indicate.