
SECURITY MANAGEMENT AND GOVERNANCE

(BIT361)
SEMESTER 2, REVISION 2019
Note: the exam will have the following rules that must be followed:

Duration: 15 minutes reading time and 2.5 hours writing time
Room:

Instructions:

• Answer ALL questions.


• Answers should be written in the exam booklet.
• Ensure your name and student number are on the front of the examination paper and
exam booklet.
• Allowable materials:
o An unmarked, non-specialist, paper-based English dictionary
o One side of one A4 sheet, hand-written (no photocopies allowed)
• Only approved calculators are permitted to be used during the exam.
• Calculators can be used to perform necessary calculations, but internet browsing is
strictly prohibited.
• Examination papers and other material provided by Melbourne Polytechnic are not
to be removed from the examination room.
• Use of mobile phones, iPads, laptops or any other technology or communication devices is
STRICTLY PROHIBITED in the exam room and will NOT BE PERMITTED
UNDER ANY CIRCUMSTANCES.

Marks:
Part A – 30 marks
Part B – 60 marks
Total – 90 marks (50% of the total assessment)

1. There are several definitions of the term security. Find two different definitions and
compare them.

2. When designing security measures or controls, some feel these may restrict the
organisation. Discuss how the impact of controls on the organisation should be taken into
account when designing control measures. Discuss the relationship between an organisation's
mission and strategies and the implementation of a security program.

3. Management and governance are two important concepts in any organisation. What are
the goals and responsibilities of each, and how do they interact with and reinforce one another?

4. Define the terms Policy, Guideline, and Standard.

5. Define the terms baselining and benchmarking. Describe the purpose of baselining and
benchmarking when developing a security program.

6. A security model is different from a security blueprint. Discuss the purpose and use of
each.

7. Define the terms 'Security Policy' and 'Security Appetite'. How does an organisation's
'Security Appetite' relate to the selection of control strategies? Security policies need to
be developed, implemented, and maintained. What do the terms developed, implemented,
and maintained mean? Why is each important?

8. Access control consists of four processes. Describe each of these processes. What are the
major approaches to authentication? Give examples of each.

9. Risk management and contingency plans must be tested. What approaches to testing the
plans are available? What are the difficulties/strengths of each? Risk assessment, risk
management, and contingency planning are three different aspects of security planning,
implementation, and operations. Discuss the role of each, the tasks that need to be
performed for each and how they relate to one another.

10. The four main security areas in a large organization are:

• Functions performed by non-technology business units outside IT
• Functions performed by IT groups outside InfoSec
• Functions performed within the InfoSec department as a customer service to the
organization
• Functions performed within the InfoSec department as a compliance enforcement
obligation

Describe the security responsibilities of each area.

11. List the common roles of employees working within the InfoSec area of an organization.
What are the tasks/responsibilities of each of these roles?

12. Describe the purpose and use of Benchmarking and Baselining when developing and
implementing a security program. What are the limitations of each approach?

13. Define the terms threat, vulnerability, asset and control. Discuss how they are used in
determining a risk management plan.

14. What is risk assessment? What is risk management? Describe the steps used to perform a
risk assessment. After a risk assessment is performed, strategies for controlling risk need
to be determined. What are the common strategies used to control risk? Describe each of
these strategies. Prepare a diagram that depicts the risk management process.

15. The terms ‘qualitative’ and ‘quantitative’ are frequently used to discuss measures or
metrics in the text. What does each of these terms mean? Why or when should each type
of measure be used? When or why should each NOT be used?

16. Discuss the importance of an organisation's values, vision and mission statements. What
roles do these statements play in determining an organisation's strategies?

17. What are the security precautions that need to be put in place when recruiting and hiring
new employees? What steps need to be taken when an employee leaves an organisation?

18. What is a contingency plan? What are its key components? What is the purpose of each of
these components? Describe the process of creating a contingency plan. In the case of a
severe event, discuss the order in which the plan is implemented. How does risk
management relate to contingency planning?

Healthy Dinners LLC Case Study


Healthy Dinners is an evening meal delivery business. The company delivers sets of
complete meals, ready to be cooked, to individual homes. A meal consists of a menu (a list of
the foods to prepare), instructions for cooking the meal, and a box of all the ingredients
necessary for the meal. A customer can order single meals or a whole week's meals, or
subscribe to the service for regular scheduled deliveries. The company has developed a
website to sell the products: it receives customer orders and payments and sends shipping
details to the packing house. The menus are created by a group of skilled chefs who prepare
the meal plans. Marketing then takes these meal plans, updates the website meal list,
prepares the menu and instructions document, and sends this to the packing house. The
packing house is located near the main food wholesale market, while marketing, menu
planning and headquarters are located in the central city. All of the company's data is stored
on its servers at the city office. Each physical location has an internet connection, and a VPN
is used to support the internal networking requirements across all locations. The servers for
the online presence are run by an outside provider. High-quality printing devices are used at
the packing house to print the menus. In-house developed software is used to determine the
delivery schedules and packing requirements for each day; this includes producing a set of
purchase orders for the goods that need to be bought to fulfil the day's shipment and packing
requirements for each customer.

19. Identifying the assets of an organization is a necessary aspect of performing a risk
assessment. What are the key information system components (or categories) that can be
used to help one identify the information assets of an organization?

20. What does it mean to prioritize an organisation’s assets? What techniques can be used to
prioritize them? What assets in each category can you find in the Healthy Dinners Case
Study?

21. Using several of the assets you have identified, complete the table below.

                          Revenue    Profitability    Public image    Score
                          impact     impact           impact          (asset impact)
    Criterion weight ->   30         50               20
    Assets (list below)

22. Using the following threats, ranked from most serious to least serious: espionage, human
error, and hardware failure, together with the assets from the previous question, complete the
first row (assets) and first column (threats) of the following TVA table. For the assets you
have listed, suggest a vulnerability for each asset/threat combination and complete the TVA
table.

    Threats (most serious first)   Assets (highest priority first) ->
    v
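The two tables in questions 21 and 22 can be worked mechanically: question 21 is a weighted factor analysis (an asset's score is the sum, over the criteria, of criterion weight times the asset's impact rating), and question 22 lays that priority order across the top of the TVA worksheet with the threats, most serious first, down the side. The Python below is an added example written for this revision sheet; it is not part of the exam paper or of the textbook the course follows. The asset names come from the Healthy Dinners case study and the 30/50/20 weights come from the table in question 21, but the 0.0 to 1.0 rating scale, the impact ratings, the `TiVj` cell labels and the vulnerability descriptions are constructed assumptions used only to show the mechanics.

```python
"""Weighted factor analysis (Q21) and TVA worksheet layout (Q22).

Added example for the Healthy Dinners case study. Asset names are from the
case study; ratings, scale and vulnerability text are constructed assumptions.
"""
from dataclasses import dataclass

# Criterion weights from question 21's table. They must sum to 100 so that an
# asset's score reads as a percentage of the worst possible impact.
CRITERIA = {"revenue": 30, "profitability": 50, "public_image": 20}

# Threats from question 22, most serious first (list position = severity rank).
THREATS = ["Espionage", "Human error", "Hardware failure"]


@dataclass
class Asset:
    name: str
    # criterion -> impact rating on an assumed 0.0 (no impact) .. 1.0 (total loss) scale
    impact: dict


def check_weights(weights):
    """Reject a criterion set whose weights do not sum to 100."""
    total = sum(weights.values())
    if total != 100:
        raise ValueError(f"criterion weights must sum to 100, got {total}")


def weighted_score(asset, weights=CRITERIA):
    """Sum of weight x impact over all criteria.

    A missing or out-of-range rating is an error rather than a silent zero:
    a zero would quietly push the asset to the bottom of the priority list.
    """
    check_weights(weights)
    score = 0.0
    for criterion, weight in weights.items():
        rating = asset.impact.get(criterion)
        if rating is None:
            raise KeyError(f"{asset.name!r} has no rating for {criterion!r}")
        if not 0.0 <= rating <= 1.0:
            raise ValueError(f"rating for {criterion!r} must be in 0..1, got {rating}")
        score += weight * rating
    return round(score, 1)


def rank_assets(assets, weights=CRITERIA):
    """Highest weighted score first; ties keep their input order."""
    return sorted(assets, key=lambda a: weighted_score(a, weights), reverse=True)


def build_tva(assets, threats, weights=CRITERIA):
    """Build the empty TVA worksheet.

    Columns are assets in priority order (the table's first row); rows are
    threats in severity order (its first column). Cell label TiVj uses the
    threat rank i and asset rank j (a naming convention assumed here) and the
    cell collects the vulnerabilities found for that threat/asset pair.
    """
    ranked = rank_assets(assets, weights)
    cells = {}
    for t_idx, threat in enumerate(threats, start=1):
        for a_idx, asset in enumerate(ranked, start=1):
            cells[(threat, asset.name)] = {"id": f"T{t_idx}V{a_idx}", "vulnerabilities": []}
    return ranked, cells


def add_vulnerability(cells, threat, asset_name, description):
    """Attach a vulnerability to a cell; an unknown threat/asset pair is rejected."""
    key = (threat, asset_name)
    if key not in cells:
        raise KeyError(f"no TVA cell for threat {threat!r} and asset {asset_name!r}")
    cells[key]["vulnerabilities"].append(description)
    return cells[key]["id"]


def render_tva(ranked, threats, cells):
    """Plain-text rendering of the worksheet, one line per threat."""
    header = "Threats \\ Assets | " + " | ".join(f"{a.name} ({weighted_score(a)})" for a in ranked)
    lines = [header]
    for threat in threats:
        row = []
        for a in ranked:
            cell = cells[(threat, a.name)]
            vulns = "; ".join(cell["vulnerabilities"]) or "(none listed)"
            row.append(f"{cell['id']}: {vulns}")
        lines.append(f"{threat} | " + " | ".join(row))
    return "\n".join(lines)


# Constructed ratings (assumptions) for four assets named in the case study.
EXAMPLE_ASSETS = [
    Asset("Packing-house printers", {"revenue": 0.3, "profitability": 0.4, "public_image": 0.1}),
    Asset("Customer order and payment data", {"revenue": 1.0, "profitability": 0.8, "public_image": 1.0}),
    Asset("Site-to-site VPN", {"revenue": 0.6, "profitability": 0.6, "public_image": 0.2}),
    Asset("In-house scheduling software", {"revenue": 0.7, "profitability": 0.9, "public_image": 0.3}),
]


def example_worksheet():
    """Fill a few cells with hypothetical vulnerabilities and render the table."""
    ranked, cells = build_tva(EXAMPLE_ASSETS, THREATS)
    add_vulnerability(cells, "Espionage", "Customer order and payment data",
                      "hosted by an outside provider; access logging not described")
    add_vulnerability(cells, "Human error", "In-house scheduling software",
                      "wrong purchase orders generated from mistyped menu data")
    add_vulnerability(cells, "Hardware failure", "Site-to-site VPN",
                      "single internet link per site, no described failover")
    return ranked, cells, render_tva(ranked, THREATS, cells)


if __name__ == "__main__":
    print(example_worksheet()[2])
```

With the constructed ratings the customer order and payment data scores 90.0 and heads the asset row, so the espionage/payment-data cell becomes T1V1, which is the pair a risk assessment would look at first; changing the weights or ratings reorders the columns without touching the threat ordering, which is the point of keeping the two rankings separate.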

23. Complete the exercises in week 7’s workshop.
