L13 SecMgmtGov Revision 19s2-1
(BIT361)
SEMESTER 2, REVISION 2019
Note: the exam will have the following rules that must be followed:
Instructions:
Marks:
Part A – 30 marks
Part B – 60 marks
Total – 90 marks (50% of the total assessment)
1. There are several definitions of the term security. Find two different definitions and
compare them.
2. When designing security measures or controls, some feel these may restrict the
organisation. Discuss how the use of controls affects the design of control
measures. Discuss the relationship between an organisation's mission and strategies and
the implementation of a security program.
3. Management and governance are two important concepts in any organisation. What are
the goals and responsibilities of each, and how do they interact with and reinforce one another?
5. Define the terms baselining and benchmarking. Describe the purpose of baselining and
benchmarking when developing a security program.
6. A security model is different from a security blueprint. Discuss the purpose and use of
each.
7. Define the terms ‘Security Policy’ and ‘Security Appetite’. How does an organisation’s
‘Security Appetite’ relate to the selection of control strategies? Security Policies need to
be developed, implemented, and maintained. What do the terms developed, implemented,
and maintained mean? Why is each important?
8. Access control consists of four processes. Describe each of these processes. What are the
major approaches to authentication? Give examples of each.
9. Risk management and contingency plans must be tested. What approaches to testing the
plans are available? What are the difficulties/strengths of each? Risk assessment, risk
management, and contingency planning are three different aspects of security planning,
implementation, and operations. Discuss the role of each, the tasks that need to be
performed for each and how they relate to one another.
12. Describe the purpose and use of Benchmarking and Baselining when developing and
implementing a security program. What are the limitations of each approach?
13. Define the terms threat, vulnerability, asset, and control. Discuss how they are used in
determining a risk management plan.
14. What is risk assessment? What is risk management? Describe the steps used to perform a
risk assessment. After a risk assessment is performed, strategies for controlling risk need
to be determined. What are the common strategies used to control risk? Describe each of
these strategies. Prepare a diagram that depicts the risk management process.
15. The terms ‘qualitative’ and ‘quantitative’ are frequently used to discuss measures or
metrics in the text. What does each of these terms mean? Why or when should each type
of measure be used? When or why should each NOT be used?
16. Discuss the importance of an organisation’s values, vision and mission statements. What
roles do these statements play in determining an organisation’s strategies?
17. What are the security precautions that need to be put in place when recruiting and hiring
new employees? What steps need to be taken when an employee leaves an organisation?
18. What is a contingency plan? What are its key components? What is the purpose of each of
these components? Describe the process of creating a contingency plan. In the case of a
severe event, discuss the order in which the plan is implemented. How does risk
management relate to contingency planning?
19. Identifying the assets of an organization is a necessary aspect of performing a risk
assessment. What are the key information system components (or categories) that can be
used to help one identify the information assets of an organization?
20. What does it mean to prioritize an organisation’s assets? What techniques can be used to
prioritize them? What assets in each category can you find in the Healthy Dinners Case
Study?
21. Using several of the assets you have identified, complete the table below.
22. Using the following threats: (most serious) espionage, human error, and (least serious)
hardware failure, and the assets from the previous question, complete the first row and
column of the following TVA table. For the assets you have listed, suggest a vulnerability
for each asset/threat combination and complete the TVA table.
Assets
Threats