
CHAPTER 4

SITUATIONAL PROBLEM

SINAG Designs hired a consulting firm three months ago to redesign the information system
used by the architects. The architects will be able to use state-of-the-art CAD (Computer-Aided Design)
programs to help them design the products.

Further, they will be able to store these designs on a network server where they and other
architects can call them back up for future designs with similar components. The consulting
firm has been instructed to develop the system without disrupting the architects. In fact, top management
believes that the best route is to develop the system and then to "introduce" it to the architects during a
training session.

Management does not want the architects to spend precious billable hours guessing about the new
system or putting work off until the new system is working. Thus, the consultants are operating under a
shroud of secrecy.

A. Do you think that management is taking the best course of action for the announcement of the
new system? Why?

No. Management should announce the plan and try to gain support from the very beginning. This
is done by letting the intended users work with the software, and document and reflect on any defects,
irregularities and workflow mismatches they discover while doing so. It gives the intended users a chance
to check the system before implementation and see whether it fits their current way of carrying out the
business process. Secrets are not easily kept in organizations: the consultants will be seen in meetings
with management. The proposed plan will probably backfire and cause the architects to waste time trying
to guess what is happening. Anxiety may result and, in the worst case, some of the best and most
marketable employees may seek employment elsewhere.

B. Do you approve of the development process? Why?

Yes. In order to be competitive in the market, an organization must constantly build, replace and
maintain its information systems. A development process is relevant because it provides a well-defined
road map, so that all groups engaged in the project understand the overall process and where and how
they fit into it. However, in this case the users are not engaged in the analysis phase, where the system
requirements are defined. Management should consider whether the system under development satisfies
the users' needs and requirements, and the systems development process should include the end users.
The time invested in user acceptance testing (UAT) leads to significant improvements in system quality.
The day-to-day users of the CAD system will be the architects, so they should play a very active role in
the development process. Engaging the users in the development process is therefore essential to
minimize the risk that the new system will cause business interruptions.

CHAPTER 5

EXERCISE II

1. Risks:
- Damage to the hardware system.
- Loss of data due to hardware damage.
- Data loss and hardware damage incur a lot of additional overhead for maintenance and repair.
- Catastrophic damage to computer equipment and electronic data.
Preventive controls:
- The network manager should adhere to a policy prohibiting food, liquids and the like at or near the
mainframe, together with constant backups and a gas suppressant system.
- Security cameras, a badge reader and signs placed at the door of the computer room. Discipline anyone
who disobeys the signage.
- Consider installing supplementary fire protection such as "clean agent" fire protection, which uses
colorless, odorless gases that are non-toxic, non-conductive and non-corrosive.

2. Risks:
- Attackers frequently resort to searching trash for useful information; they can learn a lot about a
person or company from discarded information.
- Most dumpsters and trash bins are not secured, which makes this confidential information accessible
to people who are not authorized to use it and who might use it to access customers' data and commit theft.
Preventive controls:
- Formulate error-detection internal controls to detect errors that might cause the operating system to
malfunction and leak relevant information and data. Separation of duties between program design and
program operation would most likely prevent this problem, as would allowing no external disk access on
critical systems.
- Management commitment and employee awareness where the shredding or burning of all important
printed documents is concerned.

3. Risks:
- System crash or data corruption.
- Destruction of confidential data and application programs, and inaccessibility of this information.
Preventive controls:
- Install a strong anti-virus application to ensure that the computers are secured from viruses, and make
sure the anti-virus signatures and features are kept up to date.
- A preventive block would be to give the secretary a general user account, limiting her access to critical
systems during her transition out of the company.
- Virus detection; restrict who is allowed to put new software on the system; an intrusion detection
system; deny access when many connections try to reach the system at once (DDoS).

4. Risks:
- The virus can be an avenue for cybercriminals to collect the company's relevant data.
- It can alert hackers to the infected company's mainframe and open the door for more damage. They may
be able to view private files or even watch what is displayed on the target's monitor in real time, which
can lead to embarrassing situations.
Preventive controls:
- IT governance policy: do not allow anyone except administrators to install programs on the operating
system.
- Install subscription-based software.
- Avoid downloading applications from the internet, especially from untrusted sites, and avoid using
applications in the workplace that are not approved by management.

5. Risks:
- Accessibility of relevant data and information to the business's competitors.
- The former employee can blackmail the former boss, extorting money by threatening to leak private
data.
- They may also blackmail the business by cutting off access to corporate websites and applications until
their demands are met.
Preventive controls:
- Upon Murray's announcement that he was leaving, his access privileges should have been revoked and
he should have been escorted from the premises. Further, since he had access to all other users'
passwords, a message should immediately have been sent to all users requiring them to change their
password or have their account locked until they do.
- Change the passwords for all privileged, shared or critical accounts that the ex-employee had access to.
- Ensure every shared log-in uses a strong, randomized password created with a password generator.
- Set up a business password manager to be used by every employee within the organization, and
centralize all passwords and other critical documentation in it.

EXERCISE III

A. Length of Password

Longer passwords are associated with higher password entropy, which is a measure of how
much uncertainty an attacker faces about the key. More entropy means a stronger password, because
every additional bit doubles the number of guesses an attacker must make. Entropy depends on how the
password was generated, not only on how it looks: a long passphrase made of several randomly chosen
dictionary words can be at least as strong as a shorter string of random characters, because the number
of possible word combinations grows exponentially with the number of words. Passphrases made of
actual words are also easier to remember and help users manage them more securely. Short passwords
are relatively easy to break, so the idea is to create longer ones for added security and to make them
less predictable.

B. The Use of Numbers or Symbols in Passwords

The greater the variety of characters in the password, the harder it is to guess. A password is
much stronger if it can include all symbols, including punctuation marks and any symbols unique to your
language. An organization should establish and enforce a policy regarding the use of numbers and
symbols in passwords, because mixing numbers, letters and special symbols increases the number of
possible combinations. In a brute-force attack, where the attacker tries every combination, each
additional character class enlarges the search space, so the attack becomes harder to conduct. Character
variety helps only if the extra characters are actually unpredictable: substituting "0" for "o" or appending
"1!" are patterns that password-cracking tools try first.

C. Using Common Words or Names as Password

Passwords shall not consist of well-known or publicly posted identification information.
Names, usernames such as the My ID, and ID numbers are all examples of well-known identification
information that should not be used as a password. Using common words or names opens an avenue for
a dictionary attack, an attack that takes advantage of the fact that people tend to use common words and
short passwords. The attacker uses a list of common words (the dictionary) and tries each of them, often
with numbers before and/or after the word, against every username in the company.
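The points in A, B and C can be checked mechanically. The following Python script is an added example, not part of the original submission: it estimates entropy for random strings and for word-based passphrases, models the dictionary attack described in C (strip digits and symbols from the ends of the password, then look the core up in a word list), and combines the rules into a simple policy check. The word list, the attacker speed of 1e10 guesses per second, the identifiers and the sample passwords are constructed assumptions, and exempting long multi-word passphrases from the character-class rule is a design choice of this example, consistent with section A.

```python
"""Password-strength checks illustrating sections A, B and C.

Added example (not part of the original document). The word list, the
attacker speed and the sample passwords are constructed for the demo;
a real deployment would load a large breach-derived list such as rockyou.txt.
"""
import math
import string

# Constructed stand-in for a cracking dictionary (assumption: a few entries).
COMMON_WORDS = {"password", "welcome", "admin", "summer", "dragon",
                "qwerty", "letmein", "monkey"}

# Assumed attacker speed for the time-to-crack estimate: 10 billion guesses
# per second, in the range of one GPU against a fast unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the alphabet the password draws from (section B).

    Each character class that appears adds its whole class, because a
    brute-force attacker must search the full class, not just the
    characters actually used.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    if " " in password:
        size += 1
    return size


def character_classes(password: str) -> int:
    """How many of the four classes (lower, upper, digit, symbol) appear."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def random_string_entropy(password: str) -> float:
    """Bits of entropy if every character were drawn uniformly from the
    alphabet in charset_size() (sections A/B). This is an upper bound that
    is only honest for generated passwords, not for human-chosen ones."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy(n_words: int, wordlist_size: int = 7776) -> float:
    """Bits of entropy for n words drawn uniformly from a list (section A).
    7776 is the size of a standard Diceware list."""
    return n_words * math.log2(wordlist_size)


def seconds_to_crack(entropy_bits: float,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: half the keyspace on average."""
    return 2 ** (entropy_bits - 1) / guesses_per_second


def dictionary_base(password: str, words=COMMON_WORDS):
    """Return the common word the password is built on, or None (section C).

    Mirrors the dictionary attack described above: strip digits and symbols
    from both ends, then look the remaining core up case-insensitively.
    """
    core = password.strip(string.digits + string.punctuation).lower()
    return core if core in words else None


def is_passphrase(password: str, min_words: int = 4) -> bool:
    """Design choice of this example: several real words count as a
    passphrase and are exempt from the character-class rule (section A)."""
    words = password.split()
    return len(words) >= min_words and all(len(w) >= 3 for w in words)


def check_policy(password: str, identifiers=(), min_length: int = 12):
    """Apply the rules from sections A-C and return the violations found."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if not is_passphrase(password) and character_classes(password) < 3:
        violations.append("fewer than 3 character classes")
    word = dictionary_base(password)
    if word:
        violations.append(f"built on common word '{word}'")
    lowered = password.lower()
    for ident in identifiers:  # names, usernames, ID numbers (section C)
        if ident and ident.lower() in lowered:
            violations.append(f"contains identifier '{ident}'")
    return violations


if __name__ == "__main__":
    # Constructed samples: a human-chosen password, a generated 12-character
    # string, and a four-word Diceware-style passphrase.
    for pw in ["Summer2019", "k7#Qz9!mBw2$", "correct horse battery staple"]:
        bits = random_string_entropy(pw)
        print(f"{pw!r}: naive {bits:.1f} bits, "
              f"{seconds_to_crack(bits) / 86400:.1f} days at 1e10 guesses/s, "
              f"violations={check_policy(pw, identifiers=['jdoe'])}")
    # The honest figure for the passphrase counts words, not characters.
    print(f"4 Diceware words: {passphrase_entropy(4):.1f} bits, "
          f"{seconds_to_crack(passphrase_entropy(4)) / 86400:.1f} days")
```

Running it shows the pitfall behind section A: a character-by-character estimate credits "correct horse battery staple" with over 130 bits, while the word-based figure for four Diceware words is about 51.7 bits, which at the assumed 1e10 guesses per second is roughly two days. Entropy is a property of how the password was generated, not of how the string looks, so a policy should reward generated randomness (a password manager or dice) rather than visible complexity.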

D. Rotation of Password

Password rotation refers to changing or resetting a password. Limiting the lifespan of a
password reduces the risk from, and the effectiveness of, password-based attacks by shrinking the window
of time during which a stolen password remains valid. Password rotation should be implemented across
every account, system, networked hardware and IoT device, application and service. Passwords should be
unique, never reused or repeated, and randomized on a scheduled basis, upon check-in to a password
vault, or in response to a specific threat or vulnerability. One caveat a practitioner should keep in mind:
current NIST guidance (SP 800-63B) no longer recommends forcing users to change memorized
passwords on a fixed schedule, because it pushes them toward predictable variations of the old one, and
favors changing them when there is evidence of compromise. Scheduled rotation remains appropriate for
shared, privileged and machine credentials that are generated and stored by a vault rather than memorized.

E. Writing Passwords on Paper or Sticky Notes

As information security vulnerabilities go, writing a password on a piece of paper or
sticky note is low tech but profoundly dangerous nonetheless. The consequences of employees scribbling
down passwords are potentially devastating: anyone who passes the desk, including visitors, cleaners and
colleagues who have no business with that account, can read or photograph it. In some cases it might be
acceptable to write down a password that is shared by everyone who is going to use it, but only if no
outside people enter the office, and even then a posted shared password removes any accountability for
who actually used the account; a password manager is the better way to share it.
Final Output in AUDCISE (11:00-12:00 MWF)

Submitted by:
Maceda, Arjay A.
Manzala, Ricalyn P.
Salvatierra, Nalieta L.
Terceño, Erika Marie C.

Submitted to:
Albert Malquisto
October 2019
