HW 1 (Toegangsbeheer Access Control 3.10 2009) 2016


Name: ___________________________

Auditing 378
US number: ______________________

Homework 1 Course: _________________________

15 marks

You are an auditor at the firm Mstr_yoda and Partners. Your best friend, Johann du Plooy,
is a director of Bruinwaves Ltd and has approached you for help. The company is a
travel agency that arranges exclusive trips for people who want not only a holiday
but also security services. Most of the company's clients are
foreign entertainment stars. These people prefer to keep their travel plans
secret and to enjoy security. Bruinwaves Ltd has already built up a good
reputation for being reliable in making such arrangements.

After the company was involved in the travel arrangements of the well-known stars Brads
Armpitts and Angrelina Doily, they quickly realised that the security of their data
relating to their clients' confidential information is not adequate. The risk of
information ending up in unauthorised hands simply started to become too great.

The system is currently very simple and allows employees to log on with a password at
their terminals, which are all in one open-plan office. This then gives the
person access to the entire network system. The network is only a local area
network and currently has no connection to the internet. The person who is
logged on then has access to all the information loaded on the server's hard
drive.

The building is usually locked in the evenings and there is a security guard who patrols
every 20 minutes to check that everything is in order.

REQUIRED

Write a memorandum to your friend, Johann du Plooy, in which you provide suggestions to
improve the security of their confidential information. (15)


You are an auditor at the firm Mstr_yoda and Partners. Your best friend, Johann du
Plooy, is a director of Bruinwaves Ltd and contacted you for assistance. The
company is a travel agent, which organises exclusive tours for people who want not
only a holiday, but also additional security services. Most of the company’s
clients are overseas entertainment celebrities. These people prefer to keep their
travel arrangements confidential and have additional security. Bruinwaves Ltd has
built up a good reputation that they can be trusted to make such arrangements.

After the company was involved with the travel arrangements of well-known
celebrities, Brads Armpitts and Angrelina Doily, they quickly realised that the security
with regard to confidential information of their clients is not up to standard. The risk
that the information gets into the wrong hands has just become too big.

The system is currently quite a simple one and allows employees to log in at their
terminals, which are all located in an open plan office, with a password. This then
gives the user access to the whole network system. The network is only a local area
network, and currently without a connection to the internet. The user who is logged
on has access to all the information that is stored on the server.

The building is usually locked at night and there is a security guard who patrols
every 20 minutes to ensure that everything is in order.

REQUIRED

Write a memorandum to your friend, Johann du Plooy, where you give suggestions to
improve the security around their confidential information. (15)


MEMORANDUM

TO: Johann du Plooy
FROM: Mstr_yoda and Partners
RE: Security for data protection
Date

Herewith the suggestions for improving the security around your confidential information.

Security management

A document setting out a clear security policy must be drawn up, so that every
staff member can sign it and be held responsible if necessary. (1)

Physical access control

Install a card reader system or something similar that not only restricts people's
access but can also identify the person when access is gained. (1)

Terminals should be locked with a terminal key so that not just anyone can switch the
computer on. (1)

Authorised terminals

Each terminal should only have access to the information and software used by
that specific employee. (1)

Terminals can be set up so that only certain users can log on at that
terminal. (1)

Authorised users

Users should each have a unique user name (1)
and password (see mark allocation below).

The system must then use an authorisation table / matrix to determine the user's rights
and then grant this user access only to certain functions and
information. (1)

The system should keep an activity log of when persons log on to the system,
so that a record can be kept of who logs on when. This log
must be reviewed. (1)

Password control: (Max 5)
- Passwords must be unique. (1)
- Persons should have passwords that are alphanumeric and have at least 5
characters. (1)
- Persons should change their passwords regularly. (1)
- Passwords must not be displayed on screen. (1)
- The choice of password is important – it must not be obvious
or capable of being linked to the user. (1)
- The passwords of persons who resign should be removed from the file.
(1)
- Secrecy of passwords is essential. (1)

The terminal should shut down after 3 unsuccessful access attempts.
(1)

The terminal should log itself out once a number of minutes have passed
since the last activity and require the password to be re-entered
to gain access. (1)

In the event of a security breach the system must shut down automatically. (1)

An exception report should be drawn up of all unsuccessful attempts to
log on, and it must be reviewed by a senior person. (1)

Please contact us if there are any further matters with which we can
assist you.

AVAILABLE 17
MAXIMUM 14
MEMORANDUM FORMAT 1
TOTAL 15


MEMORANDUM

TO: Johann du Plooy
FROM: Mstr_yoda and Partners
RE: Security to protect data
Date

Herewith the suggestions for improvement of the security around your confidential
information.

Security management

A document that clearly stipulates the security policy needs to be created, so that
each employee can sign it and be held responsible if necessary. (1)

Physical access controls

A card reader system or something similar should be installed which can not only
restrict the access of people, but can also identify a person when access is gained.
(2)

Terminals should be locked by a terminal key so that not just anyone can switch the
computer on. (1)

Authorised terminals

Every terminal should only have access to information and software that is used by
that specific employee. (1)

Terminals can be set up to only allow certain users to log on to that terminal. (1)

Authorised users

Users should each have their own unique user name and password. (1)

The system should then use an authorisation table / matrix to ascertain the user's
rights and then allow the user access only to certain functions and information. (1)

The system should keep an activity log when users log on to the system, in order to
keep a record of who logged on when. (1)

Password control: (max 5)
- The password must be unique. (1)
- Persons should have alphanumeric passwords with a minimum number of
characters. (1)
- Persons should regularly change their passwords. (1)
- The password should not be shown on the screen. (1)
- The choice of password is important – it should not be obvious or be linked
to the user. (1)
- All the passwords of persons who leave the company should be
removed from the file. (1)
- Secrecy of the password is imperative. (1)

The terminal should shut down after 3 unsuccessful attempts to access the
system. (1)

The terminal should log itself out after a certain number of minutes has gone by
without any activity. (1)

In the event of security breaches, the system should switch off automatically. (1)

An exception report should be created of all unsuccessful attempts to log on to the
system and it should be reviewed by a senior person. (1)

Please contact us again if there are any further issues which we can assist you with.

AVAILABLE 17
MAXIMUM 14
MEMORANDUM FORMAT 1
TOTAL 15
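
The authorised-terminal, authorisation-matrix, three-attempt shutdown, activity-log and exception-report controls from the memorandum, sketched together as an added example (not part of the original homework or memorandum). The users, terminals, passwords, resources and rights are constructed sample data.

```python
import hashlib
import hmac

MAX_FAILURES = 3  # the memorandum's limit before the terminal shuts down

def _hash(password, salt=b"constructed-salt"):
    # One fixed salt keeps the sample short; real systems use a random salt per user.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (hypothetical users, terminals and rights).
USERS = {"anna": _hash("Tr4vel-desk"), "ben": _hash("S3cure-ops")}
TERMINAL_USERS = {"T1": {"anna"}, "T2": {"ben"}}   # authorised terminals
AUTH_MATRIX = {                                    # authorisation matrix
    "anna": {"bookings": {"read", "write"}},
    "ben": {"bookings": {"read"}, "security_plans": {"read", "write"}},
}

class AccessControl:
    def __init__(self):
        self.activity_log = []  # every log-on attempt: (terminal, user, outcome)
        self.failures = {}      # consecutive failed attempts per terminal
        self.locked = set()     # terminals shut down after MAX_FAILURES

    def log_on(self, terminal, user, password):
        if terminal in self.locked:
            outcome = "terminal_locked"
        elif user not in TERMINAL_USERS.get(terminal, set()):
            outcome = "user_not_authorised_on_terminal"
        elif user in USERS and hmac.compare_digest(USERS[user], _hash(password)):
            outcome = "ok"
        else:
            outcome = "bad_credentials"
        if outcome == "ok":
            self.failures[terminal] = 0
        else:
            self.failures[terminal] = self.failures.get(terminal, 0) + 1
            if self.failures[terminal] >= MAX_FAILURES:
                self.locked.add(terminal)
        self.activity_log.append((terminal, user, outcome))
        return outcome == "ok"

    def may(self, user, resource, action):
        # Default deny: anything absent from the matrix is refused.
        return action in AUTH_MATRIX.get(user, {}).get(resource, set())

    def exception_report(self):
        # Unsuccessful attempts only, for review by a senior person.
        return [entry for entry in self.activity_log if entry[2] != "ok"]
```
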
