COURSE : BBIT
1) (i) What are some examples of security threats that IT professionals commonly
encounter in today's landscape? (6)
Phishing attacks: Attempts to trick individuals into divulging sensitive information
or downloading malicious software through deceptive emails or messages.
Malware infections: Software designed to disrupt, damage, or gain unauthorized
access to computer systems, often spread through malicious links, downloads, or
infected files.
DDoS (Distributed Denial of Service) attacks: Overwhelming a target server or
network with a flood of traffic from multiple sources, rendering it inaccessible to
legitimate users.
Ransomware incidents: Malicious software that encrypts files or locks users out of
their systems, demanding payment (usually in cryptocurrency) for decryption or
restoration.
Insider threats: Risks posed by individuals within an organization who misuse their
access privileges, intentionally or unintentionally, to compromise data or systems.
Data breaches: Unauthorized access to sensitive or confidential information, often
resulting in the exposure or theft of personal or corporate data.
ii) Outline possible repercussions for organizations if they fail to sufficiently mitigate
security threats (6)
Financial Losses: Organizations may incur significant financial losses due to costs
associated with incident response, system repairs, legal fees, regulatory fines, and
compensation for affected parties.
Reputational Damage: Security breaches can tarnish an organization's reputation,
leading to loss of trust among customers, partners, and stakeholders. This can result in
decreased sales, loss of business opportunities, and difficulty in attracting top talent.
Legal Consequences: Failure to adequately protect sensitive data may lead to legal
liabilities, lawsuits, and regulatory penalties for non-compliance with data protection
laws such as GDPR, HIPAA, or CCPA.
Operational Disruption: Security incidents can disrupt normal business operations,
causing downtime, loss of productivity, and delays in delivering products or services
to customers.
Intellectual Property Theft: Unauthorized access to intellectual property or trade
secrets can result in competitive disadvantage, loss of market share, and erosion of
innovation.
Long-term Business Impact: Persistent security issues may lead to erosion of market
position, diminished investor confidence, and even potential business failure if not
effectively addressed, impacting the organization's long-term viability and
sustainability.
2) Explain the key professional issues faced by the IT industry in Kenya and the
world at large (10)
Skills Gap: There's a shortage of skilled IT professionals, both in technical and soft
skills, hindering the industry's growth and innovation.
Talent Retention: High demand for IT talent leads to increased competition among
employers, making talent retention a challenge, particularly in the face of attractive
opportunities abroad.
Data Collection and Transparency: Balancing the need for transparency and access
to information with individuals' right to control their personal data, especially in cases
where sensitive information is collected and shared without consent.
Data Retention and Access: Resolving tensions between retaining data for legitimate
purposes such as law enforcement or research, while ensuring individuals' rights to
have their data deleted or anonymized to protect their privacy.
Public Interest vs. Personal Privacy: Weighing the public interest in accessing
certain information, such as government records or corporate data, against individuals'
rights to privacy and protection from unwarranted intrusion.
4) How do the ethical principles outlined in the ACM Code of Ethics and
Professional Conduct shape behavior and professional responsibilities within
the field of computing? (5)
Providing Guidelines: The Code sets out general ethical principles (such as
contributing to society, avoiding harm, being honest and trustworthy, and respecting
privacy and confidentiality) together with specific professional responsibilities,
giving computing professionals a shared reference for ethical decision-making when
they face conflicting obligations or complex ethical dilemmas.
5). Describe the laws or principles governing the protection of Information (5)
General Data Protection Regulation (GDPR): A comprehensive European Union
regulation that governs the collection, processing, and storage of personal data of
individuals within the EU, emphasizing principles such as consent, transparency, and
data minimization.
Health Insurance Portability and Accountability Act (HIPAA): U.S. legislation
that sets standards for the protection of protected health information (PHI) and
obliges covered entities (healthcare providers, health plans and clearinghouses) and
their business associates to safeguard PHI through administrative, physical and
technical controls.
California Consumer Privacy Act (CCPA): California state law that grants
consumers greater control over their personal information held by businesses,
requiring transparency about data practices, opt-out options, and safeguards against
unauthorized access or disclosure.
Principle of Confidentiality: A fundamental ethical principle that requires
professionals to maintain the confidentiality of sensitive information entrusted to
them, prohibiting unauthorized access, use, or disclosure.
ISO/IEC 27001: An international standard specifying requirements for establishing,
implementing, maintaining, and continually improving an information security
management system (ISMS), providing a framework for organizations to manage
information security risks effectively.
6). Give four general rules that must be observed to keep within the Law when working
with Data and information (4 marks)
Obtain Consent: Ensure that individuals have given clear and explicit consent for the
collection, processing, and sharing of their personal data, adhering to relevant data
protection regulations such as GDPR or CCPA.
Limit Data Collection: Collect only the data that is necessary for the intended
purpose and refrain from collecting excessive or irrelevant information to minimize
privacy risks and legal liabilities.
Protect Data Security: Implement appropriate security measures to safeguard data
against unauthorized access, disclosure, alteration, or destruction, maintaining
compliance with industry standards and regulations such as ISO/IEC 27001.
Respect Data Retention Limits: Adhere to legal requirements and best practices
regarding the retention and disposal of data, ensuring that data is retained only for as
long as necessary and securely disposed of when no longer needed.
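As an added illustration of the "limit data collection" and "respect data retention limits" rules (example code written for this page, not part of the original answers): a small policy-enforcement routine that drops fields a purpose does not justify, refuses records that lack required consent, and deletes or anonymises records once they pass their retention period. The policy table, the purposes, the retention periods and the sample records are all assumptions made for the example.

```python
from datetime import date

# Hypothetical policy table (an assumption for this example, not from the page):
# for each purpose, the fields a record may hold (minimisation), how long it is
# kept (retention), what happens at expiry, and whether consent is a precondition.
POLICY = {
    "order_fulfilment": {"fields": {"name", "address", "email"}, "retain_days": 365,
                         "on_expiry": "delete", "needs_consent": False},
    "marketing":        {"fields": {"email"}, "retain_days": 180,
                         "on_expiry": "delete", "needs_consent": True},
    "service_analytics": {"fields": {"email", "country", "plan"}, "retain_days": 90,
                          "on_expiry": "anonymise", "needs_consent": False},
}
# Fields that identify a person directly; stripped when a record is anonymised.
DIRECT_IDENTIFIERS = {"name", "email", "address", "phone", "national_id"}


def minimise(record):
    """Drop every field the record's purpose does not justify collecting."""
    allowed = POLICY[record["purpose"]]["fields"]
    return {**record, "data": {k: v for k, v in record["data"].items() if k in allowed}}


def anonymise(record):
    """Remove direct identifiers so the remainder can be kept for statistics only."""
    return {**record, "anonymised": True,
            "data": {k: v for k, v in record["data"].items() if k not in DIRECT_IDENTIFIERS}}


def decide(record, today):
    """Return 'reject', 'keep', 'delete' or 'anonymise' for a record as of `today`."""
    rule = POLICY[record["purpose"]]
    if rule["needs_consent"] and not record.get("consent", False):
        return "reject"                      # never store what was not consented to
    age_days = (today - record["collected_on"]).days
    return rule["on_expiry"] if age_days > rule["retain_days"] else "keep"


def enforce(records, today):
    """Apply the policy to a batch; returns the records to retain and an audit trail."""
    retained, audit = [], []
    for r in records:
        action = decide(r, today)
        audit.append((r["id"], action))
        if action in ("reject", "delete"):
            continue                         # nothing of this record is stored
        r = minimise(r)
        if action == "anonymise":
            r = anonymise(r)
        retained.append(r)
    return retained, audit


# Constructed sample records (fictional people and dates).
SAMPLE_RECORDS = [
    {"id": 1, "purpose": "order_fulfilment", "consent": False, "collected_on": date(2024, 1, 10),
     "data": {"name": "A. Otieno", "address": "Nairobi", "email": "a@example.com",
              "phone": "+254700000000"}},                       # phone is not justified
    {"id": 2, "purpose": "marketing", "consent": False, "collected_on": date(2024, 5, 20),
     "data": {"email": "b@example.com"}},                       # no consent
    {"id": 3, "purpose": "marketing", "consent": True, "collected_on": date(2023, 10, 1),
     "data": {"email": "c@example.com"}},                       # past 180 days
    {"id": 4, "purpose": "service_analytics", "consent": False, "collected_on": date(2024, 1, 1),
     "data": {"email": "d@example.com", "country": "KE", "plan": "pro"}},   # past 90 days
    {"id": 5, "purpose": "service_analytics", "consent": False, "collected_on": date(2024, 5, 1),
     "data": {"email": "e@example.com", "country": "KE", "plan": "free"}},  # still fresh
]

if __name__ == "__main__":
    kept, audit = enforce(SAMPLE_RECORDS, today=date(2024, 6, 1))
    for rid, action in audit:
        print(rid, action)
    for r in kept:
        print(r["id"], r["data"])
```

Run against a snapshot date of 2024-06-01, record 1 is kept with its unjustified phone number dropped, record 2 is rejected for lack of consent, record 3 is deleted, record 4 is reduced to country and plan, and record 5 is kept as-is. The audit trail is what a practitioner would hand to an auditor to show the retention rules were actually applied.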
7). What role do IT professionals play in identifying and responding to potential
cybersecurity breaches, as exemplified by the situation faced by XYZ Corporation's IT
security team during the routine security audit? (5)
Conducting Regular Audits: Performing routine security audits to identify
vulnerabilities, assess the effectiveness of existing security measures, and track
remediation of the findings.
Monitoring Systems: Continuously monitoring network traffic, system logs, and
security alerts for any suspicious activities or anomalies that may indicate a
cybersecurity breach.
Implementing Security Measures: Deploying and maintaining robust cybersecurity
measures, such as firewalls, intrusion detection systems, and encryption protocols, to
prevent and detect potential breaches.
Incident Response: Developing and implementing incident response plans to swiftly
respond to cybersecurity incidents, including containment, investigation, and
mitigation of the breach to minimize damage and restore normal operations.
Collaboration and Communication: Collaborating with internal teams, external
stakeholders, and law enforcement agencies to coordinate response efforts and share
information about emerging threats and best practices for cybersecurity defense.
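The "monitoring systems" role above, as an added example (not from the original page and not code from any XYZ Corporation system): a detector that reads OpenSSH-style authentication log lines, counts failed logins per source IP inside a sliding window, and escalates when a burst of failures is followed by a successful login from the same address. The sample log lines, the thresholds and the assumed log year are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog format (not taken from any real system).
# 203.0.113.45 hammers admin/root and then gets in; 198.51.100.7 is a normal user.
SAMPLE_LOG = """\
Mar 12 09:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 09:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 12 09:14:05 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 12 09:14:07 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 12 09:14:09 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 12 09:14:12 web01 sshd[2213]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Mar 12 09:20:30 web01 sshd[2310]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Mar 12 09:20:45 web01 sshd[2311]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Mar 12 09:21:00 web01 systemd[1]: Started Daily apt activities.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Detection thresholds (tunable assumptions, not values from the page).
FAIL_THRESHOLD = 5              # failures from one source IP ...
WINDOW = timedelta(minutes=2)   # ... inside this sliding window


def parse_line(line, year=2024):
    """Return a dict for sshd auth events, None for any other line.
    syslog timestamps carry no year, so the caller supplies one (assumed 2024)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window brute-force detector keyed on source IP.
    Emits a medium alert once `threshold` failures land inside `window`, and a
    high alert if the same IP then authenticates successfully within `window`
    of its last failure (a burst of failures followed by success)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])          # log lines are not always in order
    failures = defaultdict(list)                # ip -> timestamps of recent failures
    users_tried = defaultdict(set)              # ip -> usernames attempted
    flagged = set()                             # ips already alerted on
    alerts = []
    for e in events:
        recent = failures[e["ip"]]
        if e["outcome"] == "Failed":
            recent.append(e["ts"])
            users_tried[e["ip"]].add(e["user"])
            while recent and e["ts"] - recent[0] > window:   # expire old failures
                recent.pop(0)
            if len(recent) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append({
                    "severity": "medium", "ip": e["ip"],
                    "reason": f"{len(recent)} failed logins between "
                              f"{recent[0]:%H:%M:%S} and {e['ts']:%H:%M:%S}",
                    "users": sorted(users_tried[e["ip"]]),
                })
        elif e["ip"] in flagged and recent and e["ts"] - recent[-1] <= window:
            alerts.append({
                "severity": "high", "ip": e["ip"],
                "reason": f"successful login as {e['user']} at {e['ts']:%H:%M:%S} "
                          f"right after a brute-force burst",
                "users": sorted(users_tried[e["ip"]]),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity'].upper()}] {a['ip']}: {a['reason']} "
              f"(users tried: {', '.join(a['users'])})")
```

On the sample, the medium alert fires at the fifth failure from 203.0.113.45 and the high alert three seconds later when the root login succeeds; alice's single typo followed by a key-based login produces nothing. The high alert is the one that should open an incident: it is the point at which monitoring hands over to the incident-response step described above (containment of the host, review of what root did after 09:14:12).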
8). List prominent professional bodies and organizations in Kenya related to the field of
computing and information technology (3 marks).
Computer Society of Kenya (CSK): A professional association dedicated to
advancing the practice of computing and promoting excellence in the field of
information and communication technology (ICT) in Kenya.
Information Communication Technology Association of Kenya (ICTAK): An
organization that represents the interests of ICT professionals and practitioners in
Kenya, advocating for the development and adoption of ICT solutions for
socioeconomic development.
Kenya ICT Action Network (KICTANet): A multi-stakeholder platform that
facilitates dialogue, collaboration, and policy advocacy on ICT-related issues in
Kenya, promoting an inclusive and sustainable ICT ecosystem.