Integrate IT Security Assessment (docx)
School: TAFE NSW - Sydney Institute
Course: ICT50818
Subject: Information Systems
Date: Jan 9, 2024
Pages: 21
Uploaded by AdmiralPheasantPerson135
Integrate IT security and
sustainability to project
specification
Assessment 1 – Case Study & Questioning
ASSESSMENTS #1
TASK A: ITS SECURITY REQUIREMENTS
Task A1: IT Security Requirements for Herriard IT System
These are comprehensive IT security requirements:
● Access control requirements
Access control systems perform identification, authentication and authorization of users and entities by evaluating required login credentials, which can include passwords, personal identification numbers (PINs), biometric scans, security tokens or other authentication factors. All staff should follow the Role-Based Access Control (RBAC) rules and are responsible for their access security.
● Database system security requirements
1. Physical database integrity. The data of a database are immune to physical problems, such as power failures, and someone can reconstruct the database if it is destroyed through a catastrophe.
2. Logical database integrity. The structure of the database is preserved. With logical integrity of a database, a modification to the value of one field does not affect other fields, for example:
* Access control. A user is allowed to access only authorized data, and different users can be restricted to different modes of access (such as read or write).
* User authentication. Every user is positively identified, both for the audit trail and for permission to access certain data.
* Availability. Users can access the database in general and all the data for which they are authorized.
* Element integrity. The data contained in each element are accurate.
* Auditability. It is possible to track who or what has accessed or modified the elements in the database.
● Employ a firewall and/or intrusion prevention system (IPS) solution
This system often acts as a first line of defence for your network by controlling what data enters or leaves your network and helping to monitor, log and report malicious activity.
● Maintain up-to-date virus security software and definitions
● Hire a skilled IT Security and Networking Engineer
● Use a hosted DNS solution to protect against malware downloads
A Domain Name System (DNS) security solution can help limit the risk of unauthorized entry by proactively blocking the resolution of known bad domains.
● Have a comprehensive reporting solution for both network management and security review
● Follow international standards such as ISO/IEC 27001 - Information security management
Task A2 : The components that are missing in Herriard IT System and its impacts
In my experience, web servers and applications that have been misconfigured are way more common than those that have been configured properly. Some examples:
1. Debugging functions may be enabled or administrative functions are accessible to anonymous users.
2. Running the application with debugging enabled in production.
3. Having directory listing enabled on the server, which leaks valuable information.
4. Running outdated software (think WordPress plugins, old phpMyAdmin).
5. Having unnecessary services running on the machine.
6. Not changing default keys and passwords.
7. Revealing error handling information to attackers, such as stack traces.
8. Broken authentication. This is a collection of multiple problems that might occur during broken authentication, but they don’t all stem from the same root cause.
9. Failure to fully lock down or harden the server can leave improperly set file and directory permissions.
10. SSL vulnerabilities such as misconfigured certificates and encryption settings, the use of default certificates, and improper authentication implementation with external systems all have the potential to compromise the confidentiality of information.
All of these server misconfigurations and missing components can be used by attackers to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges, and could result in Herriard IT credentials being disclosed to another company or an attacker.
TASK A3: Identify related or relevant privacy legislation
The personal information or sensitive information of the stakeholders should be handled in accordance with the appropriate rules and regulations. Assuming they implement an e-commerce site, the system will obtain, record and use personal information of members and clients for various operations of the business. Because some or all of this information is predominantly personal information, steps need to be taken to ensure the system adequately protects the privacy of the users and their personal information.
Information privacy law or data protection laws prohibit the disclosure or misuse of information about private individuals. The Privacy Act of 1974 required the establishment of a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies.
The Privacy Act 1988, 13B - Related bodies corporate, also states:
● The collection of personal information (other than sensitive information) about the individual by the body corporate from a related body corporate
● The disclosure of personal information (other than sensitive information) about the individual by the body corporate to a related body corporate.
Reference
https://www.legislation.gov.au/Details/C2019C00025
TASK A4: Identify industry standards for IT security
Herriard is based in Australia, so which Information Security Standard should they follow?
Information Technology Standards (cyber security standards) are techniques generally set forth in published materials that attempt to protect the cyber environment of a user or organization. This environment includes users themselves, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. The principal objective is to reduce the risks, including prevention or mitigation of cyber-attacks. These published materials consist of collections of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies.
Reference
https://en.wikipedia.org/wiki/Cyber_security_standards
In Australia, the Australian Government's ISM is the standard that governs the security of government ICT systems. The following 6 cyber security standards should be known:
1. The Australian Signals Directorate’s Top Four Mitigation Strategies to Protect Your ICT System
The Australian Signals Directorate (ASD) is the Commonwealth’s peak advisory body on cyber security. Its 2012 publication, Top four mitigation strategies to protect your ICT system, sets out four cyber security strategies which it says, if implemented, can address up to 85% of targeted cyber intrusions. The Top four mitigation strategies to protect your ICT system are a subset of a wider suite of ASD’s published cyber security strategies.
2. The Australian Government Cyber Security Operations Centre’s Questions Senior Management Need to Be Asking about Cyber Security
The Cyber Security Operations Centre (CSOC) is a joint agency under the responsibility of the Commonwealth Attorney-General and the Minister for Defence.
3. ASIC’s Cyber Resilience: Health Check (ASIC Report 429)
For directors and officers of corporations and other ASIC regulated entities, this guidance from the regulator should be compulsory reading. The Cyber Resilience: Health Check (ASIC Report 429) contains a number of ‘Health Check Prompts’ which provide useful guidance as to the questions directors and officers can ask in assessing their organisation’s awareness of and preparedness for cyber security issues.
4. The Office of the Australian Information Commissioner’s Guide to Securing Personal Information – ‘Reasonable Steps’ To Protect Personal Information
The Privacy Act 1988 (Cth) requires regulated entities to ‘take such steps as are reasonable in the circumstances’ to protect personal information from misuse, interference and loss; and from unauthorised access, modification or disclosure (Australian Privacy Principle (APP) no. 11). But what constitutes ‘such steps as are reasonable in the circumstances’?
The OAIC’s Guide to securing personal information – ‘reasonable steps’ to protect personal information provides useful information and should be read in conjunction with the other documents referred to in this article.
5. The Payment Card Industry’s Data Security Standard (DSS): Requirements and Security Assessment Procedures
If your organisation processes card payments, it should comply with the PCI Data Security Standard (DSS): Requirements and Security Assessment Procedures. If your organisation outsources card payment processing, your outsourced service provider should comply with this standard.
6. ISO/IEC Standards
The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) publish a number of standards used across the IT industry, including specific standards relating to IT security. The key IT and cyber security standards are the ISO 27000 series. These are highly technical and detailed publications and it is not suggested that directors and officers become experts in these standards and their implementation. However, directors and officers can ask whether their organisation, its suppliers and third party products and services are compliant with applicable ISO/IEC standards such as ISO 27000. Such compliance will not be necessary or appropriate in all cases, but asking these questions may serve as a useful prompt for a discussion with your IT manager or CIO about whether you, your suppliers and third party products are or should be ISO/IEC compliant.
Reference
https://www.maddocks.com.au/six-cyber-security-standards-need-know-youre-company-director-board-member/
TASK B: RISK ANALYSIS
TASK B1: The different threats and its categorisation
There are several kinds of threats to IT security, including to the Herriard IT system. Threats can be classified according to their type and origin:
● Types of threats:
  ● Physical damage: fire, water, pollution
  ● Natural events: climatic, seismic, volcanic
  ● Loss of essential services: electrical power, air conditioning, telecommunication
  ● Compromise of information: eavesdropping, theft of media, retrieval of discarded materials
  ● Technical failures: equipment, software, capacity saturation
  ● Man-made: error in use, abuse of rights, denial of actions
Note that a threat type can have multiple origins.
● Origins of threats:
  ● Deliberate: aiming at information assets
    ● Spying or hacking
    ● Illegal processing of data
  ● Accidental
    ● Equipment failure
    ● Software failure
  ● Environmental
    ● Natural event
    ● Loss of power supply
  ● Negligence: known but neglected factors, compromising the network safety and sustainability.
TASK B2: The Security Measurement
To minimise the risk for Herriard, we need to analyse risks well, accept risks where appropriate and use appropriate solutions. The security measures include anti-virus, firewall, backup and recovery plan, power failure protection, password protection, etc.
7 security measures should be used by Herriard:
1. SSH Keys
SSH keys are a pair of cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins. A private and public key pair are created prior to authentication. The private key is kept secret and secure by the user, while the public key can be shared with anyone.
2. Firewalls
A firewall is a piece of software (or hardware) that controls what services are exposed to the network. This means blocking or restricting access to every port except for those that should be publicly available.
Firewalls are an essential part of any server configuration. Even if your services themselves implement security features or are restricted to the interfaces you'd like them to run on, a firewall serves as an extra layer of protection.
3. VPNs and Private Networking
Private networks are networks that are only available to certain servers or users. For example, DigitalOcean private networks enable isolated communication between servers in the same account or team within the same region.
A VPN, or virtual private network, is a way to create secure connections between remote computers and present the connection as if it were a local private network. This provides a way to configure your services as if they were on a private network and connect remote servers over secure connections.
4. Public Key Infrastructure and SSL/TLS Encryption
Public key infrastructure, or PKI, refers to a system that is designed to create, manage, and validate certificates for identifying individuals and encrypting communication. SSL or TLS certificates can be used to authenticate different entities to one another. After authentication, they can also be used to establish encrypted communication.
5. Service Auditing
Service auditing is a process of discovering what services are running on the servers in your infrastructure. Often, the default operating system is configured to run certain services at boot. Installing additional software can sometimes pull in dependencies that are also auto-started.
6. File Auditing and Intrusion Detection Systems
File auditing is the process of comparing the current system against a record of the files and file characteristics of your system when it is in a known-good state. This is used to detect changes to the system that may have been authorized.
7. Isolated Execution Environments
Isolating execution environments refers to any method in which individual components are run within their own dedicated space.
With the above solutions, we can minimise the risk for Herriard effectively.
https://www.digitalocean.com/community/tutorials/7-security-measures-to-protect-your-servers
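As an added illustration of the file auditing described in measure 6 (example code written for this page, not taken from the DigitalOcean tutorial or from Herriard's system), the script below builds a known-good baseline of file hashes and permission bits and reports what has drifted. The file paths and contents are constructed samples; `snapshot_tree` shows how the same baseline would be taken from a real directory.

```python
import hashlib
import os
import stat
from typing import Dict, List, Tuple

# One record per file: a content hash plus the permission bits, so a chmod to
# world-writable is caught even when the content is unchanged.
Record = Dict[str, object]
Baseline = Dict[str, Record]


def fingerprint(data: bytes, mode: int) -> Record:
    """Hash the content and keep the permission bits (setuid/setgid/sticky included)."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "mode": format(stat.S_IMODE(mode), "04o"),
        "size": len(data),
    }


def snapshot_from_memory(files: Dict[str, Tuple[bytes, int]]) -> Baseline:
    """Baseline from an in-memory {path: (content, mode)} map; used for the constructed sample."""
    return {path: fingerprint(data, mode) for path, (data, mode) in files.items()}


def snapshot_tree(root: str) -> Baseline:
    """Baseline from a real directory tree; paths are stored relative to root."""
    baseline: Baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # audit the link target where it actually lives
            with open(full, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(data, os.stat(full).st_mode)
    return baseline


def compare(known_good: Baseline, current: Baseline) -> Dict[str, List[str]]:
    """List paths added, removed or changed since the known-good snapshot.
    A path counts as modified when either its hash or its permission bits differ."""
    added = sorted(set(current) - set(known_good))
    removed = sorted(set(known_good) - set(current))
    modified = sorted(
        path
        for path in set(known_good) & set(current)
        if known_good[path]["sha256"] != current[path]["sha256"]
        or known_good[path]["mode"] != current[path]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def explain(known_good: Baseline, current: Baseline, path: str) -> str:
    """Describe what changed on a modified path, for an operator-facing alert."""
    before, after = known_good[path], current[path]
    reasons = []
    if before["sha256"] != after["sha256"]:
        reasons.append("content changed")
    if before["mode"] != after["mode"]:
        reasons.append("mode %s -> %s" % (before["mode"], after["mode"]))
    return "%s: %s" % (path, ", ".join(reasons))


# Constructed sample: the known-good state of three files on a server.
KNOWN_GOOD_FILES: Dict[str, Tuple[bytes, int]] = {
    "etc/ssh/sshd_config": (b"PermitRootLogin no\nPasswordAuthentication no\n", 0o644),
    "etc/sudoers": (b"root ALL=(ALL) ALL\n", 0o440),
    "usr/local/bin/backup.sh": (b"#!/bin/sh\ntar czf /backup/site.tgz /var/www\n", 0o755),
}

# Constructed sample: the same host later. sshd_config was edited, the backup
# script was made world-writable, sudoers is gone and a new script appeared.
CURRENT_FILES: Dict[str, Tuple[bytes, int]] = {
    "etc/ssh/sshd_config": (b"PermitRootLogin yes\nPasswordAuthentication no\n", 0o644),
    "usr/local/bin/backup.sh": (b"#!/bin/sh\ntar czf /backup/site.tgz /var/www\n", 0o777),
    "tmp/update.sh": (b"#!/bin/sh\necho not in the baseline\n", 0o755),
}


def audit_sample() -> Dict[str, List[str]]:
    """Compare the two constructed snapshots and return the drift report."""
    return compare(snapshot_from_memory(KNOWN_GOOD_FILES), snapshot_from_memory(CURRENT_FILES))


if __name__ == "__main__":
    known = snapshot_from_memory(KNOWN_GOOD_FILES)
    now = snapshot_from_memory(CURRENT_FILES)
    report = compare(known, now)
    for p in report["modified"]:
        print("MODIFIED", explain(known, now, p))
    for p in report["added"]:
        print("ADDED   ", p)
    for p in report["removed"]:
        print("REMOVED ", p)
```

In practice the baseline should be stored off the audited host (or signed), since an intruder who can rewrite files can also rewrite a baseline kept beside them.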
TASK B3: The Costs
The IT Herriard System should be aware of some costs for the IT security measures as below:
1. Password Protection would be costless because it will be the responsibility of one of the IT Admin Specialists.
2. Software Update will be free if the Herriard Company buys the software as a fully licensed version.
3. Firewall. To make a secure network environment, we are about to use a Raptor firewall, and here’s an outline of the major cost areas: Software, Hardware, Personnel, Training, Extras.
Raptor Firewall NT v6.5 with virtual private network (VPN module) and unlimited mobile users is $17,579. Standard maintenance contract is $1,194.
The following are some other firewall best offers for 3 PCs.
Name                    Price     Best Offer
Bitdefender (per year)  $59.99    $39.98
Norton (per year)       $144.99   $99.99
Bullguard (per year)    $89.95    $35.98
McAfee (per year)       $109.95   $39.95
Kaspersky (per year)    $59.99    $29.99
4. AntiVirus. The prices of some antivirus software are listed below.
5. Backup and Recovery Plan. Barracuda offers an inexpensive Cloud data and system recovery plan at AUD50/month for data up to 200GB.
IBM Spectrum Protect Plus - Starting at A$74.88 per 10 managed VMs or per TB
TASK C: IT SECURITY POLICY AND OPERATIONAL PROCEDURES
TASK C1: Review Feedback
The Formatting Wrong Disk threat is caused by Administrator or User Error, and sometimes by an unauthorised person. Here are some control methods for this threat:
1. Initial Backup or Initial Cloud Computing Backup. Make sure to copy all the data to another disk or upload it to the Cloud, and record the history of every action taken in advance.
2. Each user’s actions should be controlled and supervised by the IT department to monitor, review and recognise any incorrect progress or improper actions.
3. The documents should be protected and locked properly, with frequent checks and reviews to make sure that only the Admin has access to the password (User Role Permissions).
4. Intrusion Detection System (IDS). Any malicious activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system.
TASK C2: IT Security Policy and Procedure elements
Regarding ISO/IEC 17799, IT Herriard Security still lacks some elements, which are:
● Access control (Business requirements of access control, User access management & responsibilities, System and application access control);
● Asset management (Responsibility for assets, Information classification & Media handling);
● Cryptography (Cryptographic controls);
● Human resources security (Prior to employment, During employment, Termination and change of employment);
● Physical and environmental security (Secure areas & ICT equipment);
● Communications security (Network security management & Information transfer);
● Systems acquisition, development and maintenance (Security requirements of information systems, Security in development and support processes, Test data);
● Operations security (Operational procedures and responsibilities, Protection from malware, Backup, Logging and monitoring, Control of operational software, Technical vulnerability management & Information systems audit considerations);
● Information security incident management;
● Information security aspects of business continuity management (Information security continuity, Redundancies).
TASK C3: Ensure Confidentiality
To ensure confidentiality of staff’s personal files or work, some actions should be taken:
1. Secure Sockets Layer (SSL) is recommended to be used, which is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers or clients.
Normally, data sent between browsers and web servers is sent in plain text, which is vulnerable to eavesdropping. If an attacker is able to intercept all data being sent between a browser and a web server, they can see and use that information. SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely.
2. Ensuring Confidentiality Actions
Password protected documents - You can protect a sensitive or confidential document by using a password to help prevent others from changing or even opening your document. You can help prevent unauthorized users from opening a document or from modifying a document even if they have permission to open it.
Secure Wireless Transmissions - This refers to the transfer of data such as confidential or proprietary information over a secure channel. Many secure transmission methods require a type of encryption. The most common email encryption is called PKI.
TASK D: Develop Components
Consider Herriard Pty LTD’s “Sales Processing” system. They want to automate the sales
process and develop a system/software to do that.
As an Analyst, define and draw the components which will represent the development project
specification.
Task E: Prepare action diagrams
Draw an activity diagram for Herriard Pty LTD’s “Sales Processing” system
Task F: Interaction diagram
To develop an interaction (collaboration) diagram which form of Interaction will you use?
A collaboration diagram, also called a communication diagram or interaction diagram, is an illustration of the relationships and interactions among software objects in the Unified Modelling Language (UML). It is used to show how objects interact to perform the behaviour of a particular use case, or a part of a use case. Along with sequence diagrams, collaboration diagrams are used by designers to define and clarify the roles of the objects that perform a particular flow of events of a use case. They are the primary source of information used to determine class responsibilities and interfaces.
A collaboration between objects working together provides emergent desirable functionalities in object-oriented systems. Each object (responsibility) partially supports emergent functionalities. Objects are able to produce (usable) high-level functionalities by working together. Objects collaborate by communicating (passing messages) with one another in order to work together.
https://www.visual-paradigm.com/guide/uml-unified-modeling-language/what-is-uml-collaboration-diagram/
A collection of messages is known as an interaction and a collection of stimuli is known as an interaction instance. An interaction is said to occur within the context of a collaboration because an interaction is a subset of the contents of a collaboration; and an interaction instance is said to occur within the context of a collaboration instance because an interaction instance is a subset of the contents of a collaboration instance. The ensemble of instances and links that collaborate form a collaboration instance set, and the stimuli they exchange form an interaction instance set.
There are two forms used to show an interaction: an interaction has a generic form and an instance form. A generic-form and an instance-form sequence diagram depict an interaction among classifiers or instances that conform to the classifier roles in the interaction, messages or stimuli that conform to the messages in the interaction, and additional classifiers or instances as necessary. A generic-form sequence diagram describes two or more possible sequences of interaction, but an instance-form sequence diagram describes one actual sequence of interaction.
Generic-form interaction
A generic-form interaction describes two or more possible sequences of interaction. It shows two or more possible sequences of message or stimuli exchanges using repetition and conditionality:
Repetition
Involves repeating a set of messages or stimuli, for example, repeating the set of messages or stimuli in steps 6a and 6b of the interaction and collaboration description to generate the project-status report.
Conditionality
Involves communicating one set of messages or stimuli rather than another set of messages or stimuli, for example, conditionally performing step 5 or 6 of the interaction and collaboration description to generate the project-status report.
Instance-form interaction
An instance-form interaction, also called an individual behaviour sequence or specific scenario, describes one actual sequence of interaction consistent with its generic-form interaction. It shows one actual sequence of message or stimuli exchanges without any repetition or conditionality. For example, generating a specific project-status report that contains exactly three workers, each with two units of work and one work product. Rather than showing repetition and conditionality as in a generic-form interaction, instance-form interactions show the actual set of messages or stimuli that are repeated and the set of messages or stimuli that are communicated for specific conditions.
Reference:
1. Sinan Si Alhir, Guide to Applying the UML, page 278, from https://books.google.com.au/books?id=efJG8-pRph0C&pg=PA278&lpg=PA278&dq=Generic-form+interaction&source=bl&ots=D7cvXWApIG&sig=ACfU3U0-AjMT_IBUHmVzMDKQ2fbT85mBug&hl=zh-TW&sa=X&ved=2ahUKEwju07yx4I3kAhVGWisKHQpjDLoQ6AEwDHoECAkQAQ#v=onepage&q=Generic-form%20interaction&f=false
2. eTutorials.org, 6.3 Interactions and Collaborations, from http://etutorials.org/Programming/Learning+uml/Part+III+Behavioral+Modeling/Chapter+6.+Sequence+and+Collaboration+Diagrams/6.3+Interactions+and+Collaborations/
Task G: Review
What are the types of testing you will do for this software development? What initial test criteria will you recommend for the system?
1. There are several types of testing for software development, such as:
Unit Testing - a level of software testing where individual units/components of a software are tested. The purpose is to validate that each unit of the software performs as designed. A unit is the smallest testable part of any software. It usually has one or a few inputs and usually a single output.
Functional Testing - a type of software testing whereby the system is tested against the functional requirements/specifications. Functions (or features) are tested by feeding them input and examining the output. Functional testing ensures that the requirements are properly satisfied by the application.
Integration Testing - a level of software testing where individual units are combined and tested as a group. The purpose of this level of testing is to expose faults in the interaction between integrated units. Test drivers and test stubs are used to assist in Integration Testing.
User Acceptance Testing (UAT) - also known as beta or end-user testing, is defined as testing the software by the user or client to determine whether it can be accepted or not. This is the final testing performed once the functional, system and regression testing are completed.
System Testing - a level of software testing where a complete and integrated software is tested. The purpose of this test is to evaluate the system's compliance with the specified requirements. Definition by ISTQB.
Sanity Testing - a subset of regression testing, performed when we do not have enough time for full testing. Sanity testing is surface-level testing where a QA engineer verifies that all the menus, functions and commands available in the product and project are working fine.
Smoke Testing - also known as “Build Verification Testing”, is a type of software testing that comprises a non-exhaustive set of tests that aim at ensuring that the most important functions work. The result of this testing is used to decide if a build is stable enough to proceed with further testing.
Interface Testing - defined as a software testing type which verifies whether the communication between two different software systems is done correctly. A connection that integrates two components is called an interface.
Regression Testing - defined as a type of software testing to confirm that a recent program or code change has not adversely affected existing features. Regression Testing is nothing but a full or partial selection of already executed test cases which are re-executed to ensure existing functionalities work fine.
2. In this case, I will recommend Functional Testing, Integration Testing or User Acceptance Testing.
Functional Testing typically involves 6 steps:
1. The identification of functions that the software is expected to perform
2. The creation of input data based on the function's specifications
3. The determination of output based on the function's specifications
4. The execution of the test case
5. The comparison of actual and expected outputs
6. Checking whether the application works as per the customer's needs.
Integration Testing
There are some approaches to doing integration testing:
1. Big Bang is an approach to Integration Testing where all or most of the units are combined together and tested at one go. This approach is taken when the testing team receives the entire software in a bundle. So what is the difference between Big Bang Integration Testing and System Testing? Well, the former tests only the interactions between the units while the latter tests the entire system.
2. Top Down is an approach to Integration Testing where top-level units are tested first and lower-level units are tested step by step after that. This approach is taken when a top-down development approach is followed. Test Stubs are needed to simulate lower-level units which may not be available during the initial phases.
3. Bottom Up is an approach to Integration Testing where bottom-level units are tested first and upper-level units step by step after that. This approach is taken when a bottom-up development approach is followed. Test Drivers are needed to simulate higher-level units which may not be available during the initial phases.
4. Sandwich/Hybrid is an approach to Integration Testing which is a combination of the Top Down and Bottom Up approaches.
User Acceptance Testing (UAT)
There are 5 steps for UAT:
1. Planning
2. Execution
3. Documentation
4. Evaluation
5. Reporting & Lessons Learned
As with almost any technical process, software testing has a prescribed order in which things should be done. Different levels of testing are used in the testing process; each level of testing aims to test different aspects of the system. The following is a list of software testing categories arranged sequentially.
The initial test criteria or entry criteria for system testing are listed below:
● Unit Testing should be finished.
● Integration of modules should be fully completed.
● As per the specification document, software development is completed.
● A testing environment is available for testing (similar to a Staging environment).
Reference:
http://www.softwaretestingclass.com/system-testing-what-why-how/
Task H: Multiple choice Questions:
1) Which of the following is not a goal of environmental science? a) learn how nature works b) learn how the environment affects us c) learn how to deal with environmental problems d) learn how to live more sustainably e) learn how to persuade politicians to enact sustainability legislation
2) Ecology is the study of a) plants. b) animals. c) global climate change. d) relationships between organisms and their environment. e) the chemistry of living things.
3) Which of the following uses alternative renewable energy? a) Electricity from coal mining b) The Energizer Bunny c) Electricity from photovoltaic (PV) cells d) Electricity from heat and steam from nuclear reactors
4) How much trash does the average person send to the landfill annually? a) 500 pounds b) 700 pounds c) 1,500 pounds d) 1 million pounds
5) Recycling one aluminum can saves enough money to run a personal computer for: a) 3 seconds b) 30 minutes c) 3 hours d) 3 years
6) Substitute a compact fluorescent light for a traditional bulb and it would keep ____ of CO2 out of the atmosphere over the life of the bulb. a) 100 tons b) Half a ton c) 100 pounds d) 1 pound
7) How much paper does the average government employee use each year? a) 10,000 pounds b) 4 tons c) 100,000 pounds d) 1,000 pounds
8) Which of the following explains Statutory Requirements? a) a system followed by an organisation to meet its administrative policies and procedures b) helps an organization to improve how it conducts its functions and activities c) to reduce overall costs, provide more efficient use of resources d) None of the above
9) What are the benefits of a Security Framework? a) Consistent b) Robust c) Maintained d) All of the above
10) Which of the following is not an integrity property of a Database System? a) Auditability, identifying the element modifier. b) Physical problems. c) User authentication, identifying data users. d) None of the above
11) Which security measures are not used to manage security threats? a) Defragment b) Firewall c) Security Policy d) Cryptography
12) From the information below, what is the Total Control Cost (TCC)? Annual expected savings: 650; Combined control effectiveness: 50%; Annual covered loss: 850. a) 1500 b) 850 c) 650 d) 100
13) Which of the following is a type of security policy? a) Governing Policy b) Technical Policy c) Job Aids / Guidelines d) All of the above
14) What are the short term technology solutions to achieve reduction of power consumption? a) LCD Monitor instead of CRT Monitor b) replacing thin clients with desktop PCs c) Use desktop scanner rather than multifunction device d) Replacing SSD with Mechanical hard drive
15) Which statement is true? If an organisation is seeking to comply with ISO 14001 they need to: a) stop all forms of pollution b) recycle all waste products c) have procedures for conducting audits d) provide training to all staff
16) Based on the following information, calculate office power consumption: 5 Servers with 1300w; 1 Server monitor with 15w; 30 PCs with 650w; 12 External hard drives for PCs with 5w; 45 PC monitors with 22w. a) 19,500 watts b) 6,500 watts c) 27,065 watts d) 26,000 watts
17) Which of the following cannot be used as a key performance indicator (KPI) on sustainability performance? a) kg CO2 emitted per floor area occupied in permanent buildings b) percentage of timber used in construction from well-managed, sustainable sources c) reduction of quantity (in 1000's kg) of ozone depleting gases used in air-conditioning equipment d) All of the above can be used as KPIs
18) Which of the following is not included in documentation standards? a) organisational and project policy b) sign-off c) distribution d) revision e) history
19) A good target for a sustainability policy implementation method includes all of the following except: a) dates for implementation and target dates for milestones b) deliverables: what, where and when, including progress reports, standards and performance including key performance indicators c) review dates d) submission dates
20) How can carbon savings be generated? a) reducing emissions intensity b) reducing number of staff c) reducing vehicles used d) increasing hardcopy documenting