7CCSMSEM
Security Management
Tutorial Week 8 (Sketch of Solutions)
Recall GANT from previous tutorials:
Question 1. The officers of GANT have decided that they need to establish a better means for information security. They are convinced they need to buy security products to achieve that (e.g. anti-virus). However, they seem to think that information security can be achieved just by using these products. What other types of security controls would you suggest GANT should look at? For each type, give one example.
In addition to technical security controls, there are also physical and procedural (or social) security controls. Physical controls rely on the presence, or otherwise, of physical limitations to the activities that a criminal or other unauthorised person might wish to carry out. An example is secure deletion. Procedural controls are those that cover the rules, regulations and policies that an organisation puts in place to help reduce the risk of issues arising. An example is a Clear Screen and Desk Policy.
Question 2. GANT has recently acquired a new computer to store the digital data they hold about members and Toad populations. As a result, they are going to decommission the previous computer they are using. They would also like to make sure that the data in the computer is deleted. Discuss at least two methods you could use for that.
One method consists of overwriting the physical media several times. Another method is to destroy the physical media. For more information about exactly how to do that in the most effective way, together with other methods, see the Extra Reading provided in KEAT (Secure Data Deletion).
Question 3. Due to a recent breach, GANT are more and more concerned about their security, and given your explanations in Question 1, they are very aware that procedural aspects may play a role in making GANT more secure. As such, they have come up with the brilliant idea to start monitoring all actions of GANT employees so that they could see whether they follow the procedures. They approached you to give advice on how to do this. What would be your advice?
First of all, GANT need to consider that there are applicable laws here, e.g., the Data Protection Act (DPA), which means that they cannot just do whatever they think is needed to monitor their employees. Second, GANT should consider whether they actually need to monitor all actions of their employees, or whether they could have similar processes to check for compliance. Finally, they should consider what impact this introduction may have on the actual GANT business objectives, e.g., is this preventing employees from carrying out their job adequately or making it more cumbersome?
Question 4. GANT is considering using a cloud provider to increase availability. What is cloud computing? Why is it useful? What are the security risks if the organisation relies on cloud computing for their infrastructure?
Cloud computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
It is useful as it allows a small company to gain access to powerful computers that would normally be out of reach.
There are several security risks. For instance, cloud providers can be hacked, and the information may be leaked publicly. This is an example of sharing a risk, because, while the cloud provider is also liable, the data leaked can be embarrassing to the organisation. Also, the data can be deleted or lost if the cloud provider suffers a crash and does not keep regular backups. In addition, data may not be appropriately deleted, or deleted when it should be. There is no guarantee data will be completely removed from the cloud infrastructure when the client decides to delete data from the cloud.