Tuesday 30 April 2019 2:00 pm – 4:00 pm (Duration: 2 hours)
DEGREES OF MSc, MSci, MEng, BEng, BSc, MA and MA (Social Sciences)
Enterprise Cyber Security (M)
(Answer ALL questions)
This examination paper is worth a total of 60 marks
The use of a calculator is not permitted in this examination
INSTRUCTIONS TO INVIGILATORS
Please collect all exam question papers and exam answer scripts and retain for school to collect. Candidates must not remove exam question papers.
Brooks Industries is a large enterprise and has several legacy systems that effectively manage employee records. These legacy systems are maintained by a group of technical staff that are nearing retirement. These systems are used by a number of employees for many different tasks. The technical team have evolved some aspects of these systems, but much of the associated documentation has been lost and relevant staff have already retired. The systems contain personal data relating to employees, including bank details and medical information.
The management team are concerned about potential security and data protection issues given the age and importance of the legacy systems.
The management team are considering evolving the legacy systems to address potential security and data protection issues.
Devise a plan with FOUR clear steps to evolve the legacy systems in the given context.
The management team has been considering the options for evolving the legacy systems. There are some members of the management team that are arguing for development of replacement systems deployed using Infrastructure as a Service (IaaS). There are other members of the management team that favour utilising an established and specialised Managed Service Provider (MSP). There are members of the management team that are aware of other organisations using an MSP that specialises in employee record management and also employs many university graduates.
Argue for the optimal deployment by comparing and contrasting both options in the given context.
is headquartered in the European Union with offices across Europe. The company has opened its first office in the United States of Ruritania. The company plans on transferring some employee personal data out of the European Union to systems in the United States of Ruritania.
The management team are concerned about the potential legal issues in transferring data outside the European Union to the United States of Ruritania. The technical team state there is no concern as they have determined that United States of Ruritania has adequate levels of data protection comparable to the European Union.
Argue the accuracy of the assessment by the technical team in the given context.
Summer Diet 1 Continued Overleaf/
Life (SML) sells life insurance policies to individuals across Europe. The organisation offers monthly discounts on insurance premiums for those that enroll in ActivSystem. The system rewards customers that lead active lifestyles with discounts on monthly premiums. The ActivSystem comprises a web portal and smartwatch to monitor the activity of customers.
The organisation requires customers to wear a smartwatch and consent via the web portal to the company collecting time and location data as well as activity data, such as footsteps taken. The organisation states the data is not encrypted, is stored for five years and will only be used to determine calories burned per day. The entire data collection and processing process has not been documented, but the company is considering performing a risk analysis and reviewing relevant policies. SML customers can observe activity data on the web portal, with the company expected to add features such as correcting data, data export and data deletion in time.
Data analysts within SML have determined that time and location data from customer smartwatches can also be used to determine the venues they visit. Consequently, the company has decided that discounts will be reduced for those customers that visit fast food restaurants. The analysts have also determined that the data could be sold to various companies to offset the discounts offered to customers.
The company are yet to appoint a data protection officer and the management team are concerned about some of the design decisions from the perspective of data protection.
Critique the ActivSystem from the perspective of FOUR principles of the General Data Protection Regulations (GDPR).
The developers of ActivSystem are keen to consider and discuss potential threats to the web portal component with various company stakeholders. SML customers are expected to access the system using their web browser and login with their personal email address and password. SML customers can update address details and can also use the web portal to purchase more sophisticated smartwatches.
Evaluate the web portal using an appropriate framework for thinking, discussing and classifying common threats.
The management team of Mauchly Hospital have been reviewing the expense in the back-up of medical records associated with patients. The medical records largely comprise multiple standard forms and letters for each individual patient. Consequently, multiple forms and letters have small changes between them. A typical example is that of an appointment letter where only the address and name are altered for each patient.
Mauchly Hospital require a more efficient approach to storage of back-up medical records for patients. The current back-up solution maintains a complete duplicate for each patient. The management want to make efficient use of infrastructure and avoid storage of redundant data and reduce the flow of data over their internal network.
Devise and describe an appropriate solution that reduces redundant data in the given context.
The management team are concerned about threats to patient privacy that may arise from changes to internal back-up infrastructure.
Identify a potential attack that may compromise patient privacy for the proposed solution in (a) and argue for an appropriate solution to the attack.
The management team are concerned that any sophisticated solution to reducing redundant data may hamper the organisation's ability to comply with aspects of data protection and privacy. They are particularly concerned about the right of an individual to have their data deleted.
Outline how the proposed solution in (a) may be perceived as in conflict with the right of data subjects to be forgotten. Argue how the solution would not conflict with the right to be forgotten.