INFO5301 - INFO5301 assignment writing service - Assignment 1
Date: 2023-03-17
INFO5301 – S1, 2023 Assignment 1
Information Security Management
Instructions:
This is an individual assignment. This assignment has 25 questions in 3 sections. Answer
all questions.
The assignment submission due date is 20th March 2023, 17:00 Hrs (AEDT). After the due date/time, the standard late penalty will apply.
Please write answers in the provided answer template. Please do not copy questions to the
answer document.
After answering ALL questions,
(i) name the file with the convention .docx,
(ii) convert the answer document to a PDF, and
(iii) upload it to this Canvas assignment.
Section 1
UHealth is a health insurance provider based in Australia. Following several incidents related to the security and privacy of some insurance providers, the Information Security Management arranged a meeting with the staff to discuss further steps to improve the security of data management in the company. Below you can find a summarized version of the conversation at this meeting. In this conversation, you can find several bold and italic sentences (marked (Q1) to (Q10) below) which highlight some actions taken, suggestions or arguments presented to improve the information security management process in the company.
Carefully read and analyse those actions, suggestions or arguments from an information security management perspective. Then, provide a short answer (up to 100 words max.) with your reasoning for agreement or disagreement.
Note: Please clearly state that you "Agree" or "Disagree" with the statement in the first line of your answer. [0.5 marks each, 5 marks in total]
[Meeting starts here]
(Location: Company main meeting room. Several executives and representatives from different departments have gathered to discuss ISM issues and further improvements. These representatives include the CISO (Chief Information Security Officer), network security engineers, data analysts, the HR officer etc.)
James (CISO): Hello everyone, I called this meeting to discuss further improvements we
can make to ensure information security in our company because we observed many of our
competitors faced security issues, especially with user data. Despite the busy schedule at
the start of the year, (Q1) I have invited representatives from key departments of the company to discuss current issues with information security and present further suggestions to mitigate them.
Question 1
Do you Agree or Disagree with James' action? Explain why.
Mike (Network security engineer): Thanks James for inviting us. If I start from network
security, we should secure the data transmission between our local branches and the main
server in Sydney. For that we have (Q2) already deployed advanced data encryption algorithms in data transmission and we think such encryption is completely enough to have a high level of confidentiality for the data.
Question 2
Do you Agree or Disagree with Mike's assessment of data confidentiality? Explain why.
(James continues speaking)
James (CISO): In addition to these network-level optimizations, are there any other addi-
tional modifications we can do for our technical system?
Lily (Security engineer): If we are to increase the security of the user data, properly authenticating our consumers in our mobile app is important. (Q3) Right now, in our mobile app,
users need to provide a password with a minimum length of 8 characters to log in. I think
we should increase the minimum length up to 12 characters and introduce more complexity.
Anyway, (Q4) if we can introduce fingerprint or face detection for authentication, we can
completely get rid of password protection. This will make it easy for everyone to use the
app, especially old people who cannot remember lengthy passwords.
Question 3
Do you Agree or Disagree with Lily's first idea about changing the minimum length of the password? Explain why.
Question 4
Do you Agree or Disagree with Lily's second idea for complete elimination of password protection and the introduction of fingerprint or face detection? Explain why.
Ann (Deputy CISO): Hi James, apart from these security controls that the team discussed so far, considering recent security incidents, (Q5) should we not have a revision of our security policies? I know we made a major revision 6 months ago. But I feel we can stress this requirement in the next board meeting.
James (CISO): Hmm, I ....................... because .......................
Question 5
Do you think James would Agree or Disagree with Ann's idea and why?
(James continues speaking)
James (CISO): I would like to know some suggestions from Andriana (Head of HR) regarding the awareness program about the endpoint protection system we introduced last month.
It is important that all our staff members are aware of how to interact with it.
Andriana (Head of HR): Yes James, we have completed the awareness program and the IT
security team collaborated with us. (Q6) However, a few interns who joined last week could
not participate in the program. Since it is only a few people, we postponed their awareness
program by two weeks, as we have to prioritize another staff recruitment program.
James (CISO): I................................with this action because...............................
Question 6
Given that HR has other priorities, do you think James would Agree or Disagree with Andriana's action and why?
(James continues speaking)
James (CISO): Another critical aspect I wanted to discuss with you is our current security
model. Are there any suggestions for that?
Fiona (Security analyst): Since (Q7) we are commercially oriented, we should be more concerned about who can change the information than who can read it.
Question 7
Do you Agree or Disagree with Fiona’s idea and why?
(James continues speaking)
James (CISO): In addition to this, are there any other suggestions?
Lily (Security engineer): I heard that the (Q8) company is going to deploy the Clark-Wilson model in the near future. With that model, I believe most of our employees will still get access to a wide range of software and web portals we have already deployed, especially those that interact with user data. Those applications have made the employee tasks much easier.
Fiona (Security analyst): I............................... because................................
Question 8
Do you think Fiona would Agree or Disagree with Lily's idea and why?
James (CISO): Thank you very much Fiona for your explanation. (Q9) I also have a concern about our DPI (Deep Packet Inspection) based IDS (Intrusion Detection System). I think this is really important to detect any anomalous traffic to our system and to protect user data. But with data encryption protocols, can we still use it? Mike (Network security engineer), you are the expert on these types of systems. Do you think it is useful to keep running this IDS with DPI?
Mike (Network security engineer): I .......................... because ................................
Question 9
Do you think Mike would Agree or Disagree with keeping the current IDS running in the company network?
James (CISO): Thanks for the explanation, Mike. Before I conclude the discussion are there
any final thoughts?
Andriana (Head of HR): It was an interesting discussion and many thoughtful ideas came out to protect our users' data. However, (Q10) I think we don't need to conduct an awareness program to inform our staff about the security techniques we plan to add, such as security models. If we do so, there is a high risk that the disclosed information security techniques in our company might fall into adversarial hands.
James (CISO): I ........................... because ...................................
Question 10
Do you think that James would Agree or Disagree with Andriana and why?
End of the conversation
Section 2
Select the most appropriate answer from the given choices for each of the following questions/statements. Also, provide a short answer (up to 100 words max.) with your reasoning for selecting the answer/statement. [0.5 marks each, 5 marks in total]
Question 11
Which one of the following actions is not done under formal control?
(a) Create and terminate the rules or standards created
(b) Decide which technical tools to be deployed
(c) Establish De-militarized zones and firewalls to the enterprise network
(d) Create a well-structured information flow system within organization
(e) Come up with strategic decisions.
Question 12
Which statement best explains the reason for the fact that technical control is not enough in
Information Security Management?
(a) Many data breaches happen due to human error.
(b) Hackers can easily break the next-generation firewalls.
(c) Over-engineered technical systems add more complexity.
(d) Deploying AI-based solutions costs more money
(e) It is impossible to delete all viruses in a system
Question 13
What is the correct order of the vulnerability threats that the following example cases belong
to?
(i) An insider of the organization alters the existing company records about sales income.
(ii) Inject new messages to the network impersonating a legitimate sender.
(iii) A virus program deletes all the data from a database
(iv) Sniffs encrypted packets by passive monitoring.
(a) Fabrication, Modification, Destruction, Interception
(b) Modification, Fabrication, Disclosure, Destruction
(c) Modification, Fabrication, Destruction, Interception
(d) Disclosure, Fabrication, Destruction, Interception
(e) Fabrication, Interception, Destruction, Disclosure
Question 14
Select the correct order of potential violations of basic principles of security for the following cases:
(i) Some sensitive details from over 100000 customer records are altered in a company database.
(ii) A company CEO sends a letter to his employees only with the company letterhead and without a signature on it.
(iii) A person tries to impersonate a legitimate customer of a retail delivery service through their mobile app.
(a) Confidentiality, Integrity, Authentication
(b) Non-repudiation, Confidentiality, Integrity
(c) Integrity, Non-repudiation, Authentication
(d) Integrity, Confidentiality, Non-repudiation
(e) Integrity, Non-repudiation, Confidentiality
Question 15
Which one of the following is (are) not a modification attack?
(a) An adversary changes the encrypted traffic pattern over a communication network.
(b) An attacker adds forged login links/buttons to an organization’s website to collect user
authentication data
(c) An internal staff member of an organization alters customer data in an unauthorized manner.
(d) Software hackers modify a website/software of an organization which results in additional computational tasks.
(e) An insider from an organization induces faults in their database hard drives with malicious intent.
Question 16
Interception occurs when
(a) Hardware, software, or the data is destroyed
(b) Data is made available or accessible to an unauthorized software
(c) An unauthorized person or application gains access to restricted computer resources
(d) Data is accessed and changed in an unauthorized manner
(e) Computer system becomes unavailable for use
Question 17
Which one of the following statements is(are) true about network system attacks?
(a) Attackers can get complete control of ongoing communication and replace himself/herself with the sender or receiver.
(b) Attacks such as injecting overloaded network traffic making the systems unavailable to
the users can be easily identified.
(c) Eavesdroppers can intercept encrypted messages by passively monitoring the network
interfaces.
(d) (a) and (c)
(e) All the above
Question 18
Which one is an act of certification authorities (CA)?
(a) Collect public keys and proof of identities from different entities (person, websites, organizations etc.)
(b) Create certificate binding public keys of different entities.
(c) Share the CA’s public keys to decrypt the certificates of entities to get the corresponding
public key of an entity.
(d) Only (a) and (b)
(e) All the above
Question 19
Which of the following is True about the Biba model?
(a) The Biba model controls access to the objects in an organization
(b) A person with a certain integrity level clearance cannot read the content from the same integrity level.
(c) A person with a lower integrity level clearance can read the content from higher integrity levels.
(d) Integrity levels provided by the Biba model cannot be adjusted once they are defined.
(e) The Biba model only allows a person from a lower integrity level to modify data at a higher integrity level.
Question 20
Which of the following is True about security models?
(a) The BLP model focuses on who can change the data while the Biba model focuses on who can read the data
(b) The Lattice model shows which primitive operations can be taken according to a given security model
(c) According to the BLP model, an L1 subject which dominates an L2 object has read access.
(d) The Clark-Wilson model assures that users can invoke any transformation procedures.
(e) With the Clark-Wilson model, companies can now safely reduce the cost of the auditing system.
Section 3
Question 21
You have been consulted to develop a security model to ensure information flow integrity in a newly formed financial institute. The company has categorised its staff and objects into the following categories: Top Secret (TS), Secret (SC), Confidential (C), and Unclassified (UC) as the security/integrity clearance levels with decreasing privileges, and Financial (FIN), Executive (EXE), Marketing (MAR) and Operational (OPR) as object categories.
The following tables give the integrity clearances for subjects and the integrity classifications for objects in the company.
Subject            Security Level   Category
Top Executives     TS               FIN, EXE, OPR, MAR
Finance staff      SC               FIN, OPR
HR                 C                OPR
Sales staff        UC               MAR, OPR
Operations staff   UC               OPR

Object                  Security Level   Category
security_policy         TS               EXE, OPR
payroll_db              SC               FIN, OPR
employee_contract       C                OPR
bank_details            C                FIN
building_access_cards   C                OPR
employee_funds          C                OPR, FIN
product_details         UC               MAR
sales_logs              UC               OPR, MAR
If the company has decided to follow the BLP (Bell-LaPadula) security model, draw the access permission matrix that includes all subjects and objects listed above with Read (R) and/or Write (W) permissions. [4 marks]
Question 22
Provide a short answer with your reasoning for agreement or disagreement with each of the following statements related to the developed BLP security model. [0.5 × 4 = 2 marks]
"Matti from the Finance staff can only read the payroll information database"
"Anna, who is working in the HR division, can update employee funds"
"John, who recently joined the operations staff, can read employee funds details"
"Sara, who is from the top-level executive management, can change at least the security policy"
Question 23
Based on recent security attacks on the payroll DB, the CISO decided to have a thorough investigation of the attack, taking support from a certified external security agency. The agency requested read access to the following two details.
• Details of access permissions to the building
• Table information of the Payroll DB.
What is the (Security level, [Category levels]) with the lowest possible security level and with the minimum number of need-to-know categories that can be assigned to the investigators? Explain the reason for your selection. [1 mark]
Question 24
With the growing impact of mass media, the top executives decided to establish a new media unit to interact with public media. The Media unit needs to know the status of Sales and Products, but they should not be able to modify any content. What is the (Security level, [Category levels]) with the lowest possible security level and with the minimum number of need-to-know categories that can be assigned to the media unit? Explain the reason for your selection. [1 mark]
Question 25
Name two problems of the current security model implementation and briefly explain how you can overcome those problems. [2 marks]