
ACC0022 Computer Control Audit and Security

Exam Preparation Current Session 1 2017


Exam structure
 This exam is worth 40% of your final mark.
 To pass this unit, you must achieve a mark of at least 50% in the final examination and at least 50%
from the total of all items of assessment.
 The exam consists of 5 parts: A, B, C, D and E.
 Part A: consists of 10 multiple choice questions worth a total of 10 marks (1 mark each).
 Part B: consists of 5 short answer questions worth a total of 15 marks (3 marks each)
 Part C: consists of 5 short answer questions worth a total of 20 marks (4 marks each)
 Part D: consists of 7 short descriptive answer questions worth a total of 35 marks (5 marks each)
 Part E: consists of 1(one) security analysis related question worth a total of 20 marks
 Answer Part A, Multiple Choice questions in the exam book (circle the answer you think is correct)
 Answer all other parts (Parts B, C, D and E) in the answer book provided.
 If a question asks for a number of points, make each new point on a new line and number the
points.

Exam structure: Part B


 Part B: consists of 5 short answer questions worth a total of 15 marks (3 marks each)
 Answer these questions in the answer book provided.
 A question worth 3 marks is expected to have 3 points.
 Such questions will clearly have 3 points requested.

 Example: QUESTION
 Describe hash functions, and provide two purposes which they can be used for.
 Answer:
 Hash functions are mathematical algorithms that generate a message summary or digest, and
are sometimes called a fingerprint. (1 mark)
 They are used to confirm the identity (1 mark) of a specific message and
 to confirm that there have not been any changes (1 mark) to the content.

Exam structure: Part C


 Part C: consists of 5 short answer questions worth a total of 20 marks (4 marks each)
 Answer these questions in the answer book provided.
 A question worth 4 marks is expected to have 4 points. Some of these questions may warrant a diagram to
display information such as structural aspects of networks or processes.
 In such contexts you are encouraged to present a diagram, if it helps to convey your answer, to
secure full marks.
 Example: QUESTION
 Describe symmetric encryption and asymmetric encryption. Specify how these are similar and how they
differ.
 Answer:
 Symmetric encryption – same cipher used to encrypt and decrypt. So only a single encryption key exists.
 Asymmetric encryption – different cipher used to encrypt and decrypt. So there is an encryption key and
a different decryption key.
 See book for diagram.
 Similarities – once a plaintext file has been encrypted, it is protected because it is encoded into a format
that cannot be read by others, and must be decrypted to be understood.
 Difference – symmetric requires the same key to be kept secret/secure by each end of the process.
Asymmetric provides the encryption key to the public domain so that anyone can encrypt, but only the
receiver holds the key to decrypt.

Exam structure: Part D


 Part D: consists of 7 description questions worth a total of 35 marks (5 marks each)
 Answer these questions in the answer book provided.
 A question worth 5 marks is expected to have 5 points (including diagram if used).
 The use of a diagram is recommended where relevant.
 Example: QUESTION
 Describe the following types of entities in a base model Role Based Access Control (RBAC) system. A
diagram is needed for a maximum of 1 mark.
 User.
 Role.
 Permission.
 Session.
 Answer:
 User – individual person with access to the computer systems and holds a unique logon ID.
 Role – specified job function within the organisation, with associated authority and responsibilities that
are conferred on this role and so onto anyone who holds this role.
 Permission – the aspects of approval to read and/or modify objects (this is access rights and privileges).
 Session – mapping between a user and an activated subset of roles to which the user is assigned.
 [Figure 4.8 (B) RBAC models: diagram of Users, Roles, Operations, Objects and Permissions, joined by the
User Assignment (UA), Permission Assignment (PA) and Role Hierarchy (RH) relations, with Sessions linked
through user_sessions and session_roles.]
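The four entities and the relations from the figure, as an added worked example (not from the textbook or the unit materials): users and roles are joined by UA, permissions and roles by PA, and a session activates only a subset of the user's assigned roles before any access check. User, role and object names are made up.

```python
from dataclasses import dataclass

# Constructed illustration of the base (flat) RBAC model described above:
# Users, Roles, Permissions (operation on object) and Sessions, joined by
# the UA and PA relations.  Names are made up; no role hierarchy is modelled.

@dataclass(frozen=True)
class Permission:
    operation: str  # e.g. "read" or "write"
    obj: str        # the protected object

class RBAC:
    def __init__(self, users, roles):
        self.users, self.roles = set(users), set(roles)
        self.ua = set()     # User Assignment: (user, role) pairs
        self.pa = set()     # Permission Assignment: (permission, role) pairs
        self.sessions = {}  # session id -> (user, activated roles)

    def assign(self, user, role):          # populate UA
        if user not in self.users or role not in self.roles:
            raise KeyError("unknown user or role")
        self.ua.add((user, role))

    def grant(self, permission, role):     # populate PA
        self.pa.add((permission, role))

    def assigned_roles(self, user):
        return {r for u, r in self.ua if u == user}

    def create_session(self, sid, user, roles):
        # A session may activate only a subset of the user's assigned roles.
        roles = set(roles)
        if not roles <= self.assigned_roles(user):
            raise PermissionError("role not assigned to user")
        self.sessions[sid] = (user, roles)

    def check_access(self, sid, operation, obj):
        # Granted only if a role active in this session holds the permission.
        _, active = self.sessions[sid]
        return any((Permission(operation, obj), r) in self.pa for r in active)

def build_example():
    rbac = RBAC(users={"alice", "bob"}, roles={"clerk", "accountant"})
    rbac.assign("alice", "clerk")
    rbac.assign("alice", "accountant")
    rbac.grant(Permission("read", "ledger"), "clerk")
    rbac.grant(Permission("write", "ledger"), "accountant")
    rbac.create_session("s1", "alice", {"clerk"})  # alice activates clerk only
    return rbac
```

Because session s1 activates only the clerk role, alice cannot write the ledger in that session even though the accountant role is assigned to her; bob, who holds no roles, cannot open a session with the accountant role at all.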
Exam structure: Part E
 Part E: consists of 1 security analysis related question worth a total of 20 marks
 Answer this question in the answer book provided.
 Example: QUESTION
 As part of a formal risk assessment of the main file server for a small legal firm, you have identified the
asset “integrity of the accounting records on the server” and the threat “financial fraud by an employee,
disguised by altering the accounting records.”
 Suggest reasonable values for the items (i.e., Likelihood, Consequence and Level of Risk) in the
risk register for this asset and threat, and provide justification for your choices.
 Recommend 3 (three) suitable specific controls that could reduce the risk. Indicate which you
believe would be most cost effective.
 Answer:
 Possible values for the risk register for this asset and threat are:

Asset | Threat/Vulnerability | Existing Controls | Likelihood | Consequence | Level of Risk
integrity of the accounting records on the server | Financial fraud by employee, disguised by altering the accounting records | monthly account audit | Possible | Moderate | High

Justification:
The chance of insider fraud can be very hard to predict, but it is clearly possible. Depending on how long it takes for
the fraud to be identified, there could be a significant impact on the organization's finances.
Assuming there is a regular monthly audit check of the firm's cash flow, it is likely the fraud will be detected
relatively quickly, which suggests a moderate consequence rating. Again, changing these assumptions will change
the ratings.
Recommended Controls:
 To manage the risk to "integrity of the accounting records on the server" from "financial fraud by an
employee, disguised by altering the accounting records", some suitable specific controls from Table 15.3
could include: Separation of Duties; Access Control Supervision and Review; Audit Monitoring, Analysis,
and Reporting; User Identification and Authentication; and Personnel Screening.
Cost-effective Controls:
 The most cost-effective controls are likely to include Separation of Duties, to ensure that significant
financial transactions must be authorized by multiple staff, along with Access Control Supervision and
Review, to help detect fraud should it occur.

Text Book Questions


The exam uses the textbook questions, including the end-of-chapter review questions, or variations of them (as per
the study guide).
 Please follow the exam hints available on the MySCU notice board for the chapters and content details for
EXAM preparation.
 The best resource students have is the recorded Collaborate sessions, as I have tended to emphasise slides
of interest throughout the semester.

PowerPoint Slides
 As far as the textbook material is concerned, if it was not covered in the PowerPoint slides then it is less
likely that it will be in the exam.
 Refer to the previous slide on Collaborate sessions.
