
BSc (Hons) in Information Technology – Year 3

Tutorial 3

IE3072 – Information Security Policy and Management


Semester 2, 2023

1. What is meant by personally identifiable information (PII)? Explain with examples.

2. Identify the consequences of a security breach associated with PII.

3. Assume that you are required to classify PII. Identify the factors you have to consider in your classification.

4.
a. Assume that a government bank in the US is in compliance with NIST SP 800-53. Identify information assets for the low impact, moderate impact, and high impact categories.
b. The core banking system of the bank is high-watermarked. Explain the approach the security experts are required to take when categorizing a system.

5. An electronic business has applied for ISO 27001 compliance. Identify two internal threats and two external threats to information security.

6. ISO 27001 describes that assets can be broken down into the following categories:
• Hardware (IT servers, network equipment, computers, laptops, etc.);
• Software;
• Information (paper and digital records);
• People (employees, contractors, volunteers and anyone who knows confidential information);
• Services (provided by the organisation or third parties); and
• Locations (the organisation’s premises, remote employees’ offices, etc.)

a. Assume that a software development company is required to create an asset inventory. Identify a minimum of two assets that belong in each of the above categories.
b. Identify the owners of each of the assets you have identified above.
c. Select one of the asset categories and identify potential threats and vulnerabilities that could pose risks to those assets.

7. Groupe Renault is a French multinational automobile manufacturer established in 1899. The company produces a range of cars and vans, and in the past has manufactured trucks, tractors, tanks, buses/coaches, aircraft and aircraft engines and autorail vehicles. The company has started its operations in India. Assume that the organization is required to perform the customer registration process.
a. Draw a simple flow chart to represent the activity flow with respect to information processing.
b. Identify the stakeholders involved in this process.

c. Identify the data required to complete the activity you have mentioned above.
d. Out of the activities you have identified above in part a), identify the activity/process that involves high risk. Justify your answer.

8. Assume that a pharmacy in the US is in compliance with the HIPAA Security Rule. Identify and classify the data according to the following classification:

Restricted/confidential data | Internal data | Public data

9. Assume that, in order to study post-COVID symptoms and recovery management, the Medical Research Institute has gathered your data as a patient who recently recovered from the illness.
a. According to the Personal Data Protection Act, No. 9 of 2022, describe your rights as a data subject in the given scenario.
b. As the controller or processor of the information, how would the Medical Research Institute maintain transparency in its information processing activities?

10. Differentiate between false positive and false negative when it comes to data classification.
