Test: ICT Security Policies
All of these questions have appeared on past papers.
1 A large company has branches all over the UK and uses its ICT systems to manage
customer records and all its financial dealings. The company’s Data Officer has written a
security policy to protect the data held by the company.
Describe the use of user accounts and logs as a way of ensuring the confidentiality of
customer records. [2]
2 Explain two other factors which the company should take into account when designing
its security policy. [4]
3 A large travel agency has concerns about losing data. They are reviewing their disaster
recovery procedures.
Explain with reasons four factors which should be included in a disaster recovery plan. [8]
4 A Health Authority is very dependent on their ICT system for administration. The Health Authority
is undertaking a risk analysis.
(a) Describe in detail two of the factors the Health Authority should take into account when
deciding how to develop, control and minimise the risk to data. [2×2]
(b) Identify a problem that could arise if steps are not taken to minimise the risk, discuss its
possible impact and describe in detail a suitable strategy to overcome it. [4]
5 Most organisations now have ICT security policies.
(a) Discuss in detail the potential threats to data and the possible consequences of
accidental or deliberate destruction of data. Illustrate your answer with distinctly
different examples in each case. [9]
(b) Discuss four methods which could be used to prevent the deliberate destruction
or misuse of data. [4×2]
6 A local doctor’s practice uses a network to manage patient records, appointments and all its
financial functions. The Practice Manager is worried about the confidentiality of the patient
records.
(a) Explain why the practice should have a security policy and give two examples of what
this should contain, other than user accounts and logs. [4]
(b) Describe the use of user accounts and logs as a way of ensuring the confidentiality
of patient records. [3]
7 Describe two of the factors an organisation needs to consider when producing a risk analysis. [4]