QUESTION ONE [30]
You were recently appointed as the chief information systems officer (CIO) of Sword Ltd (Sword), responsible for the information system controls. Sword is a subsidiary of the famous Grant Computer Games Group. Sword is a technology company that researches and develops state-of-the-art computer games. The company manufactures computer war games; the bestselling ones relate to guerrilla warfare.
Sword operates from its head office just outside Umhlanga, Durban, KZN. The building also houses the Grant Computer Games Group's offsite backup facility. Sword employees are not aware that a backup facility is on their premises; they have simply been informed that they are not allowed into Highend Block, the research and development section of the company. Similarly, the company does not allow wireless technology or internet connections on its premises. The company has a strict 'no cell phone or tablet' policy.
Each employee in the computer department has a minicomputer connected in real time to the mainframe computer located in a room at head office. Computers are connected via a local area network. The computer room contains an application server, a database, and the mainframe computer. The network connects with the backup service contained in Highend Block. By logging on to the network, users can gain access to various application software programs, as well as data files stored on the computer hardware located in the computer room. The general procedure Sword uses to verify access to the information system is a password linked to a username. The data administrator is responsible for the maintenance of the computerised information collected during investigations.
During the year, the company's head office came under siege when the computer room was attacked by a gang of five well-armed men. They breached the building with military precision in under minutes.
Unbeknown to the other staff employed by the company, there was also a break-in at Highend Block. According to the police, another group of thieves, suspected to have included company employees, broke into the building and stole one of the servers and a few backup hard drives. On the way out, they exchanged fire with the police.
The company has excellent physical access controls for both Highend and Low A Blocks, as well as logical access controls to the computer information system. All the controls were designed by the company in collaboration with the external computer specialist.
You are, therefore, satisfied that they appear sufficient and effective. This was confirmed by one of the thieves, who was wounded in the gunfight with the police before being arrested. He confessed that, before stealing the hardware, they had hacked the system and removed and changed some of the information to make it difficult for the Black Group to determine which information had been stolen.
REQUIRED
Describe the physical access controls, over and above those already mentioned in the scenario, that should have been implemented to prevent the break-in and to ensure that the backups stored in Block B of Sword's premises could be used for authorised purposes only. Your answer must not address logical access controls.
Explain how 'authorisation matrixes' could have been used to ensure that only valid and authorised changes could be made to the information on the computer system, which could have prevented the thieves from removing and changing information stored on the system.
What can Sword Ltd do to ensure strict control over passwords, thus strengthening logical access control?