
UNIVERSITY OF MAURITIUS

FACULTY OF LAW AND MANAGEMENT

SECOND SEMESTER EXAMINATIONS

APRIL / MAY 2019

PROGRAMME: BSc (Hons) Management (Minor: Business Informatics)
LEVEL: III
MODULE NAME: INFORMATION SYSTEMS SECURITY
MODULE CODE: CSE3216(3)
DATE: Tuesday 14 May 2019
TIME: 13:30 – 15:30 Hours
DURATION: 2 Hours
NO. OF QUESTIONS SET: 4
NO. OF QUESTIONS TO BE ATTEMPTED: 4

INSTRUCTIONS TO CANDIDATES

This paper consists of FOUR (4) questions.

Answer ALL questions.

All questions carry equal marks.


Information Systems Security – CSE3216(3)

Answer ALL questions.

All questions carry equal marks [25 marks].

Question 1 [25 marks]

Information Systems security is the protection of information against unauthorised access to, or modification of, information, whether in storage, processing, or transit, and against denial of service to authorised users, including those measures necessary to detect, document and counter such threats. To maintain a secure system, risk, threat and vulnerability need to be analysed.

a) Explain the above highlighted words (risk, threat and vulnerability), giving one example for each.
[9 marks]

b) Describe the three key areas used to evaluate information security in an
organisation.
[9 marks]

c) One of the threats to Information Systems is the Denial of Service (DoS) attack. Using a
diagram, explain the DoS attack.
[5 marks]

d) Describe how information classification can help to maintain a secure information
system.
[2 marks]

Question 2 [25 marks]

a) Differentiate between the Bell-LaPadula, Biba and Clark-Wilson security models.
[9 marks]
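A worked illustration added by the editor (not part of the examination paper) of the three models in part (a): Bell-LaPadula and Biba as label-based read/write rules that are exact duals of each other, and Clark-Wilson as certified transformation procedures over constrained data items with an integrity verification procedure. The levels, user names and the ledger data are invented for the example.

```python
"""Toy models for Bell-LaPadula, Biba and Clark-Wilson (added example; the
labels, users and ledger below are invented, not taken from the exam paper)."""
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity label (BLP) or trustworthiness label (Biba)."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject >= obj          # simple security property
    if op == "write":
        return subject <= obj          # *-property (stops leaking downwards)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba (integrity): no read down, no write up; the dual of BLP."""
    if op == "read":
        return subject <= obj          # simple integrity property
    if op == "write":
        return subject >= obj          # integrity *-property (stops tainting upwards)
    raise ValueError(f"unknown operation {op!r}")


class ClarkWilson:
    """Clark-Wilson (commercial integrity): constrained data items (CDIs) may
    only be changed through certified transformation procedures (TPs), a user
    may only run a TP listed in an access triple (user, TP, CDI), and an
    integrity verification procedure (IVP) must hold after every TP."""

    def __init__(self) -> None:
        self.cdis = {"accounts": {"ledger": [], "balance": 0}}   # constructed CDI
        self.triples = set()                       # certified (user, tp, cdi)
        self.tps = {"deposit": self._deposit}      # well-formed transactions

    def certify(self, user: str, tp: str, cdi: str) -> None:
        self.triples.add((user, tp, cdi))

    def _deposit(self, cdi: str, amount: int) -> None:
        if amount <= 0:
            raise ValueError("deposit must be positive")
        self.cdis[cdi]["ledger"].append(amount)
        self.cdis[cdi]["balance"] += amount

    def ivp(self, cdi: str) -> bool:
        """IVP for the accounts CDI: the balance equals the sum of the ledger."""
        data = self.cdis[cdi]
        return data["balance"] == sum(data["ledger"])

    def execute(self, user: str, tp: str, cdi: str, *args) -> bool:
        """Returns False for an uncertified triple; raises if the TP breaks the IVP."""
        if (user, tp, cdi) not in self.triples:
            return False
        self.tps[tp](cdi, *args)
        if not self.ivp(cdi):
            raise RuntimeError(f"TP {tp} left {cdi} in an inconsistent state")
        return True


def demo() -> dict:
    """Same subject/object pair under BLP and Biba, then Clark-Wilson enforcement."""
    results = {
        # a SECRET subject and an INTERNAL object: BLP lets it read down but not
        # write down; Biba gives exactly the opposite answers
        "blp_read_down": blp_allows(Level.SECRET, Level.INTERNAL, "read"),
        "blp_write_down": blp_allows(Level.SECRET, Level.INTERNAL, "write"),
        "biba_read_down": biba_allows(Level.SECRET, Level.INTERNAL, "read"),
        "biba_write_down": biba_allows(Level.SECRET, Level.INTERNAL, "write"),
    }
    cw = ClarkWilson()
    cw.certify("teller", "deposit", "accounts")
    results["cw_certified"] = cw.execute("teller", "deposit", "accounts", 50)
    results["cw_uncertified"] = cw.execute("intern", "deposit", "accounts", 50)
    results["cw_balance"] = cw.cdis["accounts"]["balance"]
    # tampering with the CDI directly bypasses the TP, and the IVP detects it
    cw.cdis["accounts"]["balance"] = 999
    results["cw_ivp_after_tamper"] = cw.ivp("accounts")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two label models answer the same read/write question in opposite directions because one protects confidentiality and the other integrity; Clark-Wilson does not use labels at all, it constrains who may run which procedure on which data. The label rules are also mandatory controls in the sense of Question 3(c): the labels are fixed by the system, not by the owner of the object.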

b) Elaborate on two benefits of having a Business Continuity Plan and Disaster Recovery
Plan in an organization.
[6 marks]

c) Comment on two IT laws prevailing in Mauritius.
[4 marks]

d) Explain two types of threat faced by organizations against their information systems
security.
[6 marks]

Page 1 of 2

Question 3 [25 marks]

a) Describe four physical security controls for protecting a secure IT infrastructure.
[12 marks]

b) Differentiate between segregation of duties, job rotation and the least privilege concept in
operations security.
[6 marks]

c) Explain the difference between Discretionary Access Control and Mandatory Access
Control.
[7 marks]

Question 4 [25 marks]

There is growing recognition of information as a strategic business asset. It is mandatory to put in place protection mechanisms that mitigate the risks of information loss or modification, especially during transmission.

a) Explain the operation of a biometric system in verification mode. Use block diagrams to
simplify the steps.
[8 marks]

b) Differentiate between
i. Private and public key cryptography
ii. Substitution and transposition ciphers
iii. Spoofing and sniffing
[12 marks]
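A worked illustration added by the editor (not part of the examination paper) for part (b)(ii): a keyword-based monoalphabetic substitution beside a columnar transposition, with a check of what each one leaves intact. The keyword and plaintext are constructed for the example.

```python
"""Substitution versus transposition (added example; the keyword and plaintext
are constructed for illustration, not taken from the exam paper)."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase


def keyed_alphabet(keyword: str) -> str:
    """Cipher alphabet: keyword letters first (no repeats), then the rest of A-Z."""
    seen = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def substitution_encrypt(plaintext: str, key_alphabet: str) -> str:
    """Monoalphabetic substitution: every letter changes identity, no letter moves."""
    return plaintext.translate(str.maketrans(ALPHABET, key_alphabet))


def substitution_decrypt(ciphertext: str, key_alphabet: str) -> str:
    return ciphertext.translate(str.maketrans(key_alphabet, ALPHABET))


def transposition_encrypt(plaintext: str, columns: int, pad: str = "X") -> str:
    """Columnar transposition: write row by row, read column by column.
    Every letter keeps its identity; only its position changes."""
    if not plaintext:
        return ""
    rows = [plaintext[i:i + columns] for i in range(0, len(plaintext), columns)]
    rows[-1] = rows[-1].ljust(columns, pad)        # complete the last row
    return "".join(row[c] for c in range(columns) for row in rows)


def transposition_decrypt(ciphertext: str, columns: int) -> str:
    """Inverse: split into column strips and read them back row by row.
    Any padding added by the encryptor stays on the end of the result."""
    nrows = len(ciphertext) // columns
    cols = [ciphertext[i * nrows:(i + 1) * nrows] for i in range(columns)]
    return "".join(cols[c][r] for r in range(nrows) for c in range(columns))


def frequency_profile(text: str) -> list:
    """Letter counts sorted high to low, ignoring which letter has which count."""
    return sorted(Counter(text).values(), reverse=True)


def demo(plaintext: str = "ATTACKATDAWN") -> dict:
    key = keyed_alphabet("SECURITY")               # constructed keyword
    sub = substitution_encrypt(plaintext, key)
    trans = transposition_encrypt(plaintext, 4)
    return {
        "substitution": sub,
        "transposition": trans,
        "sub_roundtrip": substitution_decrypt(sub, key) == plaintext,
        "trans_roundtrip": transposition_decrypt(trans, 4) == plaintext,
        # substitution changes which letters appear but not the shape of the
        # frequency distribution, which is why frequency analysis breaks it
        "sub_same_letters": Counter(sub) == Counter(plaintext),
        "sub_same_profile": frequency_profile(sub) == frequency_profile(plaintext),
        # transposition keeps exactly the plaintext's letters, so an analyst sees
        # ordinary English letter frequencies and knows only the order changed
        "trans_same_letters": Counter(trans) == Counter(plaintext),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two checks at the end are the practical difference: a substitution ciphertext has the same frequency shape as the plaintext under different letters, while a transposition ciphertext has exactly the plaintext's letters in a different order. Note that if the plaintext length is not a multiple of the column count, the padding character survives decryption and must be stripped by the recipient.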

c) Firewalls are important components of security in computer networks.
Explain, using a labelled diagram, the operation of a firewall.
[5 marks]
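A worked illustration added by the editor (not part of the examination paper) of what the labelled diagram in part (c) usually shows in operation: packets are matched top to bottom against a rule base, the first match decides, anything unmatched is dropped, and a state table lets replies to allowed connections back in. The addresses, ports and rules are constructed for the example.

```python
"""Stateful packet-filtering firewall in miniature (added example; the
addresses, ports and rules are constructed for illustration and are not from
the exam paper)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One line of the rule base; fields left at their default match anything."""
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


class Firewall:
    """Rules are checked top to bottom and the first match decides; a packet
    matching no rule is dropped (default deny). Allowed connections are
    recorded in a state table so their replies get back in without a rule."""

    def __init__(self, rules) -> None:
        self.rules = list(rules)
        self.state = set()        # (src, sport, dst, dport, proto) of allowed flows

    def filter(self, pkt: Packet) -> tuple:
        """Return (action, reason) for one packet and update the state table."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            return ("allow", "established")       # reply to an allowed flow
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return (rule.action, f"rule {number}")
        return ("deny", "default")


def demo() -> list:
    """Constructed scenario: a public web server and an internal network."""
    fw = Firewall([
        Rule("deny", src="10.0.0.0/8", proto="tcp", dport=23),        # no Telnet out
        Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),  # public HTTPS
        Rule("allow", src="10.0.0.0/8", dst="203.0.113.10/32", proto="tcp", dport=22),
    ])
    packets = [
        Packet("198.51.100.7", 51000, "203.0.113.10", 443),   # Internet -> HTTPS
        Packet("203.0.113.10", 443, "198.51.100.7", 51000),   # its reply
        Packet("198.51.100.7", 51001, "203.0.113.10", 22),    # Internet -> SSH
        Packet("10.1.2.3", 40000, "203.0.113.10", 22),        # internal admin -> SSH
        Packet("203.0.113.10", 22, "10.1.2.3", 40000),        # its reply
        Packet("10.1.2.3", 40001, "192.0.2.9", 23),           # Telnet to the outside
        Packet("203.0.113.10", 443, "198.51.100.7", 51002),   # unsolicited "reply"
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Rule order is part of the policy: because the first match wins, the Telnet deny only works while it sits above any broader allow, and the unsolicited packet from the web server is dropped because a reply is only accepted for a flow the firewall itself let out.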

END OF QUESTION PAPER

Page 2 of 2
