CIS52005 Assignment 3 Research Report – Due Date 19th September 2016
Task 1 Research and write a critical analysis of the following SAP
System Security Parameters
Task 1.1 Discuss what is a transaction code and its main purpose in the SAP
R/3 System. Research the following related SAP Transaction Codes SM19 and SM20 and explain how you would use these two related SAP Transaction codes to under- take a security audit of an organisation’s SAP R/3 System (About 500 words)
Task 1.2.1 Discuss how the user master record in SAP plays an important role in ensuring assignment of appropriate rights, activity groups / roles and authorisations for individual users. (About 500 words)
Task1.2.2 As it is not possible to delete the SAP* user account describe two suggested controls to secure this account from misuse. (About 250 words) Task 2 Ethical Behaviour for an Information Security Professional
Review the Wikipedia Link for Professional Ethics and ACS Code of Professional Practice and provided with the Assignment 3 and consider the following two case studies as an Information Security Professional:
Task 2.1 Security hole in Distributed Record Management System used by Company X and Company Y - Summary of case
Company X has just signed a business agreement with Company Y, which entitles both of them to access each other clients’ records. Faisal, a software programmer at Company Z, was assigned the task of developing a software program that handles the access and retrieval of records from each Company’s database system into the other. A first run of the software on real data indicated that the work was well within the state of the art, and no difficulties were found or anticipated.
Several weeks later and during a normal test on the software developed, Faisal discovered a serious ‘security hole’ in the database system of Company Y by which hackers can easily obtain confidential information about clients. He was convinced that while the software he developed could correctly accomplish the task, the code in Company Y’s database system could not be trusted as the security hole posed a threat even on Company X’s database system. Faisal told his manager about the problem and explained its significance. The manager's response was, -That's not our problem; let's just be sure that our software functions properly.- Faisal is not sure what to do. Refusing to work on the project means disobeying his manager’s orders. Continuing to work on the project, means disobeying one of God’s commands, which requires him to be truthful and sincere in his dealings.
Task 2.1.1 Identify and describe the key ethical concerns raised in this case study? (About 250 words)
Task 2.1.2 Identify and describe how specific values of ACS Code of Professional Practice would provide guidance on how to deal with key ethical concerns raised by Faisal in a recent distributed Records Management system project (About 250 words)
Task 2.2 – Carol Fraudulent Member of ACS Branch Summary of case Carol is a popular person who has worked hard in the ICT industry. She is currently a team leader of a group of software developers in a large company providing outsourced services to the Federal government. She is a Member of the ACS and decides to contribute to her profession by playing an active role in the local branch of the Society, and is elected Treasurer. Carol has some financial problems, and forges signatures on cheques to embezzle $5,000 from the branch’s reserves to pay for medical treatment for her child. When she is inevitably found out she returns the money, and her membership of the ACS is terminated, but she continues in her job. Several members of her team are also ACS members. How should they treat their team leader?
Task 2.2.1 Identify and describe key ethical concerns raised by Carol’s actions outlined in this case study? (About 250 words)
Task 2.2.2 Identify and describe how specific values of ACS Code of Professional Practice would provide guidance on how to deal with key ethical concerns raised by Carol’s actions in this case study (About 250 words)
Task 3 Research the following advanced network attack type - the
Advanced Persistent Attack
Research the concept of an advanced network attack known as an Advanced
Persistent Attack. Explain what is meant by the concept of an Advanced Persistent Attack and describe the steps, resources and activities that would need to be under-taken by a hacker to mount such as attack on an organisation and the possible consequences for an organisation if compromised by an Advanced Persistent Attack (About 500 words)