You have been asked to review how well your company is prepared for a major data breach of your firm's customer database containing some 15 million records with names, addresses, passwords, credit card numbers, and payment history. The goal is to minimize the potential impact of a hacker getting access to this data and to avoid expensive class action lawsuits from affected customers. How would you proceed with this audit? What sort of measures would you look for or recommend? What would you do?

The CISO approaches the interns who seem to be breaking various security standards, who express their displeasure. According to the organization, they don't encrypt their workstations, download unlicensed music, connect personal devices to corporate computers, spend too much time on social media, and download pornographic content on workplace systems. The CISO recommends that you create a security document (Rules of Behavior) that has at least 15 rules limiting what employees may and may not do when connected to the corporate network.

What rules do the authorities currently have in place for handling data breaches and security?

Identity theft, in which people steal other people's personal information, is still a big source of worry for both individuals and businesses. Let's pretend you're a database administrator for a large company with extensive online databases. What do you do? Are there any measures you'd take to prevent unauthorised access to a company's database?

Barbarlee suspected and found a loophole in the university computer’s security system that allowed her to access other students’ records. She told the system administrator about the loophole, but continued to access others’ records until the problem was corrected 2 weeks later. Was her actions unethical or not. Explain your position? What should be the suggested system administrators response to Barbarlee's actions? How should the university respond to this scenario?

Our test data as 10,000 records with 100 records for fraud (positive) and the rest not fraud (negative).  We want to evaluate our classifier accuracy and are very concerned about catching all the fraud cases and not providing too many false alarms.  What technique would you use to evaluate this classifier and why?

How much assurance should you expect in terms of data security? What is the best way to ensure data integrity and user authentication?

How does the company handle the release of sensitive data in the event of a security breach?

Where do you think the company's duty for data security starts and ends? We need to know how much control the organization has over when security policies and procedures become active and inactive. Do you believe any of these barriers will be widened, perceived or real? If so, explain your reasoning. Why isn't this the case?

Think about the security procedures you'd use to prevent data loss and theft in response to the issues you've identified.