INFORMATION SECURITY AND TRUST (CSC8202)
MODULE COURSEWORK
Deadline: 22nd November 2019
Scenario
Health 123 are a UK-based company. Health 123 are developing a Web application. Based
on symptoms entered by the user, their gender and their date of birth, the application will
provide a recommended course of action for treatment. The course of action for treatment
will include the specific service to contact (e.g. Emergency Department) and the urgency
which with the service should be contacted. Health 123 are planning to supply periodic
usage summaries from their application to another UK-based company, Health 456. These
usage summaries will contain details of the queries made by users and include: the location
of user, their symptoms, gender and date of birth and the date/time on which they made
the query. Health 456 will use the usage summaries to design and deliver health services.
Selected data flows and processing activities are illustrated in the diagram below.
User Health 123 Health 456
1. User Registration Details
Email Address, Telephone Number, Password,
Gender, Date of Birth
8. Usage Summary Details
[(Location, [Symptom], Date/Time, Gender, Age)]
2 INFORMATION SECURITY AND TRUST (CSC8202) MODULE COURSEWORK
Questions
Answer the questions below using the information provided for the scenario.
You must answer ALL questions in BOTH parts.
Part One
[50 marks]
(1) Describe the process of user authentication that is used within the application.
[10 marks]
(2) Health 123 are planning to use Hierarchical Role Based Access Control (RBAC) to
control internal access (i.e. within Health 123) to the data used by the application.
(a) Define a set of indicative roles for staff within Health 123 and structure these
roles in a hierarchy that could be used to control access to resources within
Health 123.
[5 marks]
(b) Describe how a chosen contextual constraint could be used by Health 123 to
restrict the activation of specific roles following authentication.
[5 marks]
[10 marks in total]
(3) Construct an attack defence tree to model unauthorised access to a user account.
Details of feasibility, cost and countermeasures do not need to be included.
[30 marks]
Please turn over to next page.
INFORMATION SECURITY AND TRUST (CSC8202) MODULE COURSEWORK 3
Part Two
[50 marks]
(1) Health 123 have determined that they are processing special category (or ”sensitive”)
data. State whether you agree with their position and justify your answer
with reference to relevant legislation.
[5 marks]
(2) Based on feedback from focus groups, Health 123 have determined that the majority
of users are likely to access the Web application using a mobile device. Explain
why access to the Web application using a mobile device presents a challenge for
Health 123 in providing privacy information to users.
[15 marks]
(3) Users enter their symptoms into the Web application as free text e.g. ”headache
and coughing” and ”high temperature”.
(a) Explain why this might pose a threat to the privacy of the users (or others).
[10 marks]
(b) Define a strategy for the anonymisation of the Usage Summary Details. All
attributes and records must be retained by the anonymisation process.
[15 marks]
(c) Provide a brief rationale for your strategy with reference to the concepts of
risk and utility.
[5 marks]
[30 marks in total]