QCAA Digital Solutions Complex digital data exchange problems and solution requirements
8 sample questions with marking guides and sample answers · Avg. score: 25.1%
A user accidentally modifies critical data in a shared document. This is a compromise of data
access.
integrity.
availability.
confidentiality.
Reveal Answer
access.
Incorrect. While improper access controls may have allowed the action, the actual modification of the data specifically compromises its accuracy rather than just access.
integrity.
Correct. Data integrity is the security principle that ensures information remains accurate, complete, and unaltered by unauthorized or accidental modifications.
availability.
Incorrect. Availability refers to ensuring data is accessible to authorized users when needed, whereas this scenario involves changing the data itself rather than blocking access to it.
confidentiality.
Incorrect. Confidentiality protects data from unauthorized viewing or disclosure, but in this case, the data was altered rather than leaked to an unauthorized party.
A high school coding club was asked to develop a mobile app to manage the sale of items at fundraising events. To comply with school policies, app data must be stored on the school’s local servers. The coding club has four weeks until the next fundraising event.
Identify and explain the impact of three constraints on the app’s development.
Reveal Answer
Constraint 1: The coding club has less than four weeks to develop the app; this is a time constraint that may affect the club’s ability to thoroughly test the system before rolling it out for use.
Constraint 2: Using an existing school server for data storage. This may result in limited storage space, and developers will need to consider data compression, particularly for storing images of items.
Constraint 3: Developing a mobile app may present some technical constraints in terms of compatibility across different platforms, e.g. iOS or Android.
Constraint 1
| Descriptor | Marks |
|---|---|
| identifies and explains the impact of a constraint | 1 |
Constraint 2
| Descriptor | Marks |
|---|---|
| identifies and explains the impact of a constraint | 1 |
Constraint 3
| Descriptor | Marks |
|---|---|
| identifies and explains the impact of a constraint | 1 |
The coding club was unable to develop all the app’s intended features in four weeks. The following processes were done manually during the first fundraising event:
- updating inventory
- authenticating users
- updating account balances.
Analyse the scenario to determine a risk to data confidentiality, integrity and availability. Justify each risk in your response.
Reveal Answer
Risk to data confidentiality: There is no user authentication process implemented; therefore, updating account balances and accessing user details risks the confidentiality of private information of all users, staff and students, including financial information.
Risk to data integrity: Updating inventory manually during a fundraising event would be a time-consuming process. There is a real risk to data integrity that could lead to overselling if the inventory data is not accurate at the point of sale.
Risk to data availability: Manually updating account balances risks the availability of user account information due to the delay caused by manually processing calculations while managing other distractions during a fundraising event.
Risk to data confidentiality
| Descriptor | Marks |
|---|---|
| determines and justifies a risk to data confidentiality | 2 |
Risk to data integrity
| Descriptor | Marks |
|---|---|
| determines and justifies a risk to data integrity | 2 |
Risk to data availability
| Descriptor | Marks |
|---|---|
| determines and justifies a risk to data availability | 2 |
A school is developing a class timetabling solution for their students.
Which is not an essential data store for the initial iteration of the app?
teacher
subject
student
assessment
Reveal Answer
teacher
Teacher data is typically essential because classes are defined by the combination of subject, time, and the teacher facilitating the lesson.
subject
Subject data is fundamental to a timetable; without knowing which subject is being taught (e.g., Math, Science), the schedule serves no purpose.
student
Student data is essential to map specific class schedules to the individual users of the application.
assessment
Assessment data (such as exams or assignment due dates) is a feature of a gradebook or planner, but it is not strictly required for the core function of displaying a class timetable.
Refer to Stimulus 3 in the stimulus book.
A secondary school stores encrypted student results in a database. To access their results, students must log in using their student ID and password. Login details are checked against the database to ensure only authorised students can gain access.
Passwords are encrypted for added security. Once logged in, students must enter a public decryption key to have their results displayed.
The database contains overall results for all subjects and students. Only results linked to the relevant student ID are displayed; students cannot view other students' results.
The algorithm for this system is incomplete. Complete the algorithm using the supplied code library.
BEGIN
    GET studentID from input form
    GET password from input form
    GET key from input form
Reveal Answer
BEGIN
    IF checkLogin(studentID, hashPassword(password)) THEN
        results = getResults(studentID)
        FOR i = 0 to (size of results)-1
            Display decryptData(key, results[i])
        ENDFOR
    ELSE
        Display "Access denied"
    ENDIF
END
| Descriptor | Marks |
|---|---|
| Symbolises, without logic errors, an algorithmic statement for password encryption using 'hashPassword' | 1 |
| Symbolises, without logic errors, an algorithmic statement for checking student ID and hashed password using 'checkLogin' | 1 |
| Symbolises, without logic errors, an algorithmic statement for handling login errors | 1 |
| Symbolises, without logic errors, an algorithmic statement for retrieving data for specific student ID using 'getResults' | 1 |
| Symbolises, without logic errors, an algorithmic statement for outputting data for specific student ID using 'decryptData' | 1 |
| Effectively uses pseudocode conventions | 1 |
Which solution requirements help protect the integrity of customer order data when ordering online?
Customers can only track their own parcels.
Customers can track parcels using a parcel ID.
All delivery messages contain a valid checksum.
All delivery messages contain a valid hash function.
Reveal Answer
Customers can only track their own parcels.
This requirement ensures confidentiality and access control by preventing unauthorized users from viewing data, but it does not verify that the data itself remains unaltered.
Customers can track parcels using a parcel ID.
Using a parcel ID is a functional method for retrieving specific records, but it does not provide a mechanism to detect if the order data has been modified or corrupted.
All delivery messages contain a valid checksum.
A checksum is a value calculated from the data content; if the data changes during transmission, the checksum will no longer match, allowing the system to detect the loss of integrity.
All delivery messages contain a valid hash function.
A hash function is the algorithm used to create a digest, not the data included in the message itself. To verify integrity, the message would need to contain the resulting hash value, not the function.
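
The checksum and hash-value options above, worked through in Python as an added example (not part of the original question set): the message carries the computed values, and the receiver recomputes them over the order it received. It goes one step beyond the question by also attaching an HMAC, because a CRC-32 or unkeyed SHA-256 value can be recomputed by anyone who rewrites the message, while the HMAC needs the shared key. The order fields, key and function names are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json
import zlib

# Constructed sample data, not taken from any real system.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_ORDER = {"parcel_id": "P-0001", "item": "school hat", "quantity": 2}


def encode(order: dict) -> bytes:
    """Canonical bytes so sender and receiver compute over identical input."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def make_message(order: dict, key: bytes) -> dict:
    """Attach the computed values (not the functions) to the order."""
    body = encode(order)
    return {
        "order": order,
        "crc32": zlib.crc32(body),                   # checksum value
        "sha256": hashlib.sha256(body).hexdigest(),  # hash value (digest)
        "hmac": hmac.new(key, body, hashlib.sha256).hexdigest(),  # keyed digest
    }


def verify(message: dict, key: bytes) -> dict:
    """Recompute each value from the received order and compare."""
    body = encode(message["order"])
    return {
        "crc32": zlib.crc32(body) == message["crc32"],
        "sha256": hmac.compare_digest(
            hashlib.sha256(body).hexdigest(), message["sha256"]),
        "hmac": hmac.compare_digest(
            hmac.new(key, body, hashlib.sha256).hexdigest(), message["hmac"]),
    }


def corrupted_copy(message: dict) -> dict:
    """Simulate one field changing in transit; the attached values stay as sent."""
    damaged = copy.deepcopy(message)
    damaged["order"]["quantity"] = 7
    return damaged


if __name__ == "__main__":
    sent = make_message(SAMPLE_ORDER, SAMPLE_KEY)
    print("intact:   ", verify(sent, SAMPLE_KEY))
    print("corrupted:", verify(corrupted_copy(sent), SAMPLE_KEY))
```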
A mobile application (app) allows car owners to remotely unlock their cars if they lock the keys inside or their keys malfunction. Once users have created an account, they can request a remote unlock by entering their username and password.
The user data that is required to set up an account includes:
- full name
- date of birth
- home address
- driver licence number
- vehicle make, model and colour
- vehicle registration.
Analyse the information and evaluate risks to data confidentiality, integrity and availability for this app. Justify your response with three examples.
Reveal Answer
A data confidentiality risk is the possibility that an unauthorised person could observe the user data in transit. For example, the app requires a password for the user to log in and the data would need to be encrypted so that it cannot be stolen.
A data integrity risk is the possibility that the data could become corrupted, lost or be maliciously manipulated. For example, the wrong car might be unlocked or a hacker might use the data to cause distress.
A data availability risk is the possibility that someone may interfere with transmission to prevent data packets from reaching the intended destination, allowing them to access the person's car so that they can steal it.
| Descriptor | Marks |
|---|---|
| Logically evaluates risks to data: confidentiality | 1 |
| Logically evaluates risks to data: integrity | 1 |
| Logically evaluates risks to data: availability | 1 |
| Justifies this evaluation by providing a coherent example of a risk to data: confidentiality | 1 |
| Justifies this evaluation by providing a coherent example of a risk to data: integrity | 1 |
| Justifies this evaluation by providing a coherent example of a risk to data: availability | 1 |
Identify a relevant Australian Privacy Principle and explain an ethical consideration when using app data.
Reveal Answer
Australian Privacy Principle: Security of personal information. Allow an administrator to de-identify or destroy personal information once it is no longer in use.
Ethical consideration: Security of personal information is important if the user sells their car, or if the car is no longer in use. The user should not be getting unnecessary calls or marketing materials for a service they no longer use or for a car they no longer own, and it would be unsafe for the original owner to still have access to the vehicle once it has been sold.
| Descriptor | Marks |
|---|---|
| Identifies a relevant Australian Privacy Principle (APP) | 1 |
| Logically explains an ethical consideration relating to the identified APP | 1 |
You discover that the app uses a Caesar cipher to encrypt data, allowing you to intercept a password in transit. Perform a desk check for five iterations to decrypt the password ‘KYIWW’.
Reveal Answer
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
| KEY SHIFT | PASSWORD |
|---|---|
| 0 | K Y I W W |
| 1 | J X H V V |
| 2 | I W G U U |
| 3 | H V F T T |
| 4 | G U E S S |
| Descriptor | Marks |
|---|---|
| Performs a desk check that decrypts the password using iterations | 1 |
| Contains no errors | 1 |
A friend is interested in learning more about encryption. Use pseudocode to symbolise a simple Caesar cipher as a demonstration.
Reveal Answer
BEGIN
    INPUT string plainText
    INPUT int keyShift
    SET string alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    SET encryptedText = ""
    FOR each character in plainText
        SHIFT character by keyShift
        APPEND letter to encryptedText
    END FOR
    RETURN encryptedText
END
| Descriptor | Marks |
|---|---|
| Symbolises INPUT for password string | 1 |
| Symbolises INPUT for key or shift integer | 1 |
| Symbolises declarative statement for alphabet | 1 |
| Symbolises a FOR loop to traverse password one character at a time | 1 |
| Symbolises a function to encrypt password one character at a time, using the key | 1 |
| Symbolises RETURN for encrypted password | 1 |
| Symbolises an algorithm with no logic errors | 1 |
| Effectively uses pseudocode conventions | 1 |
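
The Caesar cipher pseudocode and the 'KYIWW' desk check above, written out in Python as an added example (not part of the original question set); the function names are illustrative. It makes the SHIFT step explicit, including the wrap from Z back to A, and shows that the whole key space is only 26 candidates, which is why this cipher gives a password in transit no real confidentiality.

```python
import string

ALPHABET = string.ascii_uppercase  # the same 26-letter alphabet as the pseudocode


def caesar_shift(text: str, key_shift: int) -> str:
    """Shift each letter by key_shift positions, wrapping around the alphabet."""
    shifted = []
    for character in text.upper():
        if character in ALPHABET:
            position = (ALPHABET.index(character) + key_shift) % len(ALPHABET)
            shifted.append(ALPHABET[position])
        else:
            shifted.append(character)  # digits, spaces and punctuation are kept as-is
    return "".join(shifted)


def desk_check(ciphertext: str, iterations: int = len(ALPHABET)) -> list[tuple[int, str]]:
    """One row per key shift, shifting back by 0, 1, 2, ... as in the desk-check table."""
    return [(shift, caesar_shift(ciphertext, -shift)) for shift in range(iterations)]


if __name__ == "__main__":
    print("KEY SHIFT | PASSWORD")
    for shift, candidate in desk_check("KYIWW", 5):
        print(f"{shift:9} | {' '.join(candidate)}")
    # Encrypting the recovered plaintext with the same shift gives the ciphertext back.
    print(caesar_shift("GUESS", 4))
```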
Refer to Stimulus 1 in the stimulus book.
A hospital has installed a state-of-the-art boom gate at the entrance to the staff car park. The boom gate scans and records numberplates and requires drivers to swipe their ID card for access.
Identify three Australian Privacy Principles that apply to the use of personally identifiable or sensitive data and explain how the hospital could implement each principle.
Reveal Answer
Australian Privacy Principle: 1
Implementation: The hospital must be open and transparent about why it is collecting the data, how the data will be used and disclosed, and who will have access to the data. The hospital must also provide clear guidelines to staff about the collection and use of this information.
Australian Privacy Principle: 2
Implementation: The hospital must consider whether it is possible for staff to use a pseudonym instead of their real names when accessing the car park. If this is not practical, the hospital must ensure that it handles the personal information it collects in a secure and confidential manner, and only uses it for the purposes for which it was collected.
Australian Privacy Principle: 3
Implementation: The hospital must have a lawful reason for collecting staff driver information and inform staff of the purpose and use of the data collected.
| Descriptor | Marks |
|---|---|
| Identifies and explains the implementation of one Australian Privacy Principle | 1 |
| Identifies and explains the implementation of a second Australian Privacy Principle | 1 |
| Identifies and explains the implementation of a third Australian Privacy Principle | 1 |
Analyse the scenario to determine a risk to data confidentiality, integrity and availability and make a recommendation for reducing each of these risks.
Reveal Answer
Confidentiality: The digital solution for capturing numberplate information and staff names poses risks for privacy, as personal data from various sources may be linked in unexpected ways. Only one trusted employee, like an IT manager, should have access to the database, and only after going through a review process approved by the hospital's recruitment and management staff. Information should only be shared between the IT manager and staff member in question, with no other parties privy to conversations or actions taken.
Integrity: The data in the database must be error-free, but staff may attempt to abuse the system by providing access to family or friends by lending them their staff ID and obscuring their number plates to gain entry. To prevent staff from logging different numberplates, the system should crosscheck a list of permitted numberplates against IDs before granting access.
Availability: The data may be vulnerable to hacking if allowed online, so a MicroSD card should be used for offline access by a trusted staff member. Physical security of the system and SD card should be maintained to prevent staff from damaging or destroying the digital solution. Data should be purged regularly, and the database should be detached and not accessible online. Numberplate data captured by the system should be encrypted and only accessible in extreme cases.
| Descriptor | Marks |
|---|---|
| Analyses a risk to data: confidentiality | 1 |
| Analyses a risk to data: integrity | 1 |
| Analyses a risk to data: availability | 1 |
| Makes a recommendation for reducing risks to data: confidentiality | 1 |
| Makes a recommendation for reducing risks to data: integrity | 1 |
| Makes a recommendation for reducing risks to data: availability | 1 |
A dentist runs a mobile van for dental check-ups at school. Patient details and dental treatments are recorded on a computer in the van, and patient data is transferred daily to a central server in the practice by email. The computer does not have a secure log-in system, and all staff can access the email account, since there is a rotating roster of staff. Patient confidentiality is important as some staff are parents of students at the school. Multiple personal data security needs are not being met by the current system.
Evaluate the security impacts of the system to identify two personal data security needs.
Reveal Answer
The current system poses a significant risk to patient privacy and data security due to the lack of a secure log-in system. All staff, including those who may be parents of students at the school, are able to access the email account containing patient data, and this could lead to a confidentiality breach. Two personal data security needs are a secure log-in system to restrict access to the computer in the van and a system for encrypting patient data when transferring to the central server in the practice.
| Descriptor | Marks |
|---|---|
| Evaluates the security impacts of the system | 1 |
| Identifies one personal data security need | 1 |
| Identifies a second personal data security need | 1 |
A VPN has been proposed to secure the van's system. Describe a secure feature of a VPN and explain how this could improve data security.
Reveal Answer
A VPN could improve this situation by establishing a private connection between the van and the dental practice. This prevents unauthorised hackers from intercepting communications between the two networks. A VPN is also encrypted, so the data is protected even if it is intercepted.
| Descriptor | Marks |
|---|---|
| Describes a secure feature of a VPN | 1 |
| Explains how a VPN could improve security | 1 |