Information Processing and Management

VCAA Exam Post Mortem

2002

Other VCE IT Exam Post Mortems to enjoy

IPM / ITA / Informatics / Data Analytics - 2001 | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2023

Info Systems / SD - 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 | 2023

Question 1

1 mark. Tickbox

What would best measure an improvement in the effectiveness of producing an advertising flyer?

was produced in colour instead of black and white

Time taken and cost per page measure efficiency. "Produced using different hardware" is irrelevant.

Question 2

1 mark. 5 lines of writing

List a software tool you've used this year and describe how a function of the software, other than copy and paste, allowed you to produce information efficiently.

First you had to name a software tool. It could be anything... some samples follow...

There are hundreds of possible answers. You could have mentioned software like:

- webpage editor (Dreamweaver) - creates tables, frames, Javascript rollovers etc with no HTML coding. "I created a template with standard formatting and contents and re-used this whenever I had to create a new page."

- word processor (MS Word) - generates tables of contents based on heading styles so you don't have to find all the section headings and their page numbers and copy/paste/type them.

- Gantt Chart producer (MS Project) - automatically finds the critical path in a project. Automatically adjusts existing tasks when new tasks are added.

- graphics program (Microsoft Image Composer) - can automatically apply drop shadows and texture effects onto images

- spreadsheet (MS Excel) - autofill will copy values into adjacent cells, and update the value automatically as it is copied (e.g. formulae, numbers, months)

- database (Access, Filemaker) - generate automatic forms and reports at the click of a button so you don't have to drag many fields onto a form or report manually. "I used a default value of "Yes" for the field "Is Alive?" so the operator did not have to type it in all the time."

- text editor (Editpad) - allows search and replace over an unlimited number of documents so the same operation does not have to repeated many times.

Also relevant would be the use of Wizards, macros, document embedding, formulas, autotext, autocomplete and queries.
Spell/grammar checking were not acceptable answers.

Question 3

2 marks. 8 lines of writing (twice as many lines as last year's Q3 worth the same number of marks)

You had to give 2 reasons why the size of file attachments sent by email should be limited.

1. The smaller the attachment, the quicker it is to send and receive.

2. Smaller attachments will not fill up the recipient's mailbox as quickly as larger attachments.

3. It can slow down the network for other users.

4. Storage space may be limited by the organisation.

5. Downloads cost money.

Unacceptable: mentioning hard disk size restrictions.

Question 4

2 marks. One tickbox and 4 lines of writing (again, twice as many lines as 2001 exam - same marks)

4(a) - In the network diagram shown above, the numbered components are

firewall, hub and print server

(The 2 options saying that item 3 was a printer make no sense, leaving an easier decision. Item 2 simply did not look like a "network". Anyway, the whole picture is the network!)

4(b) - Describe the purpose of the empty connections on item 2

They are spare ports on the hub for later expansion (e.g. to connect another PC or file server to)

Question 5

Total of 4 marks. Total of 10 lines of writing (more lines per mark as 2001)

The first phase of the system development life cycle is analysis. City Graphics is planning to install an internal email system. They have gathered data on what the system needs to be able to do by interviewing current staff.

Notice how the exam told you what the first phase was? This overcomes the problems of there being many different "flavours" of the SDLC if you search around. At least you know what phase the examiners mean!

a. Explain one strength and one weakness of this method of gathering data.

Strength - the staff know the organisation, and how the system might be used. It also gives them ownership and involvement in the process of change.

- you can get more detail on users' comments so you can improve the system.

- the data is first-hand (primary) rather than interpreted by someone else

- personal interviews let you observe non-verbal communication (e.g. pulling faces)

- you can ask someone to clarify an answer or give more detail

- answers may be more reliable than those from a written survey

Weakness - the staff may well be ignorant of how such systems need to be built and expanded and may well be unaware of important capacities and features that the system might need now, or in the future.

(You don't ask a baby to design his own pram, do you? You might let him feel important by letting him suggest a colour, though!)

- staff may be limited in their understanding of the system as a whole and may only be familiar with a part of it

- staff may think they are being judged, and give "pleasing" rather than honest answers

- the interviewer can bias the interview

- interviews are time-consuming and take people away from their work

- respondents lack time to think through answers because they have to answer on the spot

b. Several steps need to be completed before introducing the modified information system. Select the steps which occur in the analysis and design phases.

You were then given 6 steps:

Step 1: Train staff
Step 2: Draw up the necessary input/output screens
Step 3: Purchase new equipment
Step 4: Document the procedures of the current system
Step 5: Write user documentation
Step 6: Survey users of the new system

Then you had 2 lines of text to list the steps involved under "Analysis" and "Design" phases. This is where some 2002 examinees might be about to go, "D'OH!".

You did not have to, and SHOULD NOT HAVE listed EVERY one of the 6 steps, if they did not fit into either analysis or design! Some steps were obviously not in either "analysis" or "design"!

This is not an easy question! I would guess (and these are open to argument!)...

Analysis phase: 'Step 4' (or, you could have written 'document current procedures')

Design phase: 'Step 2' (or you could have written 'draw up I/O screens')

* Step 1 (training) is a late step (happens during implementation).
* Step 3 (purchasing equipment) must come after design (during implementation)!
* Step 5 (user documentation) cannot be carried out until the system design is finished and hardware/software is bought or built. However, you can and should specify what forms of documentation would be required for different users. Documentation could be written at the end of the development phase.
* Step 6 is way out: obviously you can't survey users about a system that does not yet exist and that they have not used! It happens in the final evaluation/operation phase.

Question 6

2 marks. Four lines of writing

Before creating a web site, Plans Plus, an architectural firm, has aksed you to develop a design of the site. What design technique would you use and why?

Design technique: Page mockups (pictures of what different screens should look like)

Reason: Since web pages are mainly visual information, page mockups would give the most accurate idea of what the finished site would look like.

Since I had to choose only one technique, I felt it best to mention the most useful technique, if I could only choose one. I would, in real life, also use other techniques such as structure charts to show the site structure, flow charts/NS charts if I had to program Javascript etc

When I first saw the question, I thought, "Easy. Page mockups." Then I thought, "No - that's more a design tool, rather than a technique. Do they mean 'top down vs bottom up?'" Like you in the exam room, I had to make a decision...

If students argued for "top down" design technique (as many did, according to email reports I received) - and justified it well - I would argue that they should at least get credit for their interpretation of a possibly fuzzy question. I checked the 2003 IT Study Design after the fact, and it does refer to "Design Techniques as meaning things like mockups, but "top-down" could also be considered a 'design technique' in the broader sense..

The moral of the story: if you believe a question is ambiguous, give alternative answers and justify them. Yes, it will take more time, but if you explain yourself, you can still get some or all of the allocated marks.

Also: Storyboard (to show how pages link together)
Hierarchy chart, structure chart, site map: to show links and navigation paths.

UNACCEPTABLE answers: IPO charts, flow charts, data flow diagrams etc, because the question asks about the design of the site.

Question 7

Answer either Part A or Part B

2 marks. 10 lines of writing!

In 2001, the average was 2 lines of writing per mark: this is up to 5 lines per mark!
The examiners certainly have shown that they want more detailed from students!

Part A: Explain what test data is and why it is essential to create test data to enter into a database or spreadsheet solution.

OR

Part B: Explain why it is essential for written documents to have their message tested, and how this can be achieved.

Remember, you only answer ONE of the options!

If you chose Part A:

Test data is data that is deliberately created to fully test a solution with normal, abnormal and faulty data. Test data is deliberately difficult for a solution to process: it often includes "boundary condition" data that tests whether the solution is behaving properly with values that are on the border between one state and another. e.g. if you created a spreadsheet formula to determine whether a person's birthdate made them 18 years old, you would want to include test data that included "boundary condition" data such as "one day short of 18", "18 exactly" and "one day past 18" and test if the solution handled the "tricky situations" accurately or not.

The other reason to use test data rather than real data is to avoid the chance of destroying the real and valuable data with a solution that is not yet working properly.

If you chose Part B:

The main point of testing written documents is that their message is conveyed accurately and efficiently to the intended type of reader. If the information is not conveyed properly (e.g. it is misleading, ambiguous or confusing), the entire purpose of the document has failed.

The message can be tested by giving it to people, who are typical of the intended audience, to read, and then questioning them about their understanding of the meaning of the document. If they give incomplete, wrong or confused answers (e.g. prior interviews established he was unmarried, but he said on a form that he was "separated"), it may indicate the document needs extra work to make its information or questions clearer. Further testing subjects may include those "difficult cases" with poor language skills. If they understand the document well, its message is probably clearly written.

Saying that testing can be achieved by proofreading is not enough.

Hmmm. I wonder if the "message" of Exam Question 13C, box 4 was tested rigorously enough?

Question 8

4 marks. 28 lines of writing! (Seven lines per mark!!)

Funky Mobile Phones is developing its own web site. Shown below is their homepage which is being tested with staff. The developer has received several negative comments from staff about the appropriateness of the conventions used.

Colours: All text will be blue and the background of each page will be red.

Recommend how a web designer could correct any 4 generally accepted web conventions not followed by Funky Mobile Phones.

1. Make the font faces consistent, especially down the left hand side..
2. Remove the irrelevant picture of the horse.
3. Change the text/background colours so a combination that is easier to read.
4. Make sure all text links are underlined (single underline, not double)

Reduce the number of typefaces used.

Make the links in the nav bar consistent.

Make images relevant to the company (e.g. remove the horse)

Add the date of page creation and when the page was last modified.

Choose better contrasting colours for text and background.

Reduce the amount of text styling (e.g. bold, italic)

Use consistent font sizes.

Put the navigation bar in a consistent place.

Use serif or sans serif fonts consistently.

Links to privacy policy and/or disclaimer should be on home page.

Group related info together, and remove unnecessary spacing.

Ensure all images display (i.e. no broken links)

Remove blue text or underlined text that is not a link.

NOTE: "Put the navigation bar at the top/left/bottom" is not a convention.

Question 9

5 parts: 1+2+2+2+2 = 9 marks. 1+2+3+4+4 lines of writing

A national chain of petrol stations offers a range of supermarket products. When a customer buys an item, the attendant scans the barcode on the item and gives the customer a receipt. The data from the register is sent to a server at the company's headquarters where the data is processed. A daily sales report is given to the local store manager (Tyson), and a monthly summarised report is given to the Victorian Manager, Tina.

a) The reports were produced by a management information system. Identify the type of information system used by the attendant. (1 mark)

Transaction Processing System, or
TPS or
A data processing system.

Note the clue you were given at the beginning of the question - it helps you interpret the type of answer required. I wish Q6 had such a clue.

b) What types of decisions (operational, strategic, tactical) will Tyson and Tina make based on the information provided to them? (2 marks)

Note the word "national", so Tina is a tactical middle manager of a state.

Tyson - Operational (deals with day-to-day management)

Tina - Tactical (middle management - she is a state manager in a national chain)

c) State another type of information system that could be used by the headquarters and given an example of how it might be used. (2 marks)

Information System - A decision support system

Example - They could model the company's sales and expenses with a spreadsheet and alter values (e.g. staff wage increases, profit percentages) to see the effects on overall costs and profits.

e.g. could use it to predict next month's sales of cold drinks based on current demand and weather forecasts. It would assist in ordering stock.
Could determine staffing levels at different times of day based on transaction records.

You could also have mentioned an executive information system (to do high-level management) or even an expert system, but that would be harder to justify in such an organisation.

OTHER POSSIBILITIES:
Information system - Stock control system (to monitor levels of stock and automatically trigger reorders)

Office Automation system - to send emails to all stores from head office.

Payroll system - to generate payroll figures for employess.

Management information system - to identify and diagnose causes for stores performing well or badly.

d) The CEO would like to compare the sales of each outlet. What is the best method of presenting the information and how often should it be produced? (2 marks)

Graphs (charts) would be the form of presentation that would be easiest to interpret and identify trends, though they are not as accurate as raw figures.

The info could be presented in a table to allow easy comparison of figures.

If the information were produced monthly, the CEO would get a good idea of how the outlets were performing over time, which would help long-term planning. The local store manager would probably benefit more from weekly detailed numeric data because he needs to act more immediately based on the information received.

Info could also be delivered weekly or quarterly. ("Annually" alone is unacceptable)

NOTE: No other formats or time periods would be appropriate for the CEO.

e) The organisation investigated two options for sending the data to headquarters - using a dial-up modem or using a Wide Area Network. Explain why a WAN was chosen. (2 marks)

A modem would have to continuously connected if data from each sale were sent at the time of sale - this would tend to be unreliable, considering the way modem connections frequently drop out.

A LAN would offer much faster data transfer, it would be more reliable, and would allow many other networking benefits such as a reliable intranet, email and web services.

WAN is more secure than dial-up connections.

Modem would tie up a phone line.

Modem might not always connect if the ISP is too busy.

WAN allows for future expansion when business traffic increases.

WAN can be centrally managed. More efficient than many modem setups.

Question 10

4 parts: 1+1+1+1 marks. 2+1+1+3 lines of writing

Editorial: This was just a bad question. VCAA does not seem to have much luck with PERT/Gantt questions. I found the predecessor logic unrealistic, and the chart deliberately or accidentally left off one task. Not happy, Jan!

The diagrams below identify the tasks to be completed when installing a computer pod at a secondary college.

a) Define the term predecessor.

A predecessor is a task that must be completed before the current task can begin.

b) Identify one task that can be done at the same time as task 3.

Task 4 (or Task 5, but it would not be finished by the time task 3 finished), and even Task 6.

28/5/2004 - I just noticed that task 6 would be finished before tasks 3, 4 and 5. It is not dependent on removing the furniture.

The examiners say: Tasks 4, 5 OR 6.

c. Calculate the number of days in the critical path.

For some reason, task 1 is missing on the exam, and this is where the answer becomes difficult.

Logically, one would notify staff of the room's closure before you empty the room of furniture, so task 1 would be a predecessor of task 2. The critical path would therefore be tasks 1,2,5,7,8. Add up their durations (1+1+3+1+1) so...

The critical path takes 7 days.

BUT according to the table, task 2 has no predecessors - that is, they would tell staff the room is closed with no warning. (In which case, why bother telling them at all?) In this case, remove task 1 or 2 from the critical path, so...

The critical path takes 6 days.

Technically, the answer must be 6 days because the table says task 2 has no predecessors. In reality, however, such situations only occur in Dilbert comic strips.

You would be safest to explain your answer, but if the examiners don't accept both answers if students justified them, I would be rather disappointed. The question is at fault (illogical predecessors, missing task in the chart): students would not be at fault.

Official answer: "Accept 6 or 7 days due to difference in PERT not showing all tasks"

d. Explain whether the project would still be finished on time if 'install power points' is delayed by 2 days.

Luckily, you can still get this right regardless of your answer to 10C.

This would change the critical path to tasks (1),2,3,7,8 which now takes (1+)1+4+1+1 days, so...

The project would finish one day later.

No, the project can't finish on time since there is only 1 slack day when installing the power points. They project would take one more day.

Question 11

4 marks. 15 lines of writing!

A company uses a login name and password strategy to secure its information. The company wants to improve its level of security, so it is proposing a change to its strategy of authorising users. Recommend a different strategy of identifying users and explain two advantages and one disadvantage of the strategy chosen.

(Instead of "authorising", I think they should have said "authenticating". There is a significant difference.)

Strategy

Identifying users would be better performed by biometric identification such as fingerprint scanners or retinal or iris scanning. These scan a unique physical feature of users and compare the scanned data with the data stored about the genuine person. If the scan matches the genuine user's data, access is granted.

Advantage 1

Users would not have to remember and protect passwords: they would not lose or get "conned" into revealing a password. Also, passwords can be guessed. Less effort is needed of users: they only have to put a finger on a pad or put an eye to an eyepiece. It involves no typing, so access would probably be faster.

Advantage 2

Biometric identification actually identifies that people are who they claim to be - passwords only prove that someone knows the password. Biometic ID is also more reliable, as legitimate users cannot get locked out because they forget to bring their finger or eye!

Disadvantage 1

Biometric equipment is another expense to be borne by the company. Having biometric scanners on each PC would add up to quite a large expense.

(BTW - if you said retinal scanning was a disadvantage because villains could cut out your eye and show it to the scanner - bad luck! The real scan was done with a living eye, with blood in the retina's blood vessels. A removed eye would not have the same look as the living eye.)

Security cameras, encryption or audit trails were not acceptable answers.

Students could discuss fingerprint, iris, facial, voice recognition or Swipe card/smart card.

Question 12

3+4=7 marks. 17+26=43 lines of writing!

A secondary college has recently upgraded their information system. The new system has the potential to allow students, parents and staff to access the school network from home.

a) The President of the school council has suggested that student progress reports be made available online only and be produced twice a term instead of once a term. Discuss the implications of this proposal for staff at the college.

Staff would have the extra pressure of getting all work corrected more frequently.
They would have doubled reporting workload, assuming the new system takes as much time and effort as the existing reporting system.
Stress levels in staff could rise considerably.
Staff who are not computer-literate would have to learn about computer operations, and how to use the system, and they would probably be very slow because they might not be touch typists. This could lead to self-esteem issues, stress, resentment and lost personal time.
Staff could feel better about themselves as professionals if they provided better reporting to parents and students.
Some staff would probably experience changes to their roles, as they would be needed to train other staff in how to use the new system.
Some staff might welcome the "online-only" reporting system if they are freed from a painful existing manual reporting system.

-ergonomics
-occupational health and safety

b) The Student Representative Council has requested that the new system allow students and parents to access school files, assignments and homework outside school hours. Discuss this proposal for each user group identified.

Students -

- would be easily able to catch up with work missed through absence. Sick or injured kids would not need to go to school just to collect worksheets or resources.

- who have lost handouts could get replacement copies at any time.

- could perhaps "work ahead" and get future work begun before it's due.

- could not get away with pretending not to have any homework

- privacy concerns?

Parents -

- could see what homework their children had to do (No more, "But I've GOT no homework, mum - honest!")

- could help their children with their homework even if they were away from home (e.g. on a business trip, or not living with their children)

- could monitor the quantity and quality of homework assigned by teachers

- could have fun by doing the homework sheets themselves for the fun of it

(OK. So sue me. I can't think of anything else!)

Question 13

1+2+1+2+2=8 marks. 3+4+4+5+5+4+4 lines of writing, plus one tickbox

An organisation sells tickets by telephone for various theatres around Melbourne. Currently, all ticket sales are made by telephone sales assistants and are recorded manually on an order form. The order form is then passed to the postal clerk who mails the tickets out to customers. As calls are received, the telephone sales assistants walk to a diagram of the particular theatre to check which seats are available. They then colour in the seats sold. Management is keen to provide a faster service. They have employed a consultant who has recommended the installation of a local area network.

a. Describe one problem that the telephone sales assistants may experience with the current procedures.

If two customers simultaneously ordered seats at the same concert, two phone assistants could find themselves fighting over the same seats on the diagram.

If an order were cancelled, erasing the coloured-in seats would be messy and difficult.

Having to get up and down from their desks continuously would be inconvenient - and they would quite likely have to shuttle backwards and forwards between the diagram to the phone during the sale as they explain what seats are available.

b) The consultant has recommended that user documentation be provided only in electronic format. Explain one advantage and one disadvantage of this recommendation.

Advantage

It would be easy to update; easy and cheap to copy and distribute; it could include colour cheaply; it could use hyperlinks between topics.

Disadvantage

Some people do not easily absorb information from screens - they work better from printed text.
Users would need a computer to read the documentation (making it less convenient to read at any time, such as on the train or in bed).
It's hard to jot down notes or underline important information on a monitor screen.
You can't put in a bookmark to show where you were up to in your reading.
It can be harder to make sure you have read everything if there are many separate files containing information.

c. Tick the right box - what is the best method of evaluating the speed of the new system?

record the number of sales made per day

The other options were:

- record the number of customer complaints [complaints about what? reliability? speed? sticky seats?]
- record equipment breakdowns per day [measures reliability, not speed]
- complete a staff satisfaction form [staff opinions are not a reliable empirical measure]
- record server start-up times per day [see discussion that follows]

Some students have queried my answer. Here's how I see it. Assuming the system is working to capacity, the number of sales per day would be greater if the system were faster. Obviously, if no-one books a ticket all day, the system speed would be zero. None of the options is a good empirical measure of speed.

Option 4, "record server start-up times per day" is ambiguous, I reckon. The other "per day" options mean a count for each day of breakdowns or sales. So option 4 should mean "How many times did the server start up each day" (indicating it had crashed?)

I found the wording ambiguous and inconsistent with the other options. The other obvious point is that LAN servers are rarely turned off each night, thereby requiring a daily startup!

Even if option 4 meant "record how long the server took to start up each day", startup times would not be a good indicator of the speed of the TPS system. My old TRS-80 started up in 1 second in 1978, but I doubt that would be a reliable indicator of how fast it ran software.

I'm not trying to say sales per day is a good measure of system speed, because it's not. It's just better than the other bad options, and ya gotta pick one!

d) Management has proposed a two-hour evening training session entitled "Introduction to Computers" to be run at the local TAFE. this is the only formal training being offered to staff. Discuss two weaknesses of this training strategy.

Take your pick...

- the course may be irrelevant and boring to experienced computer users
- it does not seem to discuss the use of the new system, just how to use computers
- it's at night, meaning staff either have to give up personal time or get paid overtime
- it's not at their workplace, which might be inconvenient to some people
- all staff, regardless of their roles, have the same training.
- lectures may produce poor results for people who learn best from active involvement or demonstrations
- two hours? You'd be lucky to have a single conscious employee at the end of it
- they never get to actually use the system themselves

- staff are not training on their own computers
- the trainer may not be good at teaching

e. Recommend a more suitable training strategy. Justify your choice.

Strategy -

Each user would get training according to their role in using the system. If there were few people involved, personal one-on-one or small group practical training would be most effective. If there were many people to be trained on the same simple topic, they could use trainer-trainee where a small group of competent people would be trained and they in turn trained their colleagues. All training would be best carried out in their real workplace.

Justification -

Lectures typically result in 5% information retention after a week. Practical exercises with the real system in their real workplace would be much more comfortable, relevant and interesting, and users who had trouble would receive personalised attention from the tutor. By training each person in the skills they require to carry out their role (e.g. phone assistant, manager), they are not subjected to irrelevant and confusing information and can concentrate on what matters to them. By separating ignorant and experienced computer users, you can target your instruction to each group and build the skills of the ignorant workers, but not bore the experts.

Consider these factors: What is taught? When does training happen? What other support is given (e.g. phone/email/in-house)? What skill level should the training start with? What form will training take? (train the trainer, in-house, external, group, online?)

Question 14

4 marks. 18 lines of writing

E-Chemist is a new Australian company that offers customers discount price medicines online, without the need for a prescription. The web site allows the user to enter symptoms and then it suggests medications which might be suitable. The customer can place different items in a shopping basket and pay for their order by providing credit card details and a membership number.

Identify and discuss two different social issues arising from the use of this web site.

(Wow, where do you start? Whichever issues you choose, you would need to explain them)

- customers could access dangerous drugs with no medical reason
- it is illegal to provide many drugs without a prescription
- children could be exposed to dangerous drugs without anyone's knowledge
- euthanasia could be carried out without regard to relevant laws
- drugs could be obtained for illegal or immoral purposes (e.g. murder, date rape, "party pranks")
- people who need close medical supervision could obtain wrong medicines that could be harmful or fatal
- families and societies would be greatly damaged by self-diagnosing drug users and abusers
- the medical system and social services would be strained by the number of illnesses, overdoses, and family traumas resulting from free drug dispensing
- people with mental illness could be made worse by using incorrect drugs

Privacy
Dangers of self-diagnosis
Privacy (how is credit card or medical information used?)
Depersonalisation of services, devaluing the role of doctors
Access to restricted drugs
Crime and its social effects
Increased use of antibiotics leads to immunity

Question 15

6 marks. 48 lines of writing!

A small accounting firm specialises in completing taxation returns for small businesses. The files are therefore confidential and critical to meeting the demands of the GST. Once a month the office manager creates a tape backup of the network drive. The tape is stored on the owner's desk. The firm has decided to develop a disaster recovery plan. Explain three potential threats that will need to be addressed. Recommend an appropriate strategy for each threat identified.

My suggestions are in point form because it's late and I'm tired: you would need to explain them in more detail.

Two threats can have the same strategy to halt them.
Do not allow repetition of threats. (e.g. fire, flood, storm are all "natural disasters")
Three different threats need to be explained.

Threat - backup is not frequent enough
Strategy - backup daily - weekly full backups and incremental daily backups

Threat - the tape is stored on the owner's desk
Strategy - the tape should taken to a secure place off-site each night (e.g. a fireproof safe in the owner's home)

Threat - the data can be read if the backup tape is stolen
Strategy - the backup data can be encrypted

Threat - staff could access unauthorised data on the server
Strategy - use password protection to limit staff to data they require for their work, and use network audit trails to record who requests what data

Threat - there is no organised, long-term backup plan
Strategy - use a backup scheme such as Grandfather-Father-Son to ensure data can be recovered from any distant point in time.

Threat - fire damage to equipment and data
Strategy - fire-fighting equipment onsite

Threat - sensitive data could be stored on vulnerable workstations
Strategy - all data should be saved to the file server which should be stored in a physically secure room, and protected by air-conditioning, uninterruptible power supply, floppy disk drive lock, RAID, bars, security cameras, guards, dogs, falling elephant traps...

Sorry. I'm more tired than I thought.