A2 ICT - Topic 5: Security Policies

  • Created by: Dan 8888
  • Created on: 05-03-16 10:39

Threats, Consequences and Backup Procedures

Where do the Threats come from?

- Viruses, worms, adware, spam, sabotage, fire, natural disasters, terrorism, trojans, spyware, hacking, accidental abuse by staff, theft and faulty hardware or software

Threats from Natural Disasters

Earthquakes -> Loss of power, communication lines, damage to ICT systems

Tidal waves -> Cause further damage after earthquakes

Lightning strikes -> Cause short periods of power loss, which can lead to the loss of data and also of hardware and software

Volcanoes -> Fire and smoke destroy buildings

Floods -> Water damage to hardware, software and data and loss of power or communication lines

Gales -> Loss of power lines, destruction of communication equipment, etc.


Threats, Consequences and BP Continued...

Threats from Faulty Hardware or Software

Faulty hardware - Breaks down; the main problem would be caused by the hard drive becoming damaged, which would render the data and the programs unusable

Faulty software - Can contain errors which can lead to damaged data or a loss of data

Threats from Fire

- Precautions need to be taken; no smoking, wire checks, empty bins regularly, have fire alarms in all rooms, install a sprinkler system etc.

Computer or Hardware Theft

- Common, especially with laptops -> They are small and light, often used in public places, put into car boots and they are very desirable and easy to sell

Hacking - Attempting to break, or actually breaking, into a secure computer system; once hackers have gained access they can do nothing, obtain personal data, use it to commit blackmail, cause damage to data or deliberately change data to carry out fraud

Spread of viruses and denial of service attacks - Latest software should be installed to prevent viruses from occurring; a denial of service attack is an attack on a secure system of an organisation so that the organisation is deprived of some of its resources


Threats, Consequences and BP Continued...

Problems with Power

Power loss - Standby power system (sometimes referred to as an Uninterruptible Power Supply) will maintain power and keep the computers running until the mains power is restored -> Stored power (banks of batteries), or both that and a generator (powered by diesel or petrol)

Changes in the power supply - Power fluctuations happen more frequently than total power loss and they can cause issues with computers and lead to data loss

Consequences of losing data - Loss of business and income, loss of reputation and legal action


Factors when Designing Security Policies

Physical Security

- Protecting hardware and software using physical methods -> Restrict access to the computer equipment and the storage medium

Prevention of Misuse

Physical methods - Controlling access to the room via keypads or use of magnetic cards and biometric methods -> Controlling access to the building via uniformed security guards -> Locks on computers -> Locking computers away at night -> Security cameras in computer rooms -> Securing computers to desks using strong metal cables -> Use of devices to stop removable media from being inserted -> Fireproof safe

Software security - Usernames and passwords -> Levels of access

Audit trails for detection - Possible to track all the details of a particular transaction and they act as a deterrent -> They keep records of who has made changes to data, when it was changed and what changes were made


Factors when Designing Security Policies Continued

Continuous Investigation of Irregularities

Irregularities in places - Credit card payments for large amounts abroad are rejected by the credit card company (the company requests the purchaser to contact them so they can ask a series of questions to verify that they are the card holder and that the transaction is genuine)

Irregularities in amounts - May seem strange if a person has a high value transaction when they have never made one before -> Bank will request the customer to contact them to ensure that the transaction is genuine

System Access - Establishing Procedures for Accessing data such as Login Procedures, Firewalls

System access controls -> Access to ICT systems containing data, programs and information is controlled (only authorised access is allowed)

Log-in procedures -> Username is a name or number used to identify a user of a network and once this is known the network can assign resources -> Passwords are strings of characters kept secret by the user and they are used to gain access to the ICT system


Factors when Designing Security Policies Continued

Access rights -> Restrict a user's access to specific files which they need and these are normally issued by the network manager

Levels of access to files -> READ ONLY where a user can only read the contents of the file, READ/WRITE where a user can read and edit the data, APPEND where they can add new records but not edit or delete the current ones and NO ACCESS where you cannot do anything to the file at all

Firewalls -> Can be either hardware, software or both, which work to prohibit communication which is forbidden from one network to another -> Manages data traffic between two networks and analyses each packet of data to ensure that there is nothing malicious -> Manages outside resources users have access to -> Norton Personal Firewall protects computer from unauthorised access


Factors when Designing Security Policies Continued

Personnel Administration

Training -> Staff are less likely to disobey code of conduct, make mistakes with data, lose work, etc.

Fitting the employee to the task -> Knowledge and skills match task

Ensuring that staff are controlled -> Staff are working safely and are ensuring the privacy and security of the data they are using

Operational Procedures Including Disaster Recovery Planning and Dealing with Threats from Viruses

Examples -> Code of practice which outlines the dos and don'ts, rotation of staff duties used to prevent fraud, access to operational data and programs prevents fraud, procedures which deal with disaster recovery and procedures which prevent the likelihood of a virus attack


Factors when Designing Security Policies Continued

Staff Code of Conduct and Responsibilities

- Lays out what the staff can do and what they can't do using the ICT facilities

Disciplinary Procedures

- Training needs to be put in place to make sure that every member of staff is aware of the problems which misuse leads to and the consequences which would follow


Operational Procedures for Preventing Misuse

Screening Potential Employees

- Choosing staff cautiously can prevent issues in the future

- Checking references and thoroughly screening staff working in ICT is vital

Routines for Distributing Updated Virus Information and Virus Scanning Procedures

Viruses -> Very malicious programs which replicate themselves automatically and usually carry a payload which causes the damage -> Viruses can flag up annoying messages on the screen, delete programs/data or use up all of the resources, slowing down the computer -> Not always clear what new viruses will do to an ICT system because there are so many, and the problems created by viruses are often time-consuming to solve -> Virus checker is a program which can detect and delete viruses; however, a virus checker needs to be updated on a regular basis because new viruses are created so frequently

How viruses can be distributed -> External e-mail, internal e-mail, a company's intranet, shared disks, banner advertisements, downloads

How to prevent viruses -> Install virus checking software and keep it up-to-date on a regular basis, don't open e-mails from unknown sources, clear acceptable use policy, training of staff to be conscious of problems, don't allow program downloads, don't open file attachments on e-mails unless they are from a trusted source, avoid use of own removable media


OP for Preventing Misuse Continued...

Virus scanning procedures -> Frequency of virus scanning, times of virus scanning, how portable media should be scanned before it is used, how virus scanning software is updated

Define Procedures for Downloading from the Internet, Use of Portable Storage Media, Personal Backup Procedures

Procedures for downloading files from the Internet: Choose the option to 'Save this program to disk', which will save it to a temporary folder away from the main network, then run and scan it and, if there are no issues, save it to the main system; don't install software downloaded off the Internet onto your computer or company networks because it may contain viruses and it may be illegal; be conscious of how much space you are using because you could overload your computer

Procedures for backing up data: Types of storage media allowed, how often backups are undertaken, where they are kept, portable media, transfer of personal information


OP for Preventing Misuse Continued...

Establish Security Rights for Updating Webpages

- Need security so that only authorised staff can make changes (user-IDs and passwords)

Establish a Disaster Recovery Programme

- Series of steps which would be carried out if some or all of the facilities are lost

- Aim of DRP is to try and reduce the loss of business to a bare minimum and to be able to restore things to normal

Set up Auditing Procedures (Audit Trails) to Detect Misuse

- Computer software keeps a log of changes made and who by (detect any fraudulent activity and who by)


Prevention of Accidental Misuse

Backup and Recovery Procedures

Importance -> Backup means keeping copies of software and data so that the data can be recovered if there is a total loss of the ICT system -> Data is extremely valuable

Backup procedures -> Create copies of data and programs so that lost data and programs can be recreated; backup procedures are the actions a person/business undertakes to make sure that regular backup copies are created -> Regularly and off-site (because if you don't, the backups could be lost if the buildings are destroyed e.g. 9/11) -> Use removable storage media e.g. pen/flash drives

Keeping backup copies in a fireproof safe -> Protect backup copies from theft and damage caused by small fires (2 hours = fire proof)

Procedures for backup -> Use different tape/disk everyday and rotate them, give one person the responsibility, keep them safe and offsite and rehearse backup recovery procedures

On-line backup services -> Pay for it and amount depends on how much data you use, once you make it clear what data you want backing up the system does it automatically, stored offsite and data is encrypted and person who owns it is the only person who can gain access to it -> Disadvantage is that you are trusting another organisation (possible shut down)

Scheduling backups -> Backups can be done automatically or manually; do them whilst the computer isn't being used (backups slow it down)


Prevention of Accidental Misuse Continued...

Backup Storage Devices and Media

- Choice depends on storage capacity required, portability, speed of data transfer, speed of access and the ability to be connected to different computers or other devices e.g. printers

Magnetic tape -> Cheap and has high storage capacity, removable media

Magnetic disk -> Takes contents of one and copies it onto another

Optical media -> CD-R, CD-RW, DVD-RW, etc. -> Transfer rate is low which means backups take longer

Pen/flash drives -> Small and portable and are good for backing up small amounts of data but they can be easily lost or stolen


Prevention of Accidental Misuse Continued...

RAID Systems - Mirror Discs (Redundant Array of Inexpensive Discs)

- Series of magnetic disks where data is stored

- System will automatically take control if original data is damaged or destroyed

Clustering

- File servers and storage devices are networked together to eradicate the reliance on one file server and one storage device

Grandfather, father, son system -> Can recreate master file if it is lost -> Three generations of file are kept; oldest is grandfather and this is kept with its transaction file which is then utilised to create a new master file called the father file and this also has its transaction file which is then again used to make the son file -> Usually used for tapes but can be used for disks

Backing up program files -> Software producers will allow programs to be downloaded again if they are lost or damaged -> Lots of businesses develop their own software or customise current programs so that they can work better for them (backed up originally and whenever changes are made)


Prevention of Deliberate Crimes/Misuse

Methods for Controlling Access to Computer Rooms

Access restrictions -> Use of keypads, hardware such as biometric testing (nothing to remember), can be used to monitor time at workstations

Methods of Securing Integrity of Transmitted Data

Encryption -> Scrambles data up so that it makes no sense to interceptors; a feature of modern operating systems, where the data stored on the hard drive is automatically encrypted

Process of encryption -> e.g. Someone wants to send a secure e-mail to someone else in a different location, so they click on the 'encrypt' option in the mailer software -> The software then checks with them who they want to send it to, and the receiver has a public key which is used by the software to scramble the message up -> The other person (who has a private key) then needs to click on the decrypt option and type in a password


Prevention of Deliberate Crimes/Misuse Continued..

Proxy Servers

- They are servers, which can be either software or hardware, that take requests from users for access to other servers and then either allow or deny that access

- They can be used to limit or block access to specific URLs or web services e.g. chat rooms

- Used by schools and many organisations

Methods to Define Security Status and Access Rights for Users

- Hierarchy of passwords

- Allocation of network resources based on user-IDs and passwords

- Allocation of access rights to users based on job or seniority


Prevention of Deliberate Crimes/Misuse Continued..

Methods for Physical Protection of Hardware and Software

- Restricted access to computer rooms, keyboard locks, locks to computers which use biometric techniques, attaching cables to computers, locks on drives, firewalls and computers actually being locked away at the end of each day, original copies of software stored in a fireproof safe and regular backups of software stored in a fireproof safe or off-site

Security of Document Filing Systems

- Users must protect the documents stored on their laptops

- Important that printouts or reports are locked away and shredded before being put in the wastepaper basket


Risk and Management: Costs and Control

Risk Analysis

- Makes everybody conscious of the security threats to hardware, software and data

- Everybody in the organisation needs to know about the consequences of a loss for a short or sustained time e.g. immediate financial loss and long term loss of customers due to a lack of confidence

- Need to consider placing a value on each of the components of a successful information system including hardware, software, documentation, people, communications channels and data

- Need to consider identifying the risks to the components in the point above and the probability that they will occur

- Consequences of system loss include cashflow problems, bad business decisions, loss of goodwill, production delays, late deliveries, stock shortage or overstocking

Identify potential risks -> Viruses, fire, natural damage, hacking, systems failure, fraud, power failure, sabotage, theft, blackmail, espionage, terrorist bomb attacks, chemical spillage, gas leaks, vandalism, spilling a drink, failure of telecommunication links, data cable issues, malfunctioning hubs and routers, software failure, bugs in software, hard drive damage/loss and strikes


Risk Management Continued...

Likelihood of Risk Occurring

- Every threat needs to be thought about

- Senior management have to decide probability of risks occurring and how they can be minimised at a fair price and what levels of risk are acceptable to the business

Short and Long Term Consequences of Threat

Short term -> Resources need to be directed towards recovering data, compensation has to be paid, financial loss, embarrassment (media), possible prosecution (DPA 1998)

Long term -> People do not want to deal with the business due to a loss of integrity, organisation going bankrupt, very expensive to replace hardware, software and data

How well is an organisation equipped to deal with the threat? -> Need to continuously consider how well they would cope with it if it were to occur

Disaster Recovery Programme -> Purpose is to make sure that essential resources and computer equipment are available if a disaster happened -> Usually covers total/partial loss of computing equipment, essential services e.g. electricity, key employees, maintenance or support services, data or software, telecommunications equipment or services and the premises


Key Words for Security Policies

Hacker - A person who tries to or succeeds in breaking into a secure computer system

Hacking - The process of trying to break into a secure computer system

UPS (Uninterruptible Power Supply) - A backup power supply (generator or battery) which will keep the computer running should the mains power supply fail

Password - A series of characters chosen by the user that are used to check the identity of the user when they require access to an ICT system

User-ID - A name or number that is used to identify a certain user of the network system

Firewall - A piece of software, hardware or both that is able to protect a network from hackers

Backup - Copies of software and data kept so that the data can be recovered should there be a total loss of the ICT system

Encryption - The process of coding files before they are sent over a network to protect them from hackers. Also the process of coding files stored on a computer so that if the computer is stolen, they cannot be read

Risk analysis - The process of assessing the likelihood of certain events happening and estimating the cost of the damage they could cause and what can be done at reasonable cost to eliminate or minimise the risk

Disaster Recovery Programme - A plan that restores ICT facilities in as short a time as possible in order to minimise the loss caused by the complete or partial loss of an organisation's ICT facilities

