ICT WJEC A2 - TOPIC 5: ICT SECURITY POLICIES

This topic was a bit confusing to put into simple learnable notes... so I've put previous exam questions and answers (which should gain you the marks). The questions will be spread across the whole topic, so all the content will be covered... :)

  • Created by: maya_x
  • Created on: 30-05-17 15:47

SECURITY POLICY (1)

A local doctor's practice uses a network to manage patient records, appointments and all its financial functions. The practice manager is worried about the confidentiality of the patient records.

(a) Explain why the practice should have a security policy and give two examples of what this should contain, other than user accounts and logs. (4 marks)

- The Data Protection Act gives the practice a responsibility to keep this information secure because of its potential for misuse. (2)

- (what should the security policy contain?) (2)

  • rules on passwords and user IDs
  • access rights
  • firewalls
  • virus checkers
  • encryption
  • backup and restoration strategies
  • disciplinary procedures

(b) Describe the use of user accounts and logs as a way of ensuring the confidentiality of patient records. (3 marks)

Auditing keeps a record of who has done what on a network.

Auditing keeps records of: (any three of the below points with a brief explanation)

  • usernames
  • the times the individual logged on and off (who, what, when)
  • details of the programs they used
  • details of files accessed
  • details of changes made
  • details of 'from which machine'

SECURITY POLICY (2)

A large company has branches all over the UK and uses ICT systems to manage customer records and all its financial dealings. The company's Data Officer has written a security policy to protect the data held by the company.

(a) Describe the use of user accounts and logs as a way of ensuring the confidentiality of customer records. (2 marks) - covered in the previous question

(b) Explain two other factors which the company should take into account when designing its security policy. (4 marks)

Any 2 of the following [there are more points but these are the ones that are easy to remember]

  • physical security (protecting hardware and software physically rather than using ICT-based security measures... this may include locks or biometric methods)
  • prevention of misuse using logical methods (user IDs, passwords, levels of access)
  • continuous investigation of irregularities (query any transactions made that are out of the ordinary)
  • operational procedures (disaster recovery planning, backup, updating antivirus)

SECURITY POLICY (3)

Describe the factors an organisation needs to consider when producing a risk analysis. (4 marks)

  • identify potential threats - hacking / viruses / natural damage / systems failure...
  • what is the likelihood of the risk occurring - some things, such as power cuts, are inevitable, but explosions are much less likely. Senior managers need to assess the likelihood of each risk and then put security measures in place accordingly...
  • short and long term consequences of the threat - cost of replacing the equipment / embarrassment / financial loss due to the procedure of getting the business running again...
  • how well equipped the health authority is to deal with the threat - disaster recovery plan / backups...
  • how much money the health authority has

[Only 2 points need to be made... and then explained - best to do this via an example]

Identify a problem that could arise if steps are not taken to minimise the risk, discuss its possible impact and describe in detail a suitable strategy to overcome it. (4 marks)

eg.

Staff could be unaware of who is in the building. This is extremely dangerous: if there were a fire, they would not know whether anyone was still in the building (whether anyone was at risk).

Strategy: have a paper-based backup system off site, which could hold staff emergency details...

(problem... expand on it IN THE CONTEXT OF IMPACT... strategy... EXPAND IN CONTEXT)


SECURITY POLICY (4)

Due in part to potential threats to data, most organisations have now created ICT security policies. Discuss in detail four distinctly different types of potential threats to data. For each type of threat, describe a possible distinctly different consequence of the destruction of the data. (12 marks)

  • THREATS (each with its corresponding EXAMPLE):
    - terrorism: cyber attacks to slow down or prevent online services
    - criminal vandalism (sabotage): deliberate destruction of the physical data
    - theft by hacker (or employee): hacking into the company to steal private details
    - natural disasters: floods (earthquakes / tsunamis...)
    - accidental altering of data: overwriting files (accidentally deleting files)
    - theft of data: stealing storage media containing data
    - fire: electrical fire in the building
  • CONSEQUENCES: loss of reputation / loss of business and income / legal actions / costs of recovering the data...

[Each threat is listed with its corresponding example]

Discuss four methods which could be used to prevent the deliberate destruction or misuse of data (8 marks)

[any four of the following points DISCUSSED IN APPROPRIATE DETAIL]

  • methods of controlling access to computer rooms
  • methods of securing integrity of transmitted data
  • methods of including private and public keys
  • call back procedures for remote access
  • establish firewalls
  • use virus scanners
  • proxy servers
  • password systems
  • methods for physical protection of hardware and software
  • security of document filing systems

(I've highlighted the points which I think will be easier to remember and explain)


SECURITY POLICY (5)

A large travel agency has concerns about losing data. They are reviewing their disaster recovery procedures. Explain, with reasons, four factors which should be included in a disaster recovery plan. (8 marks)

  • COST: 1) set up a budget for it... 2) what backup medium should be used? (depends on the amount of money available to recover the data)
  • RISK: 1) what problems could occur?... 2) likelihood of the problems occurring... (eg. a major earthquake in the UK isn't extremely likely)
  • DATA: 1) no business can afford to lose its data... 2) backups of all data should be made regularly (so that if something were to happen, they would have an up-to-date copy of the data)
  • HARDWARE / SOFTWARE COMMUNICATIONS: 1) loss of computing equipment... 2) alternate methods / equipment
  • PERSONNEL, RESPONSIBILITIES & TRAINING: 1) loss of maintenance or support... 2) screening for potential employees
  • PROCEDURES: 1) for minimising risk...2) establish disaster recovery programme

(make 2 points about each factor) x4


SECURITY POLICY (6)

Discuss four possible operational procedures for preventing misuse of data. Use distinct examples to illustrate your procedures. (8 marks)

  • SCREENING POTENTIAL EMPLOYEES- fit employee to the task
  • ROUTINES FOR DISTRIBUTING UPDATED VIRUS INFORMATION AND VIRUS SCANNING PROCEDURES- establish firewalls
  • DEFINE PROCEDURES FOR DOWNLOADING FROM THE INTERNET, USE OF REMOVABLE MEDIA, PERSONAL BACKUP PROCEDURES- staff codes of conduct
  • ESTABLISH A DISASTER RECOVERY PROGRAMME- who will do what task and when
  • SET UP AUDITING PROCEDURES TO DETECT MISUSE- query any transactions out of the ordinary
  • LOG ON PROCEDURES/ IDs AND PASSWORDS- change regularly, don't write them down
  • ESTABLISH PROCEDURES FOR TRAINING STAFF