OCR GCSE ICT B063 2017: ICT in context

  • Created by: L OKY
  • Created on: 02-05-17 14:46

Overview

Progress Delivery Company (PDC) is a parcel delivery company that collects and delivers parcels throughout the country. Its customers range from individuals to large companies. Customers can schedule parcel deliveries by booking through the PDC website. Once customers set up an account on the site, they can log on and enter the size, weight, contents, and delivery address for the delivery. The online system automatically calculates the shipping price. After the customer enters their payment details, a shipping label is generated which can be printed by the customer and attached to the parcel. During the online booking process, the customer can choose whether to have the parcel collected or whether they want to take it to a local drop-off point. For large commercial clients, PDC uses an EDI system so that they can send bulk parcel orders without having to enter individual parcel details. When the parcel is handed over, the label is scanned using a handheld device. The device then prints a receipt showing the details of the parcel and tracking number, and this is given to the customer

At each stage of the delivery, the parcel is scanned with a device and details of its current location, the date and time and the name of the person who scanned it are recorded. This could be in a shop, van, or a PDC warehouse. Information is sent wirelessly from the devices, either using 3G/4G services or Wi-Fi, and automatically entered into the PDC tracking system. Customers can view the delivery status of the parcel on the PDC website using the tracking number. Large commercial companies receive this through the EDI system. The recipient can use the website to change the delivery address of the parcel. Once the parcel is delivered, its tracking number is scanned again and the customer is asked to sign the screen of a handheld device as proof of delivery. This proof of delivery can also be viewed on the PDC website by the person who sent the parcel so that they can confirm that it has arrived safely

PDC's goals

PDC would like to develop a smartphone app to allow customers to send parcels and to view tracking information. PDC would also like the app to be able to display a live map showing the current location of the parcel and an estimated delivery time. The app will be developed using the systems lifecycle

PDC would also like to investigate the use of Near Field Communication (NFC) technologies in its warehouse to improve its parcel tracking and delivery services. They would have to decide whether or not the benefits are enough to offset the costs of setting up the system using NFC in the first place

Network infrastructure at PDC

The way that the computers and other network devices are physically connected is known as the network topology. There are three topologies:

  • Star topology (made of wires radiating out from a single point)
  • Bus topology (all the devices daisy-chained together)
  • Ring topology (all the devices connected in a ring)

Many companies choose a star topology using Ethernet cabling as this is the cheapest, easiest, most widely supported method which offers higher data transfer rates and has better fault tolerance compared to the other two methods. In a star topology, all of the devices are connected to a central switch. There will be shared resources and devices (for example the internet connection and printers), and all the data will be stored on a server, which is kept in a physically secure location. This configuration is known as server/client. All the data is stored in a single location which means that it can be accessed from anywhere in the network and backed up to keep it safe. PDC would want to install a firewall which, for a large company such as PDC, would be in the form of a hardware device positioned between the network and the Internet connection. Its job is to keep the network secure from unauthorised access and hacking

Network hardware 1

  • Modem: Short for modulator/demodulator. It converts the digital data used by computers into analogue signals, so that the data can be transmitted using a telephone line. It then converts the opposite way when data is sent back to the computer. This is needed to enable the computer to connect to the internet in a LAN. Modems still exist as standalone devices, but today their functionality is built into the routers themselves, removing the need for two separate devices
  • Router: Connects the internal infrastructure of a network to the wider internet. Routers read the IP addresses of the sender and the recipient contained within a packet of data, interpreting the destination of the data packet, and 'route' the packet to its intended target. A router is an essential component allowing multiple networked computers to send and receive data over a single internet connection
  • Switch: Found inside the LAN in star topology, it connects all of the devices together using Ethernet cable connections. Switches are able to keep a record of the identity of every device that is connected to them. This is useful as, without this record, data packets would flood all over the network and slow it down. Every network-capable device has a unique identity code known as a MAC address. When any data packets are transmitted, the IP and MAC addresses are stored in the data packet. Switches can read the MAC addresses of the sender and the recipient contained within a data packet and use this to know what to do with it

Network hardware 2

  • Hub: Visually identical to a switch, it is found at the centre of a star topology network. It offers wired connections to all the devices in the network. The difference between a hub and a switch is that a hub cannot read the IP or MAC addresses contained within data packets and merely amplifies the signals it receives to the devices connected to it
  • Network Interface Controller: Found in every device that connects to a network. NICs can provide both Ethernet and wireless connectivity, to both fixed and mobile devices. Although NICs do still exist as separate hardware devices, called 'cards', which are inserted into a motherboard's PCI slot, nowadays it is more common for the NIC to be built in to the motherboard during manufacture. Every NIC is assigned a unique MAC address that cannot be changed and an IP address that can change

Wi-Fi in PDC

Wireless-Fidelity is a wireless communication technology that allows devices to connect to a Local Area Network. It provides Wireless Access Points which send and receive signals from wireless devices, such as handheld scanners. The range of a WAP is around 25 metres, so several are installed to provide reliable coverage across the whole delivery depot to counter the short range as well as the issue of interference caused by walls and other objects which weaken the Wi-Fi signal. A WAP provides wireless connectivity to an existing LAN. It does not route traffic between networks. This is different to a wireless router, which does direct traffic between networks, usually the Internet on the WAN side, and your local area network on the LAN side

In PDC's network, each wireless access point would be wired back to a switch and in turn connected to the company's servers and other hardware devices on the network. There must be a wired LAN in place that provides the backbone for the WAP deployment. WAPs are usually deployed using Power over Ethernet. This works by using pairs of copper wire inside the data cable that are not used to carry data to carry power to the WAP. A big advantage is that the WAPs do not need to have separate power cables run to them and this saves on costs of deployment and allows the units to be deployed more flexibly within the building, as they don’t need to be positioned near a power socket. Special PoE switches are used that provide power as well as data connectivity to the Ethernet cables running to each WAP

Wi-Fi standards

Wi-Fi is an example of a wireless network protocol (Bluetooth is another). The IEEE (Institute of Electrical and Electronics Engineers) 802.11 standard defines such protocols worldwide. All networking standards are set by the 802 committee, which first met in February 1980. These standards mean that every manufacturer can make equipment that works with everyone else's. Since the introduction of Wi-Fi in 1997 there have been many updates and revisions. The main standards of Wi-Fi are 802.11b, 802.11a, 802.11g, 802.11n and 802.11ac. Each of these offers an improvement on the last and different features. 802.11n has the greatest range, 802.11ac has the greatest data transmission rate. Many items of Wi-Fi equipment are capable of connecting to more than one standard and it is important for PDC to get equipment that conforms to the latest standards in order to achieve the most efficient data throughput in its systems and also ensure compatibility with any legacy systems. A legacy system is an older system that might exist in some part of a company network infrastructure and is likely to use older communication technology

Handheld/barcode scanners

A barcode scanner (or barcode reader) can read printed barcodes and output the data contained in the barcode to a computer. This is commonly used for stock control as the codes can be read quickly and easily. Inside the scanner is a light source, lens, and light sensor which translates optical impulses into electrical ones. Most barcode scanners contain decoder circuitry which analyses the barcode data and translates the data into an electronic output that can be understood by a computer system. In order to provide flexibility of use, many barcode scanners are portable and able to connect to, and communicate with, a wireless network. This gives PDC workers who are scanning parcels a greater range of physical movement than they would have if the scanners were tethered to a wire

PDC tracks the movement of parcels through its systems using barcodes. Each barcode carries a unique number that identifies the parcel in a transaction between the sender and recipient. The barcode itself does not contain the sender or recipient's address (although these are also printed on the delivery label). Once a barcode is scanned, the computer systems at PDC can use the unique number to look up the details. Barcodes are a method of encoding data that can be read by an optical scanner. The wide and narrow lines are similar to dots and dashes of Morse code extended into a line to make them easier to read. In later designs of barcodes, there are bars of up to four different widths, and there are now so-called 3D barcodes which use a range of different shapes in a pattern

How barcodes work

Encoded within the data is a check digit that is calculated using a mathematical formula based on the other values in the code. All but the last of the numbers (which is the check digit) in the code are given a position, which is the number of digits counting backwards (e.g. in EAN-13, the first digit’s position is 12 and the second is 11. In EAN-8, the first is 7, second 6). The actual digit is then multiplied by a weighting to give a partial sum. The value of the weighting is decided by the digit’s position number. If the position is odd, the weight is 3. If it’s even, the weight is 1. All the partial sums are then added together to find a total. The difference between this and the next highest multiple of 10 gives the check digit. The resulting sequence can then be encoded into a barcode which can be read by a scanner. The scanner software calculates the check digit and compares it to the final number of the barcode scanned. If the scanner finds that the check digit in the barcode does not correspond to the check digit it has calculated itself from the other data in the barcode, then it assumes that it has wrongly scanned the barcode and gives an error message warning the user to scan the barcode again. There are several different standards of barcodes. The most common is the EAN-13 standard, which is used all over the world for marking retail products. There is also the EAN-8 standard, used on small packages

Wireless mobile telecommunications technology

3G is the third generation of wireless connection standard. It was commercially introduced in 2003 and was the standard data connection in the UK during its time, enabling average data transfer rates of approximately 5-6 Megabits per second. The introduction of 3G led to the possibility of mobile internet access, video calls and video streaming. It is still available in many areas of the UK

If PDC want to have a smartphone app to allow customers to send parcels and to view tracking information, then it would have to consider the data transfer rates that are available to a typical mobile customer. PDC would have to take account of 3G data transfer rates when designing a mobile phone app because anything requiring too much bandwidth would not download quickly enough and the customer might lose interest in placing an order or doing business with the company. To be able to display a live map, showing the current location of the parcel as well as an estimated time that the parcel will be delivered, the image of the map would have to be sufficiently simple to be able to be compressed to a small enough size to work on a 3G connection

4G is the fourth generation of wireless connection standard that has been commercially available since 2010. The data transfer rate of 4G varies depending on the service provider, but the average is 17 Mbps, almost three times faster than the 3G average. With continued development, 4G has the potential to provide even faster data transfer speeds than are available currently, therefore increased speeds over the coming years are inevitable. Although many modern mobile phones are designed to use 4G, there are three limitations on its use. The availability of 4G relies on the user signing up to a 4G tariff which may cost more, the mobile phone may not support 4G connection, and 4G coverage is not yet nationwide

Near Field Communication

Near Field Communication works using electromagnetic induction and can be used to read simple NFC tags. It is versatile and could be programmed for many purposes. To work effectively the reader and the tag must be at most 5cm apart. Once the data has been exchanged, it can be shared with computer systems, such as entering details of a package into a database. PDC staff already use portable electronic devices such as smartphones, and many recent models of mobile phone are NFC enabled. The company could adapt this existing technology for use in tracking packages through its systems. If scanning were to take place in a shop, for example, then PDC would develop an app that could be used by one of its agents on their own phone rather than providing specialist hardware to every shop who might take delivery of one of their parcels, saving them money

However, the cost of NFC tags to use on packaging is a lot more than just printing a barcode. There might be compatibility issues with other systems. Not everyone has an NFC-enabled smartphone so these might have to be issued at extra cost. NFC has a very short range compared to a barcode scanner so it might be difficult to scan larger packages. There might be additional costs of implementing the new system both in terms of updates to technology and the cost of training and keeping the system up and running

Electronic Data Interchange

EDI is an automatic method for allowing two companies to exchange business information. PDC could use this method for automatically transferring invoices, shipping notices and purchase orders to and from its commercial customers

In order to conduct business, PDC would have an electronic two-way communication with its customers. The customer requests a price for delivery of a parcel from PDC and the two parties agree a contract for the delivery of a parcel. The customer places an order with PDC for a parcel delivery, which PDC acknowledges before sending an advanced shipping notice to the customer. PDC organises the parcel delivery and includes an advice note. The parcel is delivered and the recipient electronically signs for the delivery. PDC and the customer can both check the delivery using the electronic tracking system. PDC sends an invoice to the customer for the delivery and the customer pays the invoice and sends a remittance advice note back to PDC

When EDI first started to be used, customers and suppliers just negotiated between themselves what data they would share in an EDI transaction and in what format. Gradually, common standards became adopted by certain companies who often traded with each other, such as in the automotive industry. Standards agreed in this way are known as de facto standards. Later, some professional bodies developed some standards that could be used by anyone, known as de jure standards

EDI standards

There are many different standards that could be used by PDC according to its customer preferences:

  • EDIFACT (Electronic Data Interchange for Administration, Commerce, and Transport) is the professional body which develops EDI rules for the United Nations. EDIFACT usually publishes a new set of EDI messages each year in a list of standards called a Dictionary
  • EAN (European Article Numbering) is an international standards body which developed the standards for barcodes as well as EDI systems. Some countries adapt their own EAN EDI standards for use within their own country. For example, the Tradacoms standard has been developed for use by the retail trade in the UK
  • ODETTE (Organisation for Data Exchange by Tele Transmission in Europe) is an organisation formed and used by the automotive industry. Originally, ODETTE developed its own unique standard of EDI messages, but it has now adopted subsets of EDIFACT standards
  • VDA (Verband der Automobilindustrie) is a German standard only used in the UK by the automotive supply industry
  • ANSI (American National Standards Institute) is an American standard. ANSI standard EDI messages are known as 'Transaction Sets'. This standard is rarely used in the UK
  • Company standards. Even though there are many widely accepted EDI standards, some companies continue to use their own variations of EDI that meet requirements specific to a particular industry. This means that PDC might still have to send similar messages in different formats depending on the preferred standard of different customers

If PDC has to transfer data to companies who use a different EDI standard to them, they would have to use translator software to change the format

Advantages and disadvantages of EDI

There are many advantages of using EDI over using traditional paper documents to communicate with its customers. These include:

  • Replacement or reduction of mail, fax, and email
  • Reduced staffing costs (less typing of paper invoices, for example)
  • Less chance of transcription errors when data in an order or invoice is typed into a computer system
  • Reduced postal costs and time saved waiting for postal deliveries
  • Increased processing speed of orders as it is automatic
  • Less chance of errors arising from transferring data from one form to another as there is no human intervention

Disadvantages include:

  • Not all companies use the same EDI standard, especially in different parts of the world
  • PDC might have to use additional software to encode or decode its EDI transmissions in order to match the EDI version of some of its suppliers or customers

Systems life cycle

A large proportion of new ICT systems fail due to insufficient planning. Whenever a new system is to be implemented there are several formal stages that have to be followed in order to achieve an effective solution. The systems life cycle is a process for planning, creating, testing, and deploying an information system. It is important that all of the steps are followed. Failure to complete the whole process can lead to the new system not delivering what the end user wants. The stages of the systems life cycle are:

Definition > Feasibility > Investigation > Analysis > Design > Development > Testing > Implementation > Documentation > Evaluation > Maintenance

Definition, feasibility, and investigation

Definition is the statement of intent. A feasibility study often follows this to decide whether there is a financial case for taking the project further. If savings cannot be made, then a new system is pointless. An example of investigation would be looking at the system to be replaced and considering the views and needs of the management of the company and the end users. The system must enhance the efficiency of the business operation or else it will be of no use. Investigation may take the form of questionnaires, interviews, or observations of how people work within the company. Diagrams may be used to map out the flow of data and goods through the company to make it easier to understand how the current system works and where any problems may exist. An important decision that needs to be made is whether to modify an existing system, buy in a new system developed by an external specialist company, or develop a whole new bespoke system 'in-house'. Each of these has advantages and disadvantages:

  • Modifying an existing system: Easiest/least disruptive and cheapest to implement but any problems within the existing system may be replicated in the new system
  • Buying a new off the shelf system: Development costs will have been spread across several companies, resulting in lower costs for PDC. Likely to be tried and tested by other companies so more reliable and ongoing support will be available. However, the system is unlikely to fully match PDC’s needs, which means additional systems will need to be bought
  • Developing a whole new bespoke system: New system will be designed to fully meet PDC's exact requirements and will be highly specific to PDC's operations. However, if it’s developed by a specialist company, the developers might not fully understand requirements like an in-house team might, but if developed 'in-house', the development team may have less technical skill than a specialist company

Analysis and design

In the analysis stage, a list of success criteria will be drawn up. This is based on meeting a system specification and represents everything that the new system must have, be or do. The systems specification represents the evaluation criteria for the project and an indication of what the system must do in order to be considered finished. This is the point at which the developer gets paid. At the design stage, the fine detail of the solution will be decided for four main factors:

  • The user interface design, including navigation around the system, online help, error messages and the overall look and feel of the system. PDC will most likely employ a graphic design team to work on font size and style, and colours used (perhaps to match the corporate look of the whole organisation) in its app
  • The system development team will have to decide on the way that the new system will deal with input processing and storage of data. Input and storage (including validation and format of data) is usually specified in a data dictionary
  • The ways in which the new system will output information both on screen and in printed format. PDC managers should also be involved with this process to make sure that the new system is on track to deliver what they want
  • Minimum hardware and software requirements needed to run the new system. A new system might be much costlier to implement if it requires the company to purchase new computers and other hardware or new licences of later operating systems

Development and testing

Once all the decisions have been made about the look and feel, data processing and desired hardware and software requirements, then the coding of the project can begin. Although testing is often shown as a separate process to development, the two are, in fact, part of the same iterative process. This means that the same process of development and testing may be repeated many times, each time getting the system closer to the desired solution

Each section of the new system has to be tested to see if it performs as expected and, if not, what actions will be required to ensure that it does do as expected. Testing ensures that each section of the system works seamlessly with other parts and that the whole system will run on the specified hardware or software platform. Another important consideration to be developed and tested is how legacy data (data from the old system) can be brought across to the new system. Testing may be done by either the developers (in-house or alpha testing) or people outside the development team (end user or beta testing), which could be staff from PDC elected to run a trial on the new system and give feedback to the developers

Implementation (Rolling out the system)

  • Direct changeover (Hardest to manage): Old system turned off, new system turned on. No issues with compatibility with old systems once all the data has been converted. However, it relies on the new system being fully operational with no flaws and it is quite difficult to implement as the whole workforce must be trained to use the system and be ready to change over. Also, trying to make large changes all at once is the strategy most likely to fail. PDC cannot afford any downtime if there are problems as this causes loss of business
  • Pilot implementation (Effective): A small group trials all the new system whilst the rest of the company uses the old system. It is easier to train small groups of people at a time and these trained workers can then help others to use the system. If there are any bugs in the new system, they can be identified before the system is rolled out. However, the pilot group may have difficulty in sharing data with other departments during the trial
  • Phased implementation (Effective): Some elements of the new system are implemented across the company first and the old systems are gradually replaced step by step. Small changes are often the easiest and most effective to implement and manage. It is also easier to offer training on one part of the new system at a time. However, the new system may have difficulty sharing data with the old system. It may be tempting to roll out sections of the system that are finished without testing that every system works with every other
  • Parallel running (Most inefficient): New system implemented whilst the old one still runs, which is turned off later. This provides a fallback position if the new system is unworkable but creates twice as much work for the workforce. It also takes longer for the new system to be implemented fully, meaning subsequent improvements are delayed

Documentation, evaluation, and maintenance

Documentation is one of the most important stages and often the most overlooked. Every system must be provided with manuals covering the design of the system and how it works on a day-to-day basis. Documentation provided with a new system usually includes an overview of the system, installation instructions and technical details (hardware and software requirements), a user guide, troubleshooting advice to solve simple problems, and a glossary of technical terms

Once the project is nearing completion then the system specification must be referred to in order to establish if the project has met its goals and can be signed off. All levels of users and developers must agree with the following questions before a project can be signed off: Does the new system perform as expected, solve the problem identified in the investigation stage, and was the original system specification sound or was it changed along the way?

Although the new system is officially signed off and working, it is usual that a strategy for maintenance is put in place. Maintenance can be divided into three distinct areas:

  • Corrective maintenance: Ongoing maintenance must be in place to fix bugs that become known once the system is up and running
  • Adaptive maintenance: Ongoing maintenance must be in place to develop new functions and features, such as new ways of inputting data or producing reports in new formats and adapting to new requirements of the company as they come along
  • Perfective maintenance: Ongoing maintenance must be in place to improve system performance and efficiency

Advantages and disadvantages of SLS

  • Well-established, tried-and-tested methodology that is effective and well understood
  • Very structured approach with clear definitions between one phase and the next. This allows PDC to thoroughly plan for risks, finances, and resources, make a structured plan with specific deadlines for each stage of the process, and make it possible to formally review what progress had been made at the end of each stage, allowing it to accurately monitor overall progress
  • Provided that developers understand business needs, there would be a good chance that the system specifications would reflect PDC's business requirements
  • Formally sticking to each step can result in a long, drawn-out process, which can add to costs
  • The end users may not be able to express what they actually want (this is a good argument for keeping the development of a new system within the company)
  • End users may not understand or be sufficiently well involved in the development process, resulting in system developers dominating the process and giving the end users what the developers think they want, not what the end users actually want
  • End users may not see the final solution until the process is nearly complete

Simplicity, familiarity, and navigation of a GUI

There are many different factors to consider when designing an effective Graphical User Interface (GUI) for a smartphone app, which is very important. It is good business for PDC to design a good UI that will encourage its customers to use it and offer them more business, reflecting well on the company

In order to encourage users to use the system and then come back and use it another time, it is important to make the interface easy for them. The interface must have a simple and intuitive layout that is very easy to use. Effective interface design builds on familiarity. If the users can interact intuitively with the interface they are more likely to use it and want to keep on using it. There are many established interfaces that we are all already familiar with, such as a computer keyboard or an MP3 player. When designing an effective UI, PDC should consider existing interfaces and test their designs to see which ones are the easiest to use

Effective navigation is an important part of a successful website. If a user cannot easily get to what they want to, then they will become frustrated and stop using the site. To ensure good navigation on the site, there should be:

  • Main navigation bar or menu (which may contain submenus within it)
  • Use of breadcrumbs to leave a trail of where the user is
  • Use of a site map to show an overview of the site content and structure
  • Hyperlinks wherever possible, to enable the user to get to certain sections in multiple ways

Use of colour and fonts and consistency

There are a number of factors leading to a choice of colour in a user interface. If PDC has a strong branding focus on certain colours then this might be a consideration, but the most important consideration will be how colours can be used to make the user experience easier and more efficient. Where colours are used, they should be subtle and easy on the eye, used to sensibly group similar functions together, and offer a high degree of contrast (such as a high contrast between text and background) to make the interface easier to use

Different fonts give different messages. Many companies choose a font that reflects the image they want to put across. PDC are likely to use a consistent font across all of their letters and advertising, so that people can easily identify their brand. Font sizes, font style, and the layout of the text can all help affect how legible and easy to read the text on the screen appears

The design of buttons, the colour schemes, and the choice of font style and size should be consistent throughout the app. This will give the app a more professional appearance and help the user to become familiar with its functions. Typically, a label for a data entry field will be to the left of the data field itself. This is an example both of familiarity and consistency


Feedback, preferred options, and default settings

An important aspect of interface design is feedback. This includes a summary of the data that the user has entered and useful information if the user has made any mistakes. For example, if a field in the interface cannot be left blank or requires data in a particular format there should be a useful message telling the user where they went wrong. When pressing a button, there should be some feedback to indicate that something has happened, such as an audible ‘click’ sound or some ‘rollover’ text/message. PDC might prefer to use haptic feedback, where pressing a button causes a slight vibration

Where there are options that can be chosen on the interface then the most commonly chosen option might be set as a default. This would make the data entry quicker

Default settings when the customer uses the app for the first few times encourage them to make choices the company wants, such as more expensive payment options. Having settings already arranged makes the app easier for the customer, making them more likely to use it again


Standard controls on GUIs 1

  • Label: Gives information to the user but does not accept data entry. Usually located to the left of a data entry control. Labels should be clear and short
  • Button: An area of the screen that, when touched, usually has a simulation of a physical button being pressed. Button ‘clicks’ are also often accompanied by a click sound or haptic feedback. An advantage of using buttons is that they would be easy to use on a mobile phone to navigate between one part of the system and another or to confirm an action, such as payment
  • Frame: This is a way of grouping different controls together, usually by simply placing a rectangular outline around them. Often used with radio buttons or check boxes
  • Radio button: Offer a range of options but only one can be selected at a time. This control is used when the user has to select one option out of a range. The radio buttons may be grouped in a frame and are useful in a phone app because the user does not need to do any typing and is forced to choose one option from a range
  • Check box: Offers a binary choice between two options (selected or not selected). Unlike a button, once an option on a check box is selected the option chosen is easy to see. This is commonly used to show that a user has accepted terms and conditions. Check boxes are often grouped with a frame, allowing the user to make multiple choices on a particular topic. More than one check box can be selected at once

Standard controls on GUIs 2

  • Input box: Allows for a single line of text to be entered, such as name, address or telephone number. Gathering this type of data is important for the PDC app because users must be able to enter the delivery address of the parcel. It is difficult to provide validation on names and addresses as there is so much variation. However, phone numbers and postcodes are in a far more consistent format and it would be easy to set a rule for these
  • Text box: Although there is often a limit on number of characters, a text box usually allows a lot more text to be entered than an input box. This would be useful for the PDC app for adding delivery instructions
  • List box: Shows a drop-down list of options and allows either a single choice or multiple choices to be made. This is a useful control on a phone app because the customer would not have to type anything and PDC could limit the range of acceptable answers. This is a form of validation
  • Combo box: Offers a drop-down list of options but, unlike a list box, only allows a single selection to be made. Usually this selection is displayed at the top and changes when a new item is chosen from the list
  • Calendar date picker: Useful for the PDC app because it would allow the customer to choose a delivery date from a miniature calendar instead of typing the date, which could take longer and be more likely to contain a mistake

Data security/safety

Data safety is to do with preventing accidental data loss through failure or destruction of equipment or accidental deletion. Data security refers to the protection of data from unauthorised access and strategies for keeping the data secure from hacking and viruses

All computers at PDC would be looked after by a designated network manager who would be responsible for ensuring that all company data was safe and secure as well as securing online transactions against hacking. For PDC, keeping data secure and keeping the computer system up and running are absolutely critical to the success of the business. Using a computer network has many advantages. However, as a business that relies on networking its computers together, PDC is subjected to threats including unauthorised access to its data by hackers, and the spreading of viruses and other malicious software. Breaches of security across a network or via the Internet are known as 'cyberattacks'


Authentication

Authentication is a way that a user can identify themselves to a network. Once a worker is authenticated (logged on) to PDC's network then the network server can give them a level of access (called permissions) appropriate to their job role and can track/audit all of their actions on the system. Authentication on a network can be based on one of three main methods:

  • Something that the employee knows eg, memorable information to answer personal security questions, user name, and password. This is easily entered using a keyboard, and security questions are only known to the user so they can only be answered by them, but the level of security depends on the user following the company password policy and using something that cannot be easily guessed
  • Something that the employee possesses eg, swipe card, security token, or a mobile phone with NFC. This is a quick and reliable way of identifying the worker, but it could be lost or stolen and then used by someone else to gain unauthorised access
  • A physical (biometric) attribute unique to the worker themselves eg, a fingerprint, retina scan, voice/face recognition, or signature. These cannot be lost, forgotten, used by another person, or (easily) forged, but these recognition systems are expensive to set up and can be unreliable

Password policy and two-factor authentication

PDC network managers might want to enforce a password policy on their computer network. For example, they might decide that workers must only use a password that has at least eight characters, includes a combination of upper-case and lower-case letters, numbers, and special characters, and has not been used before on the system, and that passwords must be changed periodically. Using strong passwords provides better security. Users must also be trained not to use passwords that are too easy to guess and not to use each other's accounts. Single-factor authentication (SFA) is where the user can obtain access to an account or service using one authentication factor. One of the risks of using SFA is that if the same password is used for many different applications then they would all be vulnerable if the password gets hacked. Using a unique password for each application will minimise this risk

When PDC employees log into the computer system at the delivery depot a single method of authentication is adequate because the worker is already present within the building. The fact that the worker is present in the building when they log in adds an additional layer of security in itself. However, when customers log into PDC’s online tracking or booking systems they would not be present in the building and a single method of authentication would not be considered strong enough. Transactions that are financial or personally relevant need a higher level of security and PDC could achieve this by offering two-factor authentication (2FA), a security method by which users obtain access to a network system by providing two separate factors from the three authentication types to identify themselves. This greatly reduces the chances of hacking as the hacker would have to breach two different types of security in order to gain unauthorised access. 2FA is common for online banking services and involves a combination of security methods, such as entering a user name and password combination plus an example of memorable information or a random selection of digits from a memorable number. There would be a strong case for PDC to utilise 2FA as it needs to offer a high level of security for customers' details through its online systems as well as giving its customers the confidence of the extra security


Acceptable Use Policy

One of the biggest threats to PDC's data security is poor security practices by the workers themselves. Every company should have rules and guidelines that form an Acceptable Use Policy (AUP). If everyone working for the company is trained on the correct and consistent use of the data, then higher standards of data security can be maintained. Examples of items to be found in a PDC acceptable use policy for employees might include:

  • Never allow others to use your account and password to access the system
  • Always log off or lock terminals when not in use
  • Never download email attachments from unknown sources
  • Never install any software without authorisation
  • Only use sufficiently complex passwords
  • Never use removable storage devices to take data off site
  • Always make daily data backups of transactions
  • Always keep data backup files in a fireproof safe or in another building
  • Never remove or disable antivirus software
  • Never attempt to repair the computer hardware or software yourself

An AUP should also make it clear what disciplinary sanctions might be taken against workers who break the rules set out in the policy. This might include retraining or dismissal


Restricted physical access and firewalls

Data storage servers should be kept in locked rooms with limited access. Only authorised PDC staff would be allowed into certain computer areas, which would be kept secure by means of locks, ID cards, magnetic swipe cards, or biometric security, such as a fingerprint reader. To prevent break-ins, data servers are often kept in rooms with no windows, or at least bars on the windows. In order to keep data safe from floods, data servers are also often located in upstairs rooms. Server rooms are usually also equipped with sophisticated fire alarms and special fire extinguishers that put out the fire without damaging the electrical hardware. The provision of a special backup electrical power supply, called a UPS (Uninterruptible Power Supply), is standard practice in most large organisations

A firewall is a software or hardware device that sits on the gateway between a network and the wider internet with the purpose of monitoring and blocking unexpected communication coming in or going out of the company network


Data encryption

Some of PDC's data is encoded. An example would be gender being stored as M or F rather than Male or Female. Entering data in this way not only reduces the possibility of human error from mistyped text, but also reduces the amount of data, so it takes up less physical storage space. It is just as easy to understand and use the data in its encoded form as in its original form. Encoding is different from data encryption. Data encryption involves scrambling the data into a secret code. It cannot be easily understood by someone, and requires a special key in order to convert the message back into its original form (a process called decryption). Encryption is an important and widely used method of keeping data secure from hacking or unauthorised access

As data used by PDC is exchanged online, PDC would have to consider using secure Internet connections to reduce the chance of customers' data, such as payment details, being intercepted by hackers. It is in PDC's business interests to provide secure encrypted online services. Web page communications are normally sent using the protocol HyperText Transfer Protocol (HTTP). As this is unsecured, and can be subject to eavesdropping and tampering with the data, online financial transactions are usually sent over the secure protocol HTTPS (HTTP Secure). This provides two levels of security: encryption and authentication. Using HTTPS, data being communicated between PDC and the customer can be encrypted to make it more secure. By using a public key certificate, the PDC website can be authenticated so that customers can be assured that they are directly communicating with PDC and not someone else. A trusted certificate authority digitally signs public key certificates. The web browser used by the customer then recognises the signature of the certificate authority and allows the connection. If the web browser did not recognise the certificate it would warn the customer that there was a problem with the website and give the customer the option whether to proceed or not with the transaction


Malware

The overall term for software applications that are designed to cause a nuisance or break through security on a computer system is malware. Often people use the term 'virus' to mean all malware, but viruses are actually a subset of the malware group of programs. Antivirus software is designed to identify and block malware and is the first line of defence to defeat malware attacks

PDC should have a strategy to protect its data. The network manager should make sure that all computers and other devices have antivirus software installed that is updated regularly to fix known vulnerabilities. User permissions should be restricted to stop workers at the company installing any program files and all workers at the company should have training that enables them to recognise a potential malware attack and take actions that prevent this from happening

The main Act of Parliament concerned with data security is the Computer Misuse Act of 1990. This makes it illegal to attempt any unauthorised access to data on a computer system. The law also covers hacking (unauthorised data access by breaching security) and spreading malware (malicious or otherwise disruptive software)


Types of malware

  • Virus: Software code that is designed to cause a nuisance or destroy software or data. Typically, viruses are installed via email attachments. The user gets an email with an attachment. The email says to click on the attachment; upon clicking the attachment, the virus is installed. Viruses can only be replicated by a human action
  • Worm: A malicious program like a virus, but one that can self-replicate without human intervention. This makes it all the more dangerous as, once one computer is infected by the worm, it can spread itself across all the other connected computers, making it far more difficult to manage and eradicate
  • Trojan: Pretends to be something useful and tricks the end user into installing it. Typically, the user browses for some software they want; say, a printer driver or PDF converter. When the link is clicked then the Trojan is installed. PDC must offer training to stop its users being tricked into installing Trojans. Also, the network manager could put restrictions in place to prevent unauthorised installation of new programs on the system by users
  • Spyware: Once installed on the computer, can track what the user is doing and then send this information across the internet. Keystroke loggers are an example of this type of software as are software applications that take over the camera on a laptop and observe what the user is doing
  • Adware: Infects the Internet browser application on a computer. This then forces the user to visit certain pages or causes pop-ups to appear selling unwanted goods or services
  • Ransomware: Takes over a computer system and locks, and threatens to delete, all of the data contained on it unless a ransom is paid. Upon payment, the holder offers to send a key that will unlock the computer again

Data safety, security threats, and precautions

Hardware threats to data safety include:

  • Hardware failure. Prevented by data backup and upgrading of hardware/replacement of old hardware
  • Electrical surge/power outage. Prevented by UPS and surge suppressors. Optical fibre is used to make network connections as it does not conduct electricity, countering lightning strikes
  • Theft. Prevented by keeping servers behind locked doors upstairs with barred windows, surrounded by alarms, with authorised access only given to staff. ID badges worn by staff make intruders without them easy to identify
  • Floods. Prevented by keeping technology above ground level
  • Fire. Prevented by fire alarms and automatic gas fire extinguishers/suppressants

Software threats include:

  • Unauthorised access and hacking. Prevented with read-only files, 2FA, biometric security, firewalls, data encryption, and secure connections (HTTPS)
  • Malware. Prevented with anti-virus software, policies restricting mobile data storage, and scanning email attachments

Other threats include errors by people. Prevented by giving staff training, setting out a code of conduct/AUP, placing sanctions on rule-breakers, and erasing all data when technology is disposed of


Data Protection Act 1998

The Data Protection Act is concerned with protecting the personal data of an individual. Like any organisation or business, PDC needs to consider how it manages the personal data of its customers, both senders and recipients. It must also consider the personal details of its staff, suppliers, and any other subcontractors. Like many UK laws, the Data Protection Act followed an EU Directive which was put in place to ensure a common standard of legal protection across all European countries. As with most companies, the personal details of customers will be kept in a computerised database. The individuals in the database are known as the data subjects and in this case PDC is the data controller

Data subjects have the right to see any data held about them. The request must be in writing and PDC would have to provide the data within 40 days and not charge more than £10 for the service, plus up to £50 for photocopying costs. Data subjects also have the right to have any incorrect data corrected and they may seek compensation from PDC in the courts if they can prove that they have suffered a financial loss because of mishandling of their data. For example, if PDC had the wrong delivery address and persistently sent parcels to the wrong place, then this could result in a loss of business for the customer and they would be able to seek damages from PDC to try to recoup their losses


Principles 1-3 of the Data Protection Act

As a data controller, PDC has a responsibility to process data according to the DPA and the rights of the subjects:

  • Data must be processed fairly and lawfully: PDC must make a statement in its terms and conditions of service that tells every customer what will happen to their data and how their data will be processed. A way of making customers aware of this is to provide a check box on any online forms that confirms that the customer is happy for PDC to process their data. Alternatively, a specific question needs to be asked every time someone signs up on the telephone or places an order in person
  • Data shall be used for one or more specified and legal purposes: When PDC set up its business, it had to register with the Office of the Information Commissioner and inform them what it wanted to use its customers' personal data for. The data must only be held and used for the reasons given to the Information Commissioner. For example, some companies make money by selling the details of their customers to others. PDC would not be allowed to sell its customers' data unless it had already registered to do so with the IC
  • Data shall be adequate, relevant, and not excessive in relation to the purposes for which the data is kept: For example, PDC would need to only store customers' details actually needed for the purpose of conducting its business. This would include customers' names, addresses, contact numbers, email addresses and bank details. PDC would not have to store or process any of its customers' sensitive personal data, as this would not be relevant to the business of delivering parcels. Sensitive personal data is information such as religion, race, and medical conditions. In law, data subjects have to be given the opportunity to give explicit consent for sensitive data to be processed, but this would not be needed by PDC so they wouldn’t have any reason to have it

Principles 4-6 of the Data Protection Act

  • Data shall be accurate and where necessary kept up to date: As well as fulfilling a legal requirement, it would make good business sense for PDC to ensure that all of the data it stores about its customers is accurate and up to date. For example, customer details that are misspelt or poorly capitalised look unprofessional and PDC would quickly lose business if it sent parcels to an old or incorrect address. It would also be wasteful to keep records of customers who have moved on or ceased to use the delivery service so these would have to be archived. Strategies for making sure that data is accurate and up to date include validation systems built into PDC’s data storage in order to make the data more sensible and in the correct format eg, having a rule that checks that phone numbers always have 11 digits. PDC could provide an online service that allowed customers to create an account and then update their own details and could also regularly send emails or letters to ask customers if the data held was up to date
  • Data must not be kept for longer than necessary: If PDC found that a customer had not ordered a delivery for a few years, it should assume that the customer was no longer active and would have no reason to keep any details relating to that customer
  • Data must be processed according to the rights of the data subjects: PDC’s customers have the right to see their own data and have any mistakes corrected and for this to happen within 40 days and at minimal cost. Therefore, any of PDC's systems must be set up in such a way that any data can be easily found, printed off, corrected, or deleted within the limitations set out in law

Principles 7 & 8 of the Data Protection Act

  • Data must be kept safe from accidental damage or deletion and secure from unauthorised processing: PDC is obliged by law to put security measures in place when it stores and processes personal data. This includes keeping the data backed up and safe from unauthorised access. PDC would have to put in place a formal backup procedure, such as backing up files to another server, tape backup or investing in a cloud-based backup solution. PDC would need to ensure that its data storage systems were secure by encrypting the data or installing a firewall. Company policies and procedures would need to be in place and all of the staff should be trained on how to apply them
  • Data may not be transferred to a country outside of the European Economic Area unless there is equivalent data protection in place: In some cases, PDC might handle international deliveries, perhaps passing the packages on to another delivery company in a foreign country to handle the remainder of the onward delivery. If any personal data is passed to a company outside of the European Economic Area then the law states that PDC must ensure that the data is processed and stored with the same level of security as it would have been had it been processed purely within the European Union