GCSE I.T Security Case Study - Riverside Leisure Centre
Riverside Leisure Centre's Security Measures
GCSE I.T Security Case Study
Background Information
Riverside Leisure Centre is situated in Chelmsford, Essex and is owned by Chelmsford Borough Council. They have had only one reported unauthorised entry to the complex in the last five years.
The complex contains three swimming pools, an outdoor, heated indoor and a toddler indoor. It also has a Techno gym, ice rink, sports hall, licensed bar and a children's indoor play area. Due to the wide range of activities available, Riverside has a lot of visitors to it's complex. The bigger the crowds attracted, the bigger the risk of the security of customer's and employee's data being misused by unauthorised members of the public. This therefore calls for a good quality security system, both physically and via software.
Having analysed the security systems at Riverside, with the help of answered questionnaires from the centre's management and from sketches of the leisure centre itself, I have noticed that there is a good quality system in use here. In this case study I will explain the methods, advantages and disadvantages of the current system and make recommendations on how to make the leisure centre more secure.
Software Security Of Riverside
Passwords
Riverside uses a password log on system on all computers within the centre. Each employee has it's own username and password to log on to the computer, which holds data. This makes it impossible for intruders to log on to the computer without having access to an employee's user name and password. This is useful because it prevents unauthorised access but also allows management to pinpoint who has been on the computers at any one time. If an employee told an unauthorised person their username and password and that person obtained data from the computer, management could see exactly which employee had loaned their username/password and deal with them appropriately.
Riverside also operates a hierarchy system when using passwords to access data. If the system holds some high security data the system is able to block certain users (even authorised system users) from accessing it. This means that management get to see high security data exclusively and therefore reducing the risk of it falling it to the wrong hands.
Policies of Shareware/Freeware
Riverside does not download freeware or shareware from the Internet as it recognises the dangers of hidden viruses in the attachments and programs themselves. These programs are often not certified and therefore if downloaded, crucial files may become corrupt as a result of a virus being let into the system this way.
Data Protection Act
Riverside also abides by the Data protection Act (1998 as amended). The Act is in place to protect the data held by the data user (in this case the data held will be addresses, bank details, fitness levels of customers and the data user will be Riverside). There are eight principles to the Data Protection Act, as was there in the 1984 version. The only difference between the 1984 version and the amended version of 1998 is that the 1998 version has been widened to include data that is stored on computers and can easily be transferred to another country by use of email.
Principles of the Data Protection Act
The following principles will apply to Riverside when it is using the data it has collected from customers.
/Personal data must be processed fairly and lawfully and at least one of the processing conditions is met, and in the case of processing the data must be processed fairly and lawfully and at least one of the conditions for processing sensitive personal data is met.
The conditions for each of these categories would usually be that the subject has given consent.
Personal data processing conditions:
The subject's consent may not be required if the processing is to protect the subject as in the case of urgently retrieving a subject's medical record after a serious accident, or for the administration of justice, or to comply with legal obligations, or in the public interest.
Processing conditions
The subject's consent may not be required if:
* The Data Controller has legal obligations to process the subject's employee data
* or if the data subject is unable to give consent, e.g. unconscious
* In order to protect the vital interests of the data subject or another person
* In a case where consent on or behalf of another person has been unreasonably withheld, e.g. parent's religious beliefs preventing their child's right to hospital treatment and life.
* Or where processing is necessary for legal reasons, e.g. obtaining legal advice, exercising or defending legal rights, for the administration of justice.
Or
* The processing is carried out as part of the lawful activities of any non-profit making political, philosophical, religious, or trade union organisation. The processing must safeguard the rights and freedoms of the data subjects. It must be limited to members or persons in regular contact with the organisation and it must not disclose any personal data to others without the data subject's consent.
Or the Secretary of State may specify cases where this condition is excluded or modified, e.g.
* Where the processing is necessary for medical purposes
* Where sensitive personal data is necessary for monitoring equal opportunities for people of different racial or ethnic origins and is carried out with the usual safeguards for the rights and freedoms of data subjects.
2/Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. There are ...
This is a preview of the whole essay
Or the Secretary of State may specify cases where this condition is excluded or modified, e.g.
* Where the processing is necessary for medical purposes
* Where sensitive personal data is necessary for monitoring equal opportunities for people of different racial or ethnic origins and is carried out with the usual safeguards for the rights and freedoms of data subjects.
2/Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. There are two methods that a Data Controller may use to specify the
purposes for which personal data are obtained:
By informing the data subject or,
By notifying the Data Protection Commissioner.
This is in addition to notification (registration). All controllers must notify and pay the notification fee.
3/Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
This is similar to the 1984 Act fourth Principle but the new wider definition of processing is now applied.
Organisations are required to state the purpose for which data is processed and cannot process it for any other purposes without further notification.
A dating agency may collect and process data for the purpose of matching compatible people. They cannot then use that data to identify prospective punters for a sideline in cosmetic surgery, unless they notify the data subjects or the Commissioner of their intention.
4/Personal data shall be accurate and where necessary, kept up to date.
Data Controllers must take reasonable steps to ensure the accuracy of the data. At school, students are frequently given their personal details to take home and check. They are given the opportunity to change any out of date or incorrect data.
Other organisations carry out similar checks at regular intervals. This task costs the organisation money for clerical staff to print out the details, collect them in again and edit the records to bring them up-to-date but is necessary by law.
5/Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Example: Data may be collected from applicants for a job. That data can only be stored for the period of assessment, interview and selection. After that it should be discarded. Personal data shall be processed in accordance with the rights of data subjects under this Act.
A data subject is entitled to make a written request to the data controller (accompanied by administration fee) and be given details of their data within 40 days.
This will consist of:
A description of their data, What it contains the purposes for which it is being processed, Why it is being processed people to whom it may be disclosed, Who is allowed to see it the name of the organisation that is actually carrying out the processing of their data. Which organisation will perform the processing? Data subjects have the right to have inaccurate data amended or deleted.
They also have new rights of:
* preventing processing that is likely to cause damage or distress and to sue for compensation if damage or distress has been caused.
* they can prevent processing for direct marketing purposes, so anyone can stop the arrival of personalised junk mail by writing to the data controller.
* they are entitled to be informed of the logic used in automated decision making, e.g. obtaining a mortgage depending on a calculation involving salary, credit worthiness and other details.
they have the right to ask the Commissioner to check whether certain processing of their data is being carried out unlawfully.
6/Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Data must be kept private and secure. This means that the data controller must ensure that data is backup up regularly, virus checked, and restricted to named authorised persons by means of passwords or other means. Any data processors that a data controller may use for processing their data must be professional enough to guarantee the privacy and security of the data. It is also the data controller's responsibility to ensure that the data processor carries out the processing as specified according to an agreed contract.
7/Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The European Economic Area is currently the member countries of the EEC plus Iceland, Liechtenstein and Norway.
There are certain circumstances where the Eighth Principle does not apply to a transfer of data. They are:
* The data subject has given consent to the transfer
* As part of a contract between the data subject and the data controller
Or, the transfer is necessary
* In the conclusion of a contract between the data controller or is in the data subject's interest, or
* For reasons of substantial public interest. The Secretary of State can order and explain such a transfer, or
* For legal reasons, such as advice, legal proceedings or defending legal rights, or
* The transfer is part of the personal data on a public register
* The transfer has been authorised by the Commissioner and ensures adequate safeguards for the rights and freedoms of data subjects.
8/ Personal data held for any purpose or purposes shall not be disclosed in any matter incompatible with that purpose or those purposes.
(Principles obtained from www.the-data-protection-act.co.uk)
The Data Protection Act gives us the right to access our own personal data that a company holds about us, and also gives us the right to correct it if it's false. The right is also given to complain to the Data Protection Registrar if the data has been collected or used in any way that is disrespectful, unlawful or unfair.
Registration
The data user (in this case Riverside) must register the intended use, details of the personal data held, the ways in which it may be passed and to whom it may be passed and whether or not it may be transferred from country to country, if yes, which countries. This is filled in on the registration form given by the Data Registrar and is then sent off, along with a fee for registration (around £70). This must be done before information is used because unlawful usage of data possesses a £5000 fine in a magistrate's court and an unlimited fine in a High court. If a person suffers due to unlawful usage of data they also can claim compensation from the company and the courts, adjusted with the severity of the case, decide this amount.
Exemptions to the Registration
There are exemptions from the registration. If the company/data user falls under one or more of the following categories then the registration is not applicable.
/When your data is being used only in connection with personal, family or recreational use.
2/Where data is used only for the preparation of text documents.
3/Where the data is being used only for the calculation of wages and pensions, or for the production of accounts.
4/Where the data is used for the distribution of articles and information e.g. unsolicited mail (i.e. mail which advertises goods or a service you have not requested).
5/Where a sports club or a recreational club that is not a limited company holds the data.
These exemptions include Riverside as they are a, " sport or recreational club which is not a limited company". We know they are not a limited company as limited companies (both private and public) belong in the private sector. Riverside, however, is in the public sector as it is owned by a local government (Chelmsford Borough Council). This exempts them from having to register with the Data Registrar, however, they still must abide by the principles of the act to avoid prosecution.
According to the questionnaire I carried out, all Riverside staff that have access to the data are fully educated on the principles of the Data Protection Act.
Recommended software security measures that Riverside could operate in the future
Firewalls
Riverside could use firewalls when accessing the Internet. A firewall is a program that can be installed onto the system to protect itself against the user doing any damage to it. It restricts the user from entering parts of the system. These are particularly useful if the system has access to a dial up connection, either to access an e-mail provider or the Internet, as things can be downloaded and can cause havoc with the system if they contain a virus etc. Firewalls also can control incoming call ID's to the system and can block ID's if they don't fit into a pre-specified category, which prevents computer 'hackers' from gaining access to the system. This controls, although doesn't block altogether, the threat of viruses and unauthorised access to the data. However, such a program does have one main disadvantage
Anti-virus Software
Surprisingly, Riverside's systems are not yet equipped with anti-virus software. This would be a good investment as a good quality program such as McAfee or Norton Anti-Virus can detect most known viruses and can delete them and clean the system in a matter of minutes. However, this kind of software is only worth investing in if time is taken by the user to run it regularly or set it into an automatic mode so it can detect the viruses.
Encryption
Riverside could also encrypt data that it passes through the Internet or their own Intranet or LAN. Encryption codes the data at the sending end so that if it is intercepted between it's start off point and it's destination no other person other than who it is intended for can read it. No one else can read it as only the data receiver has the decoder. Once the data receiver receives the encrypted data, it can be decoded by applying the decoder to the message and then it can be read normally. This prevents any unauthorised viewing and is a good way to make sure secure data does not fall into the wrong hands. The encrypter and the decoder are stored on the computer's memory so they cannot be lost or forgotten.
However, if the computer is stolen then the next user can carry on encrypting or decoding messages and this would prove not very secure. To overcome this problem you could either:
* Make sure the computer is surrounded by physical security and therefore cannot be stolen.
Or
* Add a password to the encryption process so that the next user has to know the password to activate the encrypter or decoder.
Back-Up Disks
Another way to insure that the data on Riverside's computer system is secure is to make back up disks of everything on the computer. This means if a virus distorts the
data, the computer crashes, the disk that holds the data is lost, stolen or destroyed or if you even accidentally delete the document then there is always a back up at hand. To do this you simply save any important documents on a 3 1/2 " floppy disk and keep in a safe place.
Physical Security
As well as protecting the data from potential viruses and unlawful use via software security, Riverside also realises it has to protect itself by physical use also. The following security measures are currently in operation at Riverside.
Locks
All rooms that contain computers are locked with pin code locks. If a wrong pin code is entered more than three times on the pad of these locks, the alarm is activated. The alarm will then alert the security guard on duty that an unauthorised person is trying to get into the computer room. All staff which need to know the pin code to access the computer have been told the in code but staff which do not use computers as part of their daily routine do not have access to the pin code. This is particularly useful as it deters unauthorised people from trying to break in if they know the alarm will be activated.
Turnstiles
At the Riverside entrance there is an obvious physical security measure as they have turnstiles so you can only get into the complex by the receptionist pressing a button to unlock the turnstile. This prevents anyone suspicious from getting into the complex and therefore reduces the risk of any harm coming to its customers and their computer systems.
Uniforms
Also, staff in the complex wear uniform so they are easily recognisable from a member of the public. This means that if a member of the public is seen in a restricted access area they can easily be recognised from staff and therefore can be effectively removed before any damage is done.
CCTV
Closed Circuit Television (CCTV) is also used on the premises. CCTV uses cameras around the complex (they are concealed in Riverside so potential intruders do not know where to find them) and these cameras are all linked back to a main control room. These rooms contain security workers scanning the images from all the cameras on the televisions on which they are shown for possible intruders.
CCTV in Riverside has a main control room somewhere in the complex (for security reasons I couldn't find out where it was) and has 37 cameras around the complex. The cameras used in Riverside are moveable so the can turn and cover a much wider spectrum and therefore they are able to use one moveable camera to cover the space that three or perhaps four stationary cameras could cover. Therefore, moveable cameras are more cost effective than stationary ones. However, there are disadvantages to using this kind of camera- these are shown below.
* If one breaks down then a wider space is not being covered. If a stationary one broke down then there would be only a little space that wouldn't be covered.
Fireproof Doors and Gas looding
Riverside also uses fireproof doors to prevent damage to the computer systems in case of a fire. These doors are made of metal with a high melting point so however hot the fire the door will not let the fire in. They also use a gas flooding system. If the fire alarm is activated (the fire alarm is run by a temperature sensitive sensor) then carbon dioxide gas is let out of air vents in the ceiling of the computer rooms as each temperature sensor goes off to warn about a fire. This facility is turned off for routine fire alarms and is only activated when the temperature is way above normal body heat so therefore can not be set off by a hot room.
When surveying the site I noticed that there was only one entrance to the complex. This narrows down the ways that intruders can enter the building and also is more cost effective as they don't have to have security equipment anywhere else, as there are no other entrances.
Also, when I walked around the outside of the complex I noticed that there is barbed wire at the top of all high walls around the complex so it would be difficult and painful, if not impossible to enter the building by climbing over the walls.
Also, when I walked past the staff car park I noticed that all cars parked in there had the same badge in the windscreen, therefore it must be an access badge to park in the car park. Also, there is a kiosk with a barrier that is lowered whilst the security guard checks the windscreen badges and is only highered to let the car in when the guard has seen the security badge.
Suggested Measures of Physical Security for Riverside
As well as the impressive current physical security measures of Riverside they could also utilise the following measures to make sure their data stays secure.
They could lock and bolt all computers to the desks so they cannot be forcefully taken from the desks.
They could buy computer systems with removable hard drives (where all the data is stored) so that they can take the hard drives out of the system after use and lock them in a safe etc. This would mean if the computer systems were stolen then the data wouldn't be lost and it would not have fallen in to the wrong hands.
More security alarms could be used. There is already a temperature sensor in case of a fire in operation but there is no movement sensor in case of a break in. These are not very expensive and can quickly alert the police of a break in.
Security alarms could also be used on all emergency exits so that if they are opened with force the alarm will be triggered and the intruder will either be scared off or caught before any damage is done.
They could also put a UV coding (a code which is not visible to the human eye but when it is scanned with Ultra violet light then the code can be read) on all hardware and peripheral devices. This ensures speedy return in the case of them being stolen and recovered by the police.
Conclusion
In conclusion, I have discovered that the physical security of Riverside is very good. They are currently utilising 10 out of 14 of the physical security measures I suggested and the statistic of only one unauthorised entry to the complex in five years (Chelmsford Borough Council 2001) proves that the measures are working as they should be. The following list shows the advantages of the current physical security system:
* Secure
* Some measures are inexpensive, such as high walls, barbed wire, barriers at car park and turnstiles at entrance etc.
* Mostly manually operated or force operated. This is better than if it was automated because mistakes are rare and shifts are operated so workers are constantly awake and 'on the ball'.
To every good system there is a downside. Here is a list of disadvantages to the current physical security system.
* The automatically operated systems such as CCTV or the alarms may be vandalised etc and this may stop them from working.
* Some parts of the system are expensive such as CCTV, alarms and fireproof doors. CCTV is still cost effective as it used frequently but fireproof doors may never get to prove themselves, as fires are rare.
However, the software security of Riverside is only average. It only operates 4 or the 8 software measures I suggested. There is one highlight of the software security system, this is that they abide by the Data Protection Act (1998) even though they are exempt by the rule that says, "Where a sports club or a recreational club that is not a limited company holds the data." We already know that Riverside is run by the council and therefore is not a limited company so it exempt. However all employees have knowledge of the Data Protection Act and therefore are preventing themselves from getting persecuted.
I did expect them to use virus protection on their computers and the fact that they didn't means that they were easily susceptible to viruses that would have distorted their data. I strongly recommend that they get an anti-virus program to protect themselves.
The following is a list of the advantages to the software security system currently in operation at Riverside:
* It is legal and understands the laws that are applicable to them and the use of the data that they possess.
* The password system prevents any unauthorised access to the system unless one of the employees tells of their password.
* If an employee tells this, it is easy to pinpoint who has done it as their area password would have been used and it can be tracked.
* It recognises the use of freeware/shareware can be damaging to the system.
* The hierarchy system only lets top management view the most secure documents.
* Cost effective
The system also has its downfalls; here is a list of the disadvantages to the system.
* No virus scanner was in use, leaving them open to viruses transmitted from the Intranet, LAN or Internet.
* No encryption of data was being used and therefore important data may be viewed by unauthorised people whilst in transit between destinations.
* Firewalls were not in operation therefore the door to untrained employees is left wide open to access potentially damaging parts of the computer's hard drive or Internet.
* Cost effective but not secure enough to prevent data being exposed.
This concludes the case study on Riverside Ice and Leisure and it's security systems. The recommendations for a new system are shown with the analysis of the systems and these may well be put into place by Riverside in the near future.
The evidence I used to put together this case study is shown in appendices on the next page.
Claire Wyatt
7221
