Ref:
Data Protection Act (1998)
- Personal data must be obtained fairly and lawfully. The data subject should be informed of who the data controller is (the institution); who the data controller’s representative is; the purpose or purposes for which the data are intended to be processed; and to whom the data will be disclosed. For students this is done by the University during registration. Personal data processing may only take place if specific conditions have been met; these include the subject having given consent or the processing being necessary for the legitimate interests of the data controller. Additional conditions must be satisfied for the processing of sensitive personal data, that is, data relating to the ethnicity, political opinion, religion, trade union membership, health, sexuality or criminal record of the data subject.
- The new Act covers personal data in both electronic form and manual form (e.g. paper files, card indices) if the data are held in a relevant, structured filing system.
- Personal data processing must be in accordance with the purposes notified by the University to the data protection commissioner; if any ‘new processing’ is to take place, the Data Protection Representative must be consulted.
- Personal data must be kept accurate and up to date and shall not be kept for longer than is necessary.
- Appropriate security measures must be taken against unlawful or unauthorized processing of personal data and against accidental loss of, or damage to, personal data. These include both technical measures, e.g. data encryption and the regular backing-up of data files, and organizational measures, e.g. staff data protection training.
- Personal data shall not be transferred to a country outside the European Economic Area unless specific exemptions apply (e.g. if the data subject has given consent); this includes the publication of personal data on the internet.
Ref:
Official Secrets Acts (1911-1989)
Computer Misuse Act
The Computer Misuse Act was introduced in 1990 to secure computer material against unauthorized access or modification. Three categories of criminal offences were established to cover the following conduct:
- Unauthorized access to computer material (basic hacking), including the illicit copying of software held in any computer.
  - Penalty: Up to six months imprisonment or up to a £5,000 fine.
- Unauthorized access with intent to commit or facilitate commission of further offences, which covers more serious cases of hacking.
  - Penalty: Up to five years of imprisonment and an unlimited fine.
- Unauthorized modification of computer material, which includes:
  - Intentional and unauthorized destruction of software or data.
  - The circulation of "infected" materials on-line.
  - An unauthorized addition of a password to a data file.
  - Penalty: Up to five years of imprisonment and an unlimited fine.
You must not:
- Display any information which enables others to gain unauthorized access to computer material (this includes instructions for gaining such access, computer codes or other devices which facilitate hacking).
- Display any information that may lead to any unauthorized modification of computer materials (such modification would include activities such as the circulation of "infected" software or the unauthorized addition of a password).
- Display any material which may incite or encourage others to carry out unauthorized access to or modification of computer materials.
Ref:
The Police and Criminal Evidence Act (1984)
The Police and Criminal Evidence Act (PACE) and the PACE Codes of Practice provide the core framework of police powers and safeguards around stop and search, arrest, detention, investigation, identification and interviewing detainees.
PACE sets out to strike the right balance between the powers of the police and the rights and freedoms of the public. Maintaining that balance is a key element of PACE.
Ref:
Anti-Terrorism, Crime and Security Act 2001
The Anti-Terrorism, Crime and Security Act 2001 was formally introduced into the Parliament of the United Kingdom on 19 November 2001, two months after the terrorist attacks on New York on 11 September. It received royal assent and came into force on 14 December 2001. Many of its measures are not specifically related to terrorism, and a Parliamentary committee was critical of the swift timetable for such a long Bill including non-emergency measures.
On 16 December 2004 the Law Lords ruled that Part 4 was incompatible with the European Convention on Human Rights, but under the terms of the Human Rights Act 1998 it remained in force. It has since been replaced by the Prevention of Terrorism Act 2005.
Ref:
- Schools should keep data safe by having a password
- Internet security
TASK 3 (P3, M1, D1)
The third part of your report will be about your recommendation as an expert.
You will need to:
List the measures you would put in place to protect data in a general context (not only school). (P3) (What would you do to protect data in School i.e. Passwords on systems, LAN School?, CCTV etc)
For this task it may be better for you to create a table:
Ref: GenDATA\ICT\BTEC\Student Resources\Year 11\Unit 17
Identify/list appropriate security measures for the school. (M1)
Security considerations
If you are asked to take responsibility for ICT security, you should remember the range of measures available to you:
1. Physical security measures, such as:
• CCTV
• Keypad locks
• Building passes
2. Logical security measures, such as:
• Anti-virus protection
• Firewalls
• Adware protection
• Spyware protection
• Encryption software
• Passwords and access codes.
For each recommendation, explain the reason why you need to put this in place. (D1)
CCTV
CCTV provides a record if, for example, someone breaks into the premises and attempts to steal property. The concept is that these cameras will be active at all times and will record computer access, use and the general comings and goings in a designated environment.
Keypad locks
Keypad locks, for example, can either be activated by a single key press sequence used by all users, or can require each user to have a different number. In the event that users have their own unique numbers, this information can be recorded and stamped with the date and time of access.
They keep out people who might be untrustworthy. Only those who are allowed to access an area that is normally restricted to others will be allowed to enter.
Building passes
Sometimes working alongside a keypad lock, swipe cards are also increasingly used. These cards carry detail in the magnetic strip, and, providing the correct information is read from the strip, the lock will release. These are often used to gain access to particular parts of buildings where not all staff are allowed.
They keep out people who do not attend the school, thereby keeping its staff, pupils and property safe.
Anti-virus protection
Anti-virus software can identify and block many viruses before they can infect your computer.
Firewalls
Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary Internet traffic. Firewalls can be configured to block data from certain locations while allowing the relevant and necessary data through. They keep hackers and identity thieves from accessing your computer.
Adware and spyware protection
Adware is another invasive product, which keeps displaying advertisements whether the user wants them displayed or not.
To protect against invasion by spyware and adware programs, programs that can identify and destroy these often irritating software applications can be downloaded and installed. These include:
• NoAdware Ad-Aware
• Javacool Software Spyware Blaster 3.5.1
• StopZILLA Spyware Remover 4.0
• Microsoft Antispyware Beta 1
Encryption software
Encryption software is a popular tool used to protect data from prying eyes. Some forms of encryption are extremely complex and exceptionally difficult to break.
For example, PGP (Pretty Good Privacy), invented by Phil Zimmermann, is popular for encrypting data files and email – it is often described as a military-grade encryption algorithm because of its complexity.
Passwords and access codes
Passwords and access codes are commonplace. It is likely that you will have a username and password to log on to your school or college systems. A password or access code is a sequence of characters, numbers or a combination of characters and numbers that a user keys in to gain access to a specific computer or network. This code should be secret (not given to anyone else) and should be something that another person is unlikely to be able to guess.
Task 4 (M2)
In the fourth part, explain with examples how an individual in an organisation can contribute to the security of data.
There are numerous ways in which an individual in an organisation such as Microsoft can contribute to the security of data. Firstly, they can set a password on all the computer programs that contain delicate information, including those they access at home. The individual must also make sure to change their password on a regular basis, perhaps once a week or every fortnight. They should also be careful not to give passwords away to anyone who does not work for the organisation, even if they are a family member. They should not misplace their key passes, as this could let them end up in the wrong hands and possibly cause the company damage, financial or otherwise. Private information about the company, e.g. bills and memos, should also be shredded using a diamond shredder if no longer needed, or kept locked up in a secure space where others cannot access it, preferably locked with a keypad.