4.3.5 ICT Security Policies Flashcards

1
Q

What are the threats to an ICT system? (expansion)

A
  • Terrorism: cyber attacks to slow down or prevent online services; results in loss of reputation
  • Natural disasters: earthquakes result in loss of power, and damage to ICT systems caused by building collapse results in high costs of recovering data
  • Fire: electrical fire in the building, overloaded power sockets, unsafe wiring; results in the loss of business and income
  • Theft by hacker/employee: hacking into data to steal company private details; results in legal action
  • Sabotage: attacks on firewalls by viruses to destroy data; results in loss of business and income

2
Q

What are the consequences of data misuse?

A
  • Loss of business and income
  • Loss of reputation
  • Legal action
3
Q

What are the factors to take into account when designing security policies?

A

Physical Security:
-the need to restrict access to equipment
-the need to restrict access to storage medium

Software Security:

  • use logins and passwords to restrict access to computers
  • use level of access to certain programs, files and data

Physical Methods:

  • Controlling access to the room: by using keypads on the doors, biometric methods
  • Controlling access to the building: security guards, logging people in and out
  • Using security cameras in computer rooms

Personnel Administration:
Training: trained staff are less likely to disobey the code of conduct and less likely to make mistakes
Fitting the employee to the task: ensuring that the employee's knowledge and skills match the task they have to complete

4
Q

Factors to take into account: Physical Methods

A
  • controlling access to the room - by using keypads on the doors
  • controlling access to the building - security guards, logging people in and out
  • using locks on computers - to prevent them from being switched on
  • locking the computers away
  • using security cameras in computer rooms
  • use of a device to prevent removable media being inserted
  • fireproof safe for storage of data
5
Q

Factors to take into account: System Access

A

Login Procedures: a user name is used to identify each user of a network. This allocates a storage area and file access.

Access rights: restrict a user's access; the network manager allocates them, e.g. different levels for files such as READ ONLY, READ/WRITE, etc.

Firewalls: control the data traffic between networks and look at each packet of data to see if there is anything about the data that breaches the security policy.

6
Q

What are the operational procedures for misuse? (used to minimise or prevent threats)

A

Screening potential employees:

  • ensure staff are controlled
  • fit employee to the task
  • CRB checks

Establish procedures for training staff: who/what/when

Login Procedures:

  • Allocating access rights
  • change passwords regularly
  • don’t write passwords down
  • use upper case and lower case

Establish a disaster recovery programme:

  • who does what and when, including checking the standby equipment
  • backup plans i.e how often

Setup auditing procedures to detect misuse:

  • Who/What/When
  • continuous investigation of irregularities
  • query any transaction out of the ordinary
7
Q

Method of keeping records secure: user accounts and logs

A
Auditing keeps records of:
-who is logged on and where
-what files they have accessed
-details of changes and details of programs they have used and made
-when they logged on and off
8
Q

A multinational bank is carrying out a risk analysis. Other than the risks themselves,
describe in detail three of the factors the company should take into account when
deciding how to minimise the risk to data. 2016

A

Likelihood of risk occurring:

  • some things, such as a power cut, are inevitable, but explosions are much less likely
  • senior managers have to assess the likelihood of each risk occurring and put in the necessary security

Short and long term consequences of the threat:
-resources (staff, equipment, etc.) need to be directed towards recovering the data / may have to pay compensation / financial loss due to loss of business through not being able to sell mortgages, loans, etc.

How well equipped is the company to deal with the threat:

  • (What procedures are in place)
  • has to be reviewed periodically because of changing needs
  • disaster recovery programme
  • backup strategy
  • cost (how much they are prepared to spend), use of firewalls - use of anti virus
9
Q

What are the types of prevention of accidental misuse?

A
Backup and recovery procedures:
-Standard backups to floppy disc
-RAID systems - mirror discs (Redundant Array of Inexpensive Discs)
-Grandfather, Father, Son systems
-Backing up program files
10
Q

What can be done to prevent deliberate crimes or misuse?

A
  • Methods for controlling access to computer rooms
  • Methods of securing integrity of transmitted data e.g.
  • Establish firewalls
  • Proxy servers
  • Methods to define security status and access rights for users
  • Methods for physical protection of hardware and software
  • Security of document filing systems
11
Q

What are the factors that determine how much a company spends to develop controls / minimise risk?

A
  • Likelihood of risk occurring
  • Short and long term consequences of threat
  • How well equipped is the company to deal with threat
12
Q

“Organisations are aware that data can be lost due to accidental misuse. Explain different methods that the organisation could use to prevent it.” June 2016

A

Backup and recovery procedures: procedures for backups, where to keep backups, scheduling backups

Backup storage devices and media: magnetic tape; magnetic disks; flash pens

RAID systems; clustering; grandfather/father/son system
