LO6 security and protection

Question 1

what are the three security principles? 6.1

Answer 1

confidentiality, integrity and availability

Question 2

which act are the three security principles protected by? 6.1

Answer 2

data protection act 2018

Question 3

what does it mean by confidentiality? 6.1

Answer 3

Information should only be accessed by individuals or groups with the authorisation to do so.

Question 4

how to uphold confidentiality 6.1

Answer 4

protection measures like usernames and passwords = only authorised people can access the sensitive data. Tiered levels of access or permissions limit who has access to data.

Question 5

what does it mean by integrity? 6.1

Answer 5

Information is maintained so that it is up to date and fit for purpose.

Question 6

how to uphold integrity 6.1

Answer 6

regular data maintenance to update information (e.g. confirm contact details once a year). If storing data in a spreadsheet or database, record-locking should be used so that only one person can edit at a time, preventing the data from becoming incorrect.

Question 7

what does it mean by availability? 6.1

Answer 7

Information is available to individuals or groups that need to use it. Only be available to the authorised.

Question 8

how to uphold availability 6.1

Answer 8

staff = correct privileges to easily access data when required. Data could be stored online, e.g., in cloud storage = available remotely using an internet connection.
Data must be safe from unauthorised access. additional copies of information shouldn’t be made, can be lost or stolen.

Question 9

name potential risks 6.2

Answer 9

unauthorised access to data, accidental loss of data, intentional destruction of data, intentional tampering with data

Question 10

unauthorised access to data 6.2

Answer 10

data should only be viewed by individuals with authorisation, espionage and poor information management can occur due to unauthorised access.

Espionage = collecting data so that it can be used against an organisation - e.g. a competitor acquiring information about their rival’s product before it is launched publicly.
poor information management strategies = If in place and data is insecurely stored or too many people have access to sensitive information can probably be viewed by unauthorised persons.

Question 11

accidental data loss 6.2

Answer 11

Data loss = information being irreversibly lost, copy and the original version so it cannot be accessed as any format. e.g. accidental data loss = equipment failure or a technical error can lead to data corruption, like a database crash or hard drive failure.

Human error = an employee might accidentally delete a file or discard an important paper document without realising it.

Question 12

intentional destruction of data 6.2

Answer 12

= the act of purposely damaging an organisation by deleting or denying access to data. e.g. viruses that corrupt data so that it can no longer be used and targeted malicious attacks such as DDOS (distributed denial of service) attacks ransomware. Ransomware encrypts files so that they can only be accessed again when certain criteria have been met, usually, the affected group has to pay an extortionate fee.

Question 13

intentional tampering with data 6.2

Answer 13

This is when data is changed and no longer accurate. This could occur through fraudulent activity such as hacking to change information displayed on a webpage. An example is if a student or teacher changed exam answers for a better grade. A business example is if a company tampered with financial data to display larger profits and smaller losses than real figures, to boost investment or please stakeholders.

Question 14

what are some impacts when data is lost? 6.3

Answer 14

loss of intellectual property, loss of service and access, breach of confidential information, loss of third-party data, loss of reputation, identity theft, threat to national security

Question 15

what is intellectual property? 6.3

Answer 15

anything that an organisation or individual has designed, developed or created themselves

Question 17

impacts of intellectual property loss 6.3

Answer 17

The impact of having intellectual property lost depends on the property itself and how easy it would be for the victim to recreate or recollect the data. Competitors that stole intellectual property could use it to their advantage. Also, the effect of an upcoming announcement to the public would decrease if it was leaked ahead of time.

Question 18

impacts of loss of service and access 6.3

Answer 18

If usernames and passwords are stolen = unable to access services that they have paid for

an example being if WIFI details were stolen so that a hacker can access the internet using someone else’s account. If a hacker is permitted access to a system they can change the account settings such as the password to lock out the original owners of that account, leaving them without access.

Other services can be targeted with malicious attacks like a DDOS attack so that users cannot log into a web page or online service. If users cannot access an account they may use alternative methods and providers, such as avoiding one type of cloud storage provider that has let them down and choosing another.

Question 19

impacts of breaches of confidential information 6.3

Answer 19

Confidential information is highly sensitive and could lead to other negative impacts if it gets into the hands of unauthorised people. Confidential information, such as medical histories, should be stored securely with multiple physical and logical protections in place to ensure that it keeps its integrity.

If confidential information was breached then it could lead to a loss of reputation as the holder would be regarded as ineffective at protecting data. Legal consequences would also follow as the Data Protection Act 2018 would be broken; fines, court cases and imprisonment would be possible further impacts. An organisation would expect to see penalties from the information commissioner’s office if they failed to protect personal details by breaking the DPA.

Question 20

impacts of the loss of third-party data 6.3

Answer 20

Many organisations will store data not only for their own purposes but for other individuals and businesses too; a key example being cloud storage providers. Users can store data on public cloud servers such as google drive or drop box ad access their information using the internet from any network device they please,

If services like cloud storage services are hacked or taken offline (e.g. because of an attack or network problems) and data is lost then customers, especially those that pay, will be furious. This will lead to a loss of reputation, trust and even legal proceedings if personal and sensitive data is lost. Larger businesses will use private cloud storage, hosted in data centres that they maintain themselves, to avoid relying on third parties.

Question 21

impacts of loss of reputation

Answer 21

Failing to keep data safe means that an organisation has been unable to follow their legal and moral duty of keeping information secure and could lead to a loss of trade, resulting in reduced earnings and sales.

Question 22

impacts of identity theft 6.3

Answer 22

If an individuals personal data is stolen by attackers then one impact is identity theft - when the attacker uses the victims data for fraud or impersonation. Identity theft can lead to financial loss to the victim if loans, products or services are purchased in their name. the victim may have to contact the bank and other organisations to cancel transactions and there is no guarantee their money will be returned, credit checks may be affected, leading to future financial difficulty for the victim.

Question 23

impacts of threat to national security 6.3

Answer 23

data of a classified nature (military arrangements, security weak-points or upcoming government plans) if lost and fall into the wrong hands (probably by hacking) of those who intend to bring harm to the country then the country then the consequences can be disastrous. Spies of florigen countries or terrorists could use classified information to target vulnerable locations or events resulting in casualties. Threats could also be economic in nature if large amounts of money are stolen or redirected to malicious bodies.

Question 24

examples of security failures 6.3

Answer 24

• Virgin media
• Boots
• Marriott hotels
• Facebook messenger

Question 25

what are staff responsibilities in accordance with protection measures? 6.4

Answer 25

Staff of an organisation will spend most of the time amending the data so the company must have sufficient and effective protective measures so that staff know their role and responsibilities. Certain staff members may be responsible for different types of data e.g. personal and confidential. Clearly assigning specific roles ensures they know their job and the responsibilities if data is lost.

Which staff have what access is important. The more sensitive it is the less that should be revealed, and the higher the risk of it being tampered with.

Staff should be adequately trained in how to handle the data, including basic security techniques and how to protect data from unauthorised access and loss.

Question 26

examples of disasters that require a disaster recovery policy 6.4

Answer 26

natural disasters, hardware failure (power failure), software failure (virus damage) and malicious damage (hacking).

Question 27

what to do before the disaster 6.4

Answer 27

• All of the possible risks should be identified to spot any weaknesses
• Preventative measures should be taken after analysis, e.g. making rooms flood-proof or storing important information in a different location
• Staff training should take place to inform employees what should happen in the event of a disaster

Question 28

what to do during the disaster 6.4

Answer 28

• Staff response is important, they should follow their training and ensure the appropriate measures take place
• Contingency plans should be implemented such as uploading recent data to cloud storage or securing backups in a safe room and using alternative equipment until the disaster is over

Question 29

what to do after the disaster 6.4

Answer 29

• Recovery measures should be followed e.g. using backups to repopulate computer systems
• Replacement hardware needs to be purchased for equipment that is corrupted or destroyed
• Software needs to be reinstalled on the new hardware
• Disaster recovery policies should also be updated and improved

Question 30

what is an information security risk assessment? 6.3

Answer 30

Information security risk assessment should be conducted to ensure their physical and logical measures are up to data and that they provide the most effective methods of protection. There may be training drills of what should happen if a disaster or substantial data loss occurs so that the company is prepared. By testing the security measures in place, they can identify any weak points and fix those highlighted vulnerabilities to minimise the possibility of external and internal data intrusion.

Question 31

examples of specific cost impacts 6.4

Answer 31

These are necessary financial expenditures to ensure the security of data and systems, such as:
- Software = security software such as firewalls may be purchased to protect networked systems
- Hardware = buying secure storage devices and new computer systems
- Training = hiring industry experts to train staff on how to keep data secure
- Security = hiring staff to protect server rooms

Question 32

types of physical protection 6.5

Answer 32

locks, biometrics, security staff, Backus, shredding, RFID and tokens

Question 33

locks 6.5

Answer 33

can be used to prevent access to server rooms or sensitive data stores. Only authorised personnel with the rights key will have access.

Question 34

biometrics 6.5

Answer 34

require input of a human characteristic (fingerprint, iris, voice recognition)
The data is checked against previously inputted data in a database. A match will allow access to the user.

Question 35

staff security 6.5

Answer 35

staff may be employed to physically prevent unauthorised people from accessing certain areas of a building where sensitive information is stored. They may check ID key cards or use surveillance like CCTV to monitor who is entering and exiting a secure area.

Question 36

backups 6.5

Answer 36

should be taken regularly and stored at a secure location away from the main sight. Backups could also be stored on cloud servers so that any damage to the organisation’s building will not be affect by backups as well.

Question 37

shredding 6.5

Answer 37

cutting up documents so they cannot be reassembled or read. Sensitive data on paper or optical disk should be shredded when no longer required.

Question 38

RFID and tokens 6.5

Answer 38

radio frequency identification uses electromagnetic fields to attach tags to physical objects. They can be embedded within dumb objects such as clothing packages and even animals. Is used with security tokens like ID cards to permit the access of authorised people to certain areas. Can be used by IT companies to track equipment and manage access.

Question 39

what is logical protection? 6.6

Answer 39

using digital methods of security to protect computer systems and data.

Question 40

types of logical protection 6.6

Answer 40

usernames, passwords, anti-malware, firewall, encryption, tired levels of access, obfuscation

Question 41

usernames and passwords 6.6

Answer 41

usernames must be matched with a logical password to minimise the chances of unauthorised uses accessing a system.
Passwords should contain a mix of uppercase and lowercase letters, punctuation and numbers. Passwords should be of a substantial length (8 characters min) and should be regularly changed.

Question 42

anti-malware 6.6

Answer 42

scans a system and removes viruses. If left to infect a system a virus could delete data or permit access to unauthorised users.
Anti-spyware software removes spyware on an infected system so hackers cannot view personal data or monitor users.
Organisations should install and regularly update anti-virus and anti-spyware programs.

Question 43

firewall 6.6

Answer 43

prevent unauthorised access to or from a network.
Firewalls filter data packets and block anything that is identified as harmful to the computer system or network.
Firewalls can also be used to block access to specific websites and programs.
A firewall can be in the form of a physical device which is connected to the network, or software installed on a computer system.

Question 44

encryption 6.6

Answer 44

the conversion of data (plaintext) into an unreadable format (ciphertext) so it cannot be understood if intercepted.
Encrypted data can only be understood by an authorised system with a decryption key.
There are two types of encryption:
- Encryption at rest = when data is encrypted while it is being stored on a system or storage drive.
Encryption in transit = secure the data as it is being transferred between systems on a network.

Question 45

tired levels of access 6.6

Answer 45

= to grant different types of permission to certain users.
Managing levels of file access ensures that only authorised people can access and change certain files.
There are different levels of file access:
- No access
- Read-only = allows a user to view but not edit
- Read/write = allows a user to view and edit

Question 46

obfuscation 6.6

Answer 46

= when data is deliberate changed to be unreadable to humans but still understandable by computers.
Program code might be obfuscated to stop rival programmers from viewing and stealing it if they were to access it.
Specialist software can be used to obfuscate data and convert it back into a human-readable format.

Question 47

effects of accidental loss of data 6.2

Answer 47

If data is accidentally lost then hours of data entry and collection will have been for nothing and can delay dependant processes like analysis and trend recognition. Also, if it was personal data that was lost then the security principle or availability has been broken and the Data Protection Act 2018 has been breached.

Question 48

effects of unauthorised access to data 6.2

Answer 48

competitors would benefit from unauthorised access, and the Data Protection Act 2018 would be breeched.

Question 49

effects of intentional destruction of data 6.2

Answer 49

When data is intentionally deleted the organisation in question can replace data and any infected computer systems/devices or ignore the loss and not make the breach public - but has to recollect/reanalyse the data. Data deconstruction usually leads to a loss of reputation as customers won’t want to have their information stored in a system they see as unreliable and insufficiently protected. could lead to customer loss and a decrease in profits. If the loss is ignored and unreported then it could result in a huge loss of trust when it is eventually revealed

• like Yahoo who only confirmed a massive data breach that happened in 2013, two years later in 2016. this breach affected all 3,000,000,000 Yahoo accounts and is the largest data breach in the history of the internet.

Question 50

effects of intentionally Tampering with data 6.2

Answer 50

• loss of reputation as that organisation cannot be trusted to report data accurately.
• If altered then the security principle of integrity will have been broken as the data is no longer accurate.
• Data security methods and protection systems will also need to be reviewed if data has been tampered with, especially if it was an external individual that accessed and changed the data.
• Employees who tamper will be fired and may face legal action.