LO6. Understand The Principles Of Information Security Flashcards

1
Q

6.1 Security Principles

List the 3 principles of information security.

A
  • Confidentiality
  • Integrity
  • Availability
2
Q

6.1 Security Principles

What is confidentiality?

A

Where information should only be accessed by individuals or groups with the authorisation to do so.
How to uphold this:
* An organisation should use protection methods like usernames and passwords to ensure that only the authorised can access the data.
* Tiered levels of access or permissions can limit access to the data.

3
Q

6.1 Security Principles

What is integrity?

A

Where information is maintained so that it is up-to-date, correct and fit for purpose.
How to uphold this:
* Organisations should carry out regular data maintenance to update information (e.g. confirm contact details once a year).
* If storing data in spreadsheets, record-locking should be used so that only one person can edit at a time, preventing the data from becoming incorrect.

4
Q

6.1 Security Principles

What is availability?

A

Where information is available to the authorised individuals or groups that need to use it.
How to uphold this:
* Staff should have correct access levels so they can easily access data when required.
* Data could be stored online so it is available remotely using an internet connection.
* Data must be kept safe from unauthorised access and staff shouldn’t make additional copies of information which could be lost or stolen.

5
Q

6.2 Risks

List the risks of poor information security.

A

Unauthorised access to data (e.g. espionage, poor information security policy)
Accidental loss of data (e.g. human error, equipment failure)
Intentional destruction of data (e.g. computer virus, targeted malicious attack)
Intentional tampering with data (e.g. fraudulent activity, hacking)

6
Q

6.2 Risks

What are 2 reasons why people gain unauthorised access to data?

A

[This is a part of security measure of confidentiality. - Data should only be accessed individuals…………. ].

  • Espionage is the act of collecting data so that it can be used against an organisation (e.g. a competitor acquiring information about their rival’s product before it is launched publicly).
  • If a company has poor information management in place and data is insecurely stored, or too many people have access to sensitive information, then it is more likely to be viewed by unauthorised persons.

Not only would competitors benefit from unauthorised access but the Data Protection Act (2018) would be broken if personal data was accessed.

7
Q

6.2 Risks

Reasons for accidental data loss?

A

Where the original version of a file is irretrievably lost, so cannot be accessed in any format.
* Equipment/technical failure that leads to data corruption, such as a database crash or hard drive failure.
* Human error, as an employee might accidentally delete a file or discard an important paper document without realising.

If data is accidentally lost, hours of data entry and collection will be all for nothing and might delay dependent processes such as analysis and trend recognition.

If personal data was lost, the security principle of availability would be broken and the DPA (2018) would be breached.

8
Q

6.2 Risks

Describe and give examples of intentional destruction of data.

A

This is the act of purposely damaging an organisation by deleting or denying access to data.
Examples:
- Viruses that corrupt data so that it can no longer be used and targeted malicious attacks such as DDoS attacks or ransomware.
- Ransomware encrypts files so that they can only be accessed again when certain criteria have been met, usually the affected group having to pay an extortionate fee.

9
Q

6.2 Risks

How can an organisation respond to intentional destruction of data?

A

When data is intentionally deleted, the organisation can respond by:
* replacing the data and any infected computer systems/devices, or
* ignoring the loss and not making the breach public, but having to re-collect/re-analyse the data.

10
Q

6.2 Risks

What are the impacts of intentional destruction of data on an organisation?

A
  • Data destruction will usually lead to a loss of reputation as customers won’t want to have their information stored in a system they see as unreliable and insufficiently protected. This loss of reputation could lead to customer loss and a decrease in profits.
  • If the loss is ignored and unreported, it could result in a huge loss of trust when it is eventually revealed.
  • For example, Yahoo only confirmed a massive data breach that happened in 2013 two years later, in 2016. This breach affected all 3,000,000,000 Yahoo accounts and is the largest data breach in the history of the internet.
11
Q

6.2 Risks

What is intentional tampering with data, and what are some examples?

A

This is when data is changed and no longer accurate. This occurs through fraudulent activity such as hacking to change information displayed on a webpage.
Examples:
* If a student/teacher changed exam answers for a better grade.
* If a company tampered with financial data to display larger profits and smaller losses than the real figures, to boost investments or please stakeholders.
12
Q

6.2 Risks

What are the impacts of intentional tampering with data?

A
  • Can result in a loss of reputation as the organisation wouldn’t be trusted to report data accurately.
  • If personal data has been altered, the security principle of integrity will be broken as data is no longer accurate.
  • Data security methods and protection systems will also need to be reviewed, especially if it was an external individual.
  • If internal, employees that tamper with data will be fired and may face legal action.
13
Q

6.3 Impacts

List the impacts of poor information security.

A
  • Loss of intellectual property (design, artwork, report)
  • Loss of service and access
  • Breach of confidential information
  • Loss of third-party data
  • Loss of reputation
  • Identity theft
  • Threat to National Security (NS)
14
Q

6.3 Impacts

Explain intellectual property.

A

‘Intellectual property’ refers to anything an organisation or individual has designed, developed or created themselves.

For an individual, this could be a manuscript, artwork or a piece of music.

For an organisation, it could be primary data they have collected, blueprints for an upcoming design or a report following data analysis.

15
Q

6.3 Impacts

Impact of loss of intellectual property

A

The impact depends on the property lost and how easy it would be for the victim to recreate/recollect the data.

In 2017, HBO suffered large property leaks when Game of Thrones episodes were stolen before the air date, resulting in pirated versions appearing online well before they were due to air on TV.

16
Q

6.3 Impacts

Elaborate on loss of service and access

A

If usernames and passwords are stolen, individuals may be unable to access services they have paid for.

For example, if WiFi details were stolen, the hacker can access the internet using someone else’s account. If the hacker is permitted access to a system, they can change the account settings such as the password to lock out the original owners of that account, leaving them without access.

17
Q

6.3 Impacts

Elaborate on loss of service and access pt2

A

Other services can be targeted with malicious attacks like a DDoS attack so users can’t log into a webpage/online service. If users can’t access their account they may use alternative methods and providers, such as avoiding the cloud storage provider that let them down and choosing another.

20
Q

What is confidential information?

A

Confidential information is of a highly sensitive nature and could lead to negative impacts if it got into the hands of unauthorized people.

21
Q

Give an example of confidential information.

A

Medical histories

22
Q

What measures should be in place for storing confidential information?

A

Multiple physical and logical protections

23
Q

What are potential consequences of breaching confidential information?

A

Loss of reputation, legal consequences, penalties

24
Q

What could happen to an organization if it breaches confidential information?

A

Fines, court cases, imprisonment

25
Q

Which act is broken if confidential information is not protected?

A

Data Protection Act (2018)

26
Q

What penalties might an organization face for failing to protect personal details?

A

Penalties from the Information Commissioner’s Office (ICO)

27
Q

True or False: Breaching confidential information has no impact on an organization’s reputation.

28
Q

Fill in the blank: If confidential information is breached, it could lead to a loss of _______.

A

reputation

29
Q

What can immediately destroy an organization’s reputation?

A

Data loss - Organizations invest years in building a reputation based on customer trust, which will be lost after this occurs.

30
Q

What can failing to keep data safe lead to?

A

Loss of trade, reduced earnings, and sales - Organizations have a legal and moral duty to keep information secure.

31
Q

What is identity theft?

A

When an attacker uses a victim’s personal data for fraud or impersonation - This can occur if an individual’s personal information is stolen.

32
Q

What financial impact can identity theft have on a victim?

A

Financial loss due to unauthorized loans, products, or services purchased in their name - Victims may face challenges in recovering their money.

33
Q

What may victims of identity theft need to do regarding their transactions?

A

Contact their bank and other organizations to cancel transactions - There is no guarantee that their money will be returned.

34
Q

How can identity theft affect a victim’s future financial situation?

A

It may affect credit checks, leading to financial difficulties - Affected credit can impact future loans and financial opportunities.