Security Policies Flashcards
Name four different types of potential threats to data including an example and consequence for each
Terrorism - cyber attacks to slow down or prevent online services - legal action
Natural disasters - floods earthquakes - costs of recovering data
Fire - electrical fire in building - loss of business and income
Theft by hacker - hacking into data to steal private company details - loss of reputation
What are the consequences of the destruction of data?
Loss of business and income
Loss of reputation
Legal action
Cost of recovering data
Why is there a need for security policies?
Legislation obliges organisations to keep data secure eg. The Data Protection Act
The fact that data can be vulnerable to misuse eg. It can be deleted, copied, corrupted either accidentally or deliberately, by either internal or external individuals
Describe four different factors that should be taken into account when designing a security policy
Physical security - this involves protecting hardware and software using physical rather than software methods either to restrict access to the computer equipment or the storage medium eg. Using locks, biometrics methods
Prevention of misuse using logical (software) methods - user IDs, passwords, levels of access eg. Who can update web pages
System access - establishing procedures for accessing data such as log in procedures, firewalls
Disciplinary procedures - warnings and dismissals
Name 3 factors that should be taken into account when producing a risk analysis
Identify potential risks - eg. Viruses / fire / natural damage / hacking etc
Likelihood of risk occurring - some things such as a power cut are inevitable but explosions are much less likely. Senior managers have to assess the likelihood of each risk occurring and put in the necessary security
Short and long term consequences of threat - loss of business/income by not being able to take orders & cost of replacing equipment etc.
Describe the use of usernames and logs as a way of keeping records secure
Auditing keeps a record of:
WHO logged on (usernames etc)
WHAT details of files accessed, which machine they were accessed from and what programs they used
WHEN the times they logged on and off
Identify a problem that could arise if steps are not taken to minimise the risk, discuss its possible impact and describe in detail a suitable strategy to overcome it
Problem - staff unaware of who actually is in the building; this could be very dangerous in the event of a fire
Strategy - have a backup system on paper or off site which staff could have emergency access to, to look up information
Name four OPERATIONAL PROCEDURES which could prevent the misuse of data
Screening potential employees - ensure staff are controlled and fitted to the task
Routines for distributing updated virus information and virus scanning procedures - eg establish firewalls
Define procedures for downloading from the Internet, use of removable media and personal backup procedures - staff codes of conduct and penalties for misuse
Establish a disaster recovery plan - who does what and when, including checking the standby equipment
Explain four factors which should be included in a disaster recovery plan
Cost - set a budget for it, hardware can be replaced by the amount of money in the budget and software can be re-installed
Risk - what problems could occur, likelihood of them occurring eg. Are they going to get an earthquake in UK
Data - no business can afford to lose its data, backups should be regularly made, this means that the worst case scenario is that the business has to go back to the situation of the last backup & carry on from there
Personnel, responsibilities and training - screening potential employees and establishing routines for distributing updated virus information and virus scanning procedures
Name four METHODS which can be used to prevent the DELIBERATE destruction or misuse of data
Methods for controlling access to computer rooms eg. Locks
Methods to define security status and access rights for users
Use virus scanners to scan for malicious viruses
Security of document filing systems