SECURITY POLICIES Flashcards
Prevention of deliberate misuse?
- Methods of controlling access to computer rooms
- Establish firewalls - external hacking, unauthorised access
- Install proxy servers e.g. Controls what user can do on a network- block or allow access to certain web pages
- Methods of securing integrity of transmitted data e.g. Encryption methods including private and public keys
- Methods of physical protection of hardware and software
- Security of document filing systems e.g. Shrewd unwanted documents, don’t leave documents out for unauthorised to see
Prevention of accidental misuse?
- Backup + recovery procedures ( Incase of fire/ flood)
- RAID system - redundant array of inexpensive disc
- Grandfather, father, son systems
- Backups of storage media
What operational procedures could the company implement to prevent misuse?
- Screening potential employees
- Establish disaster recovery programme - everybody knows exactly what to do
- Define procedures for downloading - use of floppy discs, personal back up procedures
- Routines for distributing updated virus information + virus scanning procedures
- Set up auditing procedures -detection misuse
What are the factors the company should take into account when designing a security policy?
- The physical security - security guards, alarms, security cameras, biometric systems, key, codes
- Audit trails for detection - keeps records of all activities carried out by each user e.g no of doc printed, times and dates of logging on + off we pages visited + downloaded
- System access - establishing procedures for accessing data e.g. Log on procedures, firewalls
- Personnel administration e.g. Ensuring all staff respect security issues and aware of disciplinary procedure - train staff
- Operational procedures e.g. Disaster planning + dealing with threats from viruses
What are the factors that a company will consider when deciding how much to invest in security in order to reduce risk?
- Identify potential risks e.g. Viruses, theft, fire, sabotage
- Likelihood of risk occurring e.g. On scale of 1-5, 1 being highest 5 the lowest, chance of viruses is highly likely and chances of terrorism highly unlikely
- Identify short + long term consequences of the threat e.g (short term) *loss of income * bad reputation * legal action taken * staff have to resolve situation (long term) * extra costs * possibility of bankruptcy * difficult to gain customers again
- How well equipt is the company to deal with threat e.g. Create disaster recovery plan
Describe the use of user accounts and logs as a way of ensuring the confidentiality of customer records
- auditing keeps record of who has done what on the network
- allocation of passwords - managing user accounts by allocation of access levels to users
Explain factors the company should take into account when designing its security policy?
Physical security - involves protecting hardware and software using physical rather than software methods either to restrict access to the computer equipment or the storage medium (locks, guards, biometric methods)
Prevention of misuse using logical (software) methods - user ids, passwords, levels of access
Operational procedures including disaster recovery planning and dealing with threats from viruses, back up, updating antivirus
Staff code of conduct e.g downloading from the Internet
Describe in detail factors an organisation needs to consider when producing a risk analysis?
Identify potential risks e.g viruses, fire, natural damage, hacking, systems failure, fraud
Likelihood of risk occurring - some things such as power cut are inevitable but explosions much less likely, managers have to assess e likelihood of each risk occurring and put in the necessary security
Short term and long term consequences of threat - resources (staff equipment etc) need to be directed towards recovering the data, may have to pay compensation, financial loss due to loss of business through not being able to take orders
How well equipped is the company to deal with threat (what procedures are in place) - has to be reviewed periodically because of changing needs - disaster recovery programme - back up strategy
Explain with reasons what should be included in a disaster recovery plan
- Cost - set up a budget for it, what backup medium should be used?, tape or disc / raid systems depending upon the speed or money available to recover the data, hardware can be replaces how much money have they got, software can be re-installed (or debugged by the programming department
- Risk - what problems could occur? Likelihood of them occurring e.g. Are they going to get an earthquake in uk, on site or off site depending upon costs and the likelihood of the risk occurring and the criticality of the data
- Data - no business can afford to loose its data, backups of all data should be regularly made, is means that the worst case scenario is that the business has to go back to the situation of the last back up and carry on from there. Back ups may take a long time - often tape streamed at night
- Hardware/software/communications - the total or partial loss of computing equipment or software, the complete or partial loss of telecommunications equipment or services. The complete or partial loss of the premises housing the it equipment
Explain why the practise should have a security policy and give two examples of what this should contain, other than user accounts and logs
DPA puts an onus on the practise to keep this information secure because of its potential for misuse.
Rules on passwords
Access rights
Firewalls
Describe ways in which an employee can misuse the organisations ict facilities and give two possible penalties for misuse
- introduction of viruses by downloading games, not scanning portable media
- misuse by employees of the ict facilities e.g. Using telecommunications for own purposes e.g phone calls, emails
- blackmail, computer fraud or selling to other organisations
- distribution of material that is racially or sexually offensive e.g circulating offensive images over the organisations network
- informal (verbal) warnings
- written warnings
- dismissal
Describe in detail factors the college should take into account when deciding how to develop, control and minimise risk to data?
Identify potential threats
Likelihood of risk occurring
Short and long term consequences of the threat
How well equipped is the college to deal with threat
How much money the college has
Identify a problem that could arise if steps are not taken to minimise risk, discuss its possible impact and describe in detail a suitable strategy to overcome it
Example problem; staff unaware of who actually is I’m college this could be very dangerous if there is a fire or looking for an at risk pupil
Steps ; have a back up system which staff could have emergency access to lookup information
Other points : disaster recovery system, e,ploy a RAID system
Discuss in detail the potential threats to data and the possible consequences of accidental or deliberate destruction of data. Illustrate your answer with distinctly different examples in each case
Threats; Terrorism Natural disasters Sabotage Fire Theft
Consequences
Loss of business and income
Loss of reputation
Legal action
Methods which could be used to prevent the deliberate destruction or misuse of data
Methods for controlling access to computer rooms
Methods if securing integrity of transmitted data e.g encryption
Methods including private and public keys
Call back procedures for remote access
Establish firewalls
Use virus scanners
Proxy servers
Password systems
