Security Policy Flashcards

1
Q

Why is there a security policy?

A

To comply with the Data Protection Act that has been set out by the Government. This helps protect the company from any prosecution.

2
Q

Security Policy Factors

A

Physical Security

  • Locks
  • Biometrics
  • Metal Detectors
  • Barred Windows
  • Security Guards

Logical Security

  • Passwords
  • Frequency of change
  • Security of Passwords
  • User Names
  • Level of Access
  • Firewall
  • Encryption
  • Anti-virus

Continuous Investigation of Irregularities

  • Query any transaction that is out of the ordinary.
  • Query any file that is unusually opened.

Personnel Administration

  • Training, including prevention of accidental misuse.
  • Fitting the employee to the task.
  • Ensuring staff are controlled and can only get into the rooms they are allowed to.
  • Screening staff (making sure they don’t have a bad history).

Operational Procedures

  • Disaster recovery plan.
  • Dealing with threats.
  • Backup.
  • Updating anti-virus.

Disciplinary

  • Verbal Warning
  • Written Warning
  • Dismissal
  • Prosecution

3
Q

User accounts and logs

A

Auditing - keeps a record of who has done what on the network (1)

Auditing keeps records of:

  • Who (usernames) logged on (1)
  • What: details of files accessed / details of changes made / details of which machine was used / details of programs they used (1)
  • When: the times they logged on and off (1)

4
Q

Security Policy Risks

A

Terrorism - Cyber attacks to slow down or prevent online services (DDoS)
  • Consequence: Loss of reputation

Criminal sabotage - Attacks on firewalls by viruses to destroy data
  • Consequence: Loss of business and income

Theft by Hacker/Employee - Hacking into data to steal the company’s private files, or copying the files onto disc and selling them to rivals.
  • Consequence: Cost of recovering data

Natural Disasters - Floods, earthquakes etc.
  • Consequence: Cost of recovering data

Accidental Altering of Data - Overwriting files or accidental deletion of files
  • Consequence: Legal action

Theft of Data - Stealing storage media containing data
  • Consequence: Loss of business and income; bankruptcy

Fire - Electrical fire in server room
  • Consequence: Cost of new hardware

5
Q

Misuses to ICT systems

A

  • Introduction of viruses - by downloading games, not scanning portable media, not keeping virus scanners up-to-date etc.

  • Misuse by employees of the ICT facilities, e.g. using telecommunications for their own purposes (e.g. phone calls, email, videoconferencing, etc.) and using printers for personal use.

  • Distribution of material that is racially or sexually offensive - for example, sending offensive jokes by e-mail or text message, circulating offensive images over the organisation’s network etc.

  • Misuse of data for illicit purposes - for example, using e-mails and text messaging to bully someone at work or school/college.

  • Using data to set up their own business, etc.

  • Blackmail, computer fraud or selling to other organisations.

  • Violating terms of copyright or software agreements, thus causing the company to face legal action from software suppliers or other affected organisations.

  • Taking data from the system and not protecting it, e.g. losing a laptop.

6
Q

Operational procedures for preventing misuse

A

  • Screening potential employees - no criminal record, competence, qualifications, references.

  • Routines for distributing updated virus information and virus scanning procedures - up-to-date virus checking software.

  • Define procedures for downloading from the internet, use of floppy discs, personal backup procedures.

  • Establish security rights for updating web pages - only authorised staff should be able to alter website content.

  • Establish a disaster recovery programme - the series of steps that would be taken if data loss occurred.

  • Set up auditing procedures (audit trails) to detect misuse - keeps details of what was changed, who changed it and when, to detect fraudulent activity.

7
Q

Disaster Recovery plan: factors

A

  • Cost
  • Risk
  • Data
  • Hardware/Software/Communications
  • Personnel, Responsibilities and Training
  • Procedures

8
Q

Disaster Recovery plan: Cost

A

Set up a budget for it.

What backup medium should be used? Tape or disc?

RAID systems, depending upon the speed required or the money available to recover the data.

Hardware can be replaced: how much money have they got?

Software can be re-installed (or de-bugged by the programming department).

9
Q

Disaster Recovery plan: Risk

A

What problems could occur?

Likelihood of them occurring, e.g. are they going to get an earthquake in the UK?

10
Q

Disaster Recovery plan: Data

A

No business can afford to lose its data.

Backups of all data should be made regularly. This means that the worst-case scenario is that the business has to go back to the situation at the last backup and carry on from there. Backups may take a long time; they are often tape-streamed at night.

11
Q

Disaster Recovery plan: Hardware/Software/Communications

A

The total or partial loss of computing equipment or software.

The complete or partial loss of telecommunications equipment or services.

The complete or partial loss of the premises housing the IT equipment.

The loss of essential services such as electricity, heating or air conditioning.

Alternative communication/computer systems may be arranged in case a network goes down, or an alternative power supply.

12
Q

Disaster Recovery plan: Personnel, Responsibilities and Training

A

The loss of certain key employees (e.g. losing all the qualified network staff in one go due to them choosing to form their own facilities organisation).

The loss of maintenance or support.

Make one person responsible for backups, so people don’t assume others are doing it and it does not get done; or use online backup companies; or both.

Screening potential employees.

Routines for distributing updated virus information and virus scanning procedures.

Define procedures for downloading from the internet, use of floppy discs, personal backup procedures.

Define a staff code of conduct for using computer systems, e.g. no abusive emails, no illicit use etc.

What response would staff make when the disaster occurs?

13
Q

Disaster Recovery plan: Procedures

A

Produce procedures for minimising the risks.

Test the plan on a regular basis to make sure it is still sufficient.

Establish a physical protection system (firewalls etc.).

Establish security rights for file access and updating web pages.

Establish a disaster recovery programme. This starts with a backup policy to secure the data so it can be recovered later, e.g. the backup procedures required.

How often should backups be taken?

Restoration policy: back up every day/hour and rotate tapes to ensure there is always a copy from which to restore files.

What type of backup? Where is the backup to be stored?

Decide upon the type of backup (full, incremental or differential) depending upon how many items of data are changed.

Set up auditing procedures (audit trails) to detect misuse.

Premises location.
