Topic 5 Security policies Flashcards
Factors to take into account when designing security policies
Physical security e.g. locks
Logical security e.g. encryption
Disciplinary procedures
Personnel administration e.g. right employee for the right task
Operational procedures e.g. disaster recovery planning
Auditing - WHO/WHAT/WHEN
Operational factors to prevent misuse
Screening potential employees e.g. DBS check
Define procedures for downloading from the internet e.g. Code of conduct
Establish a disaster recovery plan e.g. Backup plans
Set up auditing procedures (audit trails) to detect misuse e.g. WHO/WHAT/WHERE
Staff training
User accounts and logs
Auditing - keeps a record of who has done what on the network
Auditing keeps records of:
WHO (usernames) logged on
WHAT - Details of files accessed/ details of changes made/ details of from which machine/ details of programs they used
WHEN - At what time they logged on and off
Methods of preventing deliberate misuse
Controlling access to computer rooms
Proxy servers- gateway server
Password hierarchy to limit access
Factors that should be included in a disaster recovery plan
Cost
Risk analysis
Short and long term consequences
Backup strategy
Methods of preventing accidental misuse
Backup and recovery procedures
Grandfather, Father, Son systems
Keeping backup copies off-site
Why should a business have security policies?
A legal requirement of the Data Protection Act because of its potential for misuse
Factors that decide how much to spend on protecting data (Risk analysis)
Identify potential risks
Likelihood of risk occurring
Short and long term consequences of threat
How well equipped is the company to deal with the threat (The disaster recovery plan)
Threats to data
Theft by employees
Natural disaster e.g. flood
Fire e.g. in the building
Power loss
Consequences of losing data
Loss of business and income
Loss of reputation
Legal action
(cost of recovering data)