LO6
6.1 - Understand the principles of information security
Confidentiality
– information can only be accessed by individuals, groups or processes
authorised to do
Not only is
this a key aspect of the concept of information security, but it is also a
legal requirement under the Data Protection Act. It is the responsibility of
the organisation to ensure that data is safe and to take measures to protect
that data. These measures could be such as ensuring that data is kept in a lockable
or electronic, such as restricting access to a computer network that holds
data.
Integrity
– information is maintained, so that is up to date, accurate, complete and fit
for purpose
This is
another practical as well as legal consideration. Inaccurate data can lead to
conclusions based on false information or time being wasted on phone calls to
numbers that no longer exist or are no longer relevant. The requirement to
maintain data is also part of the Data Protection Act.
Organisations
should have a planned pattern of data maintenance This could simply be a
process of checking the data periodically, possibly by sending contacts a list
of the data that is currently held about them and asking them to confirm that
it is correct. Organisations should also have a culture of checking and
reporting when data is inaccurate. As an example, a tutor may try to phone a
parent to pass on information. If they were to find that the students home
telephone number is not correct on the school’s system, that tutor should be
able to pass the information on so that records may be updated.
The
challenge here is making sure that the data is available to those who need it
(and in a format that they can use) and making sure that it is kept safe from
unauthorised access.
One of the
challenges is that if data is not easily accessible, users may decide to make
their own copies. This is a security risk, as the more copies of data there
are, the harder the data is to protect. Therefore, organisations need to ensure
that their information systems and associated hardware and software work as
intended and that staff do not feel the need to make extra copies.
6.2 Risks
Unauthorised
or unintended access to data- Unauthorised
access to data is any time that data is seen or used by those who should not
see or use it. The reason for someone seeking to access the data could be
espionage, which is for the purpose of gaining an advantage over the original
data holder (such as stealing sensitive information), or as a result of having
poor information management. This would include accidental access, when a
member of the public finds a discarded print out, or is able to see data while
a member of staff is working in a public area.
There are
two possible impacts here. First, if the data is sensitive, a competitor may
gain an advantage from seeing it. The second impact would be caused by a
possible infringement of the Data Protection Act if the lost data included
personal data.
Accidental loss of data
Intentional destruction of data
Intentional tampering with data
6.3 Impacts
Loss
intellectual property
Loss of service and access
Failure in security of confidential information
Loss of information belonging to a third party
Loss of reputation
Threat to national security
6.4 Protection measures
Policies
6.5 Physical protection
Locks,
keypads and bio-metrics
Placing computers above known flood levels
Backup system in other locations
Security staff
Shredding
old paper based records
6.6 Logical protection
Tiered
levels of access to data
Firewalls
Anti-Malware applications
Obfuscation
Encryption of data at rest
Encryption of data in transit
Password protection
Hi Tom, love Reece xxxx
ReplyDelete