LO6

6.1 - Understand the principles of information security

Confidentiality – information can only be accessed by individuals, groups or processes authorised to do so

Not only is this a key aspect of the concept of information security, but it is also a legal requirement under the Data Protection Act. It is the responsibility of the organisation to ensure that data is safe and to take measures to protect that data. These measures could include ensuring that paper records are kept in a lockable location or, for electronic data, restricting access to the computer network that holds it.

Integrity – information is maintained, so that it is up to date, accurate, complete and fit for purpose
This is another practical as well as legal consideration. Inaccurate data can lead to conclusions based on false information or time being wasted on phone calls to numbers that no longer exist or are no longer relevant. The requirement to maintain data is also part of the Data Protection Act.

Organisations should have a planned pattern of data maintenance. This could simply be a process of checking the data periodically, possibly by sending contacts a list of the data that is currently held about them and asking them to confirm that it is correct. Organisations should also have a culture of checking and reporting when data is inaccurate. As an example, a tutor may try to phone a parent to pass on information. If they were to find that the student's home telephone number is not correct on the school's system, that tutor should be able to pass the information on so that records may be updated.

Availability – information is always available to and usable by the individuals, groups or processes that need to use it
The challenge here is making sure that the data is available to those who need it (and in a format that they can use) and making sure that it is kept safe from unauthorised access.

One of the challenges is that if data is not easily accessible, users may decide to make their own copies. This is a security risk, as the more copies of data there are, the harder the data is to protect. Therefore, organisations need to ensure that their information systems and associated hardware and software work as intended and that staff do not feel the need to make extra copies.


6.2 Risks

Unauthorised or unintended access to data – Unauthorised access to data is any time that data is seen or used by those who should not see or use it. The reason for someone seeking to access the data could be espionage, which is for the purpose of gaining an advantage over the original data holder (such as stealing sensitive information), or it could be a result of poor information management. This would include accidental access, such as when a member of the public finds a discarded printout, or is able to see data while a member of staff is working in a public area.
There are two possible impacts here. First, if the data is sensitive, a competitor may gain an advantage from seeing it. The second impact would be caused by a possible infringement of the Data Protection Act if the lost data included personal data.

Accidental loss of data

Intentional destruction of data

Intentional tampering with data


6.3 Impacts

Loss of intellectual property

Loss of service and access

Failure in security of confidential information

Loss of information belonging to a third party

Loss of reputation

Threat to national security


6.4 Protection measures

Policies


6.5 Physical protection

Locks, keypads and bio-metrics

Placing computers above known flood levels

Backup system in other locations

Security staff

Shredding old paper based records


6.6 Logical protection

Tiered levels of access to data

Firewalls

Anti-Malware applications

Obfuscation

Encryption of data at rest

Encryption of data in transit

Password protection


