Other than being legal, why is information security important?
Organisations collect, create and manipulate a wide range of data and information; the cost of these activities is often much higher than the organisation realises until they are lost or stolen.
Everyone who works with an information system should understand their responsibility to protect the system against theft or loss and all IT professionals need to understand how to support the organisation in protecting its digital assets and hardware.
This section of the unit will enable the learner to recognise the importance of protecting systems against any security issues or failures when working with the hardware and software and providing guidance to customers on the security of their systems. Additionally, it will also ensure that learners keep the importance of security at the forefront of their activities in order to identify threats and protect the organisation and its assets as they work with the information system while working towards the qualification as well as in the work place.
Task 01 – Just how secure is your school network. List three issues that you have known over the last 6 years and describe the problem, the risk and the solution to each.
Confidentiality - In today’s increasingly litigious and highly competitive workplace, confidentiality is important for a host of reasons, the most important being failure to properly secure and protect confidential business information can lead to the loss of business/clients.
In the wrong hands, confidential information can be misused to commit illegal activity (e.g., fraud or discrimination), which can in turn result in costly lawsuits for the employer. Many countries have laws protecting the confidentiality of certain information in the workplace. The disclosure of sensitive employee and management information can lead to a loss of employee trust, confidence and loyalty. This will almost always result in a loss of productivity.
Integrity - There’s no getting away from the fact that data comes from everywhere these days. Just as a few examples, we have mobile devices, loyalty cards, customer relationship management (CRM) systems, social media sites, GPS location data and complex market research tools. The source pool is still growing too; the ongoing development of concepts like the Internet of Things (IoT) mean that machines are also becoming an integral part of the data deluge. Alongside the more traditional computerised devices, businesses will soon be mining information from seemingly inanimate objects (think fridges, tables and cars).
With all of this in mind, data governance must be a priority. Not only will this information be arriving from all directions, it will exist in various formats: everything from numbers and formulas to individual words and pieces of text. Traditionally, just as many tools would be used to deal with it as well. Some staff would be relying on their own spreadsheets and word documents while other, more data-competent team members put their faith in advanced data visualisation tools.
Availability - Availability of information refers to ensuring that authorised parties are able to access the information when needed.
Information only has value if the right people can access it at the right times. Denying access to information has become a very common attack nowadays. Almost every week you can find news about high profile websites being taken down by DDoS attacks. The primary aim of DDoS attacks is to deny users of the website access to the resources of the website. Such downtime can be very costly. Other factors that could lead to lack of availability to important information may include accidents such as power outages or natural disasters such as floods.
How does one ensure data availability? Backup is key. Regularly doing off-site backups can limit the damage caused by damage to hard drives or natural disasters. For information services that is highly critical, redundancy might be appropriate. Having a off-site location ready to restore services in case anything happens to your primary data centers will heavily reduce the downtime in case of anything happens.
Task 02 – Describe the importance of Confidentiality, Integrity and Availability in the day to day running and management of the school with examples.
Risks to information
We have discussed some of the risks in LO1 to information but do you realise just how much at risk modern technology actually is? Watch the video below, from the TED talk.
Task 3 - Research news stories and news videos on each of the following types of risk:
- Unauthorised or unintended access to data (e.g. espionage, poor information security policy)
- Accidental loss of data (e.g. human error, equipment failure)
- Intentional destruction of data (e.g. computer virus, targeted malicious attack)
- Intentional tampering with data (e.g. fraudulent activity, hacking)
Produce a report describing:
- Type of risk (from the numbered list above)
- Name of holder of information
- Classification of information affected (e.g. sensitive, personal, public)
- Date of news report
- Description of what went wrong
- Was anyone charged or prosecuted?
Information on these can be gained from below:
- Teach-ICT.com – news articles sorted by topic: http://www.teach-ict.com/news/newstopics.htm
- Teach-ICT.com – news videos sorted by topic: http://www.teach-ict.com/news/newsvideos.htm
All the different examples of data misuse or breach, accidental or otherwise have an impact. Some of it is just embarrassing but for some, the breaches had a major financial or legal impact on the country.
For instance, the Panama Papers expose was an embarrassment, it drove newspaper front pages in Britain for a week and the government changed its policy, but in Iceland the government was fired, the and the bankers involved arrested.
Similarly the Ashley Madison leak led to multiple divorces, suicides and lawsuits but had little government impact. Sony’s double hack cost the company hundreds of millions and a severe loss of reputation but business was business and this could be repaired with incentives etc. The impact longer term however is something that cannot be easily hidden, Sony customers will find it hard to trust the company again, Ashely Madison had a massive drop in clientele (not to mention married couples doubting the fidelity of their spouse) and the Panama Papers has political and legal ramifications. We will look at the following as examples of impact:
- loss of intellectual property
- loss of service and access
- failure in security of confidential information
- loss of information belonging to a third party
- loss of reputation
- threat to national security.
Loss of service and access – for a period of time, and to sop other attacks companies tend to take their services offline. Networks shut down after virus attacks to make sure their network is now more secure and virus free, this downtime costs a lot of money through loss of business, again not something that can be claimed off insurance. Think of how long Sony was offline, similarly RBS Bank in Northern Ireland came offline for almost a week, a week when all customer accounts, including business accounts froze, stopping thousands of companies from selling and cashing in sales of goods.
Failure of security of confidential information (e.g. national security, payroll information, business strategies)- National security issues like Wikileaks are bad. A whole country’s reputation relies on this, lives, liberties and freedom of movement is restricted. This is the worst case scenario. Loss of payroll can cost a company huge amounts but losing corporate business strategies (corporate espionage) can cost a company more. Think of how much Samsung might gain to know what Apple will do next, or how Sony might have used use leaked information about the Xbox in terms of what to develop and what to make different or better. Click here.
Loss of information belonging to a third party – hacking for the benefit of another company or rival is called industrial espionage and it is a common business practice, illegal but common. Any private information that is leaked to a rival can impact on your business, planning a merger but the rival gets there first, planning a new product but the rival releases one sooner, moving to a new market or country but the rival is already there. The leakage of data is what makes it illegal and very hard to prove. But this can mean a major loss of income and this can damage or even kill a company. Click here and here.
Loss of reputation – Sony found it very hard to recover from the hack, Banks like Allied Irish found it hard to justify to shareholders and stakeholders, and government ministers apologise all the time for losing data. Reputation for some business. Look at Ratners and the scandal after their slip up, compare this to Wikileaks and the damage done to companies is everything. Loss of faith and loss of image can seriously damage a company's reputation through hacking and information leakages. Click here.
Threat to national security – This is the worst level, the scariest level and all countries are prone to this and their reaction is of equal measure. The case of Wikileaks and the Cables is the most talked about case in modern times but there have been more that have gone barely reported.
Click here for the Top 10 leaks.
Task 03 – Choose a high profile case from Wikileaks and discuss the Problem, the Issues related to it and why a country might see this as a national security threat. Discuss the moral and ethical implication s of the leak.
Similar but more malicious breached have been made towards companies directly such as:
Task 04 – Using the headings loss of intellectual property, loss of service and access, failure in security of confidential information, loss of information belonging to a third party and loss of reputation, discuss the breaches, the impact on the company and the impact on their customer base.
Protection Measures - Physical
This learning outcome is best taught holistically as this would be more appropriate to the sector and will encourage learners to widen their scope and considerations.
Learners should use what they have learned in Learning Outcome 1 to consider in more detail the options for protecting systems. An opportunity for group work arises here as the learners could be asked to find specific examples for a range of physical and software security which would help to protect the computer system from the various risks that they have already identified.
The learner should use their general findings and again apply them to an organisation with which they are familiar or have been given within a scenario by their tutor. The precise number of protection methods cannot be given as it will depend upon the precise nature of the organisation which has been identified but for supplied scenarios learners should be encouraged to consider a wide range and if they have chosen an organisation they have worked with and opportunities for implementing security measures is limited, they could identify what has been implemented already, potential improvements to it and the reasons for the implementation.
Even companies with the most modern network security standards can remain vulnerable to some physical -- and decidedly low-tech -- threats that networking professionals must consider when developing corporate security standards.
There are many forms of physical protection companies take in order to protect their equipment, depending on the level of threat and the potential cost of damage. Think about the security you see in the room around you now, and measure this against a company like IBM. The risk of loss through hacking or virus is greater for IBM and less on the potential burglary, whereas a school is the other way around.
The most common of these is locks (e.g. doors, computer screens, filing cabinets) Deterrents are, they need to be forced. 50% of the job, if a burglar or thief finds the door locked, they will usually walk away. Doors can be alarmed, they take time to get through, they can be seen to be open, similarly for windows and filing cabinets. This deterrent will push burglars away. Click here for details. Similarly screens are enough to deter internal crimes, what a thief cannot see, they are unlikely to take, specifically opportunist thefts like handbags, wallets, phones and laptops.
Task 05 – Describe to a new member of staff within a report, identifying the Physical Benefits of room and office security to organisation’s resources and data.
Placing computers above known flood levels would seem like an obvious security measure to take in the protection of hardware within a company, specifically in areas prone to flooding but measure this against the naivety of people when flooding happens. Click here. As soon as the recent floods happened, televisions, cookers, fridges, washing machines, people are surprised when the damage occurs. Looking at the school now, IT rooms are predominantly on the ground floor, even network rooms, the potential damage to the computer system when flooding happens is as much about data and electricity loss or surges as it is about repairable damage.
Similarly burglaries tend to be on the ground floor of building, thieves look in the windows and decide which rooms to burgle. It would seem obvious not to place important machinery on the ground floor but this is often weighed up against cost, access and efficiency. Placing hardware on a higher floor also means more doors to go through, more security, more chance of getting caught.
Task 06 – Describe to a new member of staff within a report, identifying the Physical Benefits of placing hardware above flood levels to organisation’s resources and data.
Back up systems in other locations – by law and by good practice schools backup all the files that get changed in a school day onto a tape drive after school closes. At the end of the week they back up the files onto a larger drive somewhere else so there is a safe copy. They also backup all the files a third time and take this backup off site. Usually this is stored in a fireproof safe somewhere remote. This might seem over the top but it costs less than £500 for the setup and £50 a month for the secure backups.
Why do this – It is right, morally and legally. For other companies they will do something similar, depending on the nature and importance of the data. Banks keep their information in several locations, each them protected by degrees of encryption, biometric and software based. The obvious benefits of remote backups is easy to understand, these are old data but if a company goes down, burns, crashes, gets hit by an earthquake etc. the downtime is massively reduced. New backup systems like Cloud are taking more precedence, after the Kyoto earthquake most companies who stored their data in the city were back online in days.
Task 07 – Describe to a new member of staff within a report, identifying the Physical Benefits of remote backup storage to organisation’s resources and data.
Keypads and biometrics – these are the highest levels of physical protection that a company can install ranging from the cheap, fingerprinting and keypads, to the expensive, biometrics, retina scanning, facial recognition and voice recognition.
We have all seen the films where they use an eye or a fingerprint to get past security, but these measures are not as they look, retina scanning only works with a living eye, the pupil dilates when scanned but does not when the muscle tissue is removed. Similarly with finger print recognition, all fingers are different and dead tissue breaks down the print recognition. But biometrics do work well in most cases.
Similarly keypads, they are designed to keep people out, they also track who went in, times entered, keeping a log of activity in some cases. Linking this to camera tracking can be the cure of most technical hacking internally. Similarly finger print logins on laptops or base machines will allow a user log to be generated of activity. All these measures are designed to be successful to a degree, each can be counter measured but the opportunist thief and hacker will always look elsewhere for the easier method is such security is installed.
Task 08 – Describe to a new member of staff within a report, identifying the Physical Benefits of biometrics and Keypads to organisation’s resources and data.
Security staff - the percentage of deterrents from other physical security is measurable but nothing beats Security Staff and Security presence. Even fake burglar alarms stop thieves from trying, the show of force, the presence of a guard is enough to stop the most determined. Suddenly the risk of getting caught is so much higher and the chance to deny proof is seriously reduced.
Security staff are both internal and external, operate cameras, watch the video screens, sometimes have dogs and do patrols. Internally they check every room before locking so this reduces the risk of someone hiding at the end of the day. They set the alarms and monitor door activity, check ID’s of people within the building and often stand guard around any particular area that is more at risk.
The big difference other than security is price, guards cost money, standard salary is £17,000, the cost of all the other security measures put together, companies have to weigh this against the value and impact of the damage and the amount security guards prevent loss. Other measures that are taken into consideration include increase in electricity, additional equipment costs, training, hiring, monitoring duty rotas etc. but for most companies like schools this is a necessity rather than a luxury.
Task 09 – Describe to a new member of staff within a report, identifying the Physical Benefits of Security Staff to organisation’s resources and data.
Protection Measures – Logical (Technical)
Physical protection works to a good degree but more often the attack comes form internal of external without the company even having to be in the same area. Internal attacks are more dangerous because these are deliberate and from staff who know the system, where files are stored, what way they are hidden and often know the security protocols in place to prevent attacks. External attacks means hacking and this is another level of issue that can be prevented with the right kind of software and protections.
Access levels – Standard windows is set up on two levels, user and admin, on a network this can be added to for the individual access levels of staff, areas can be set as a level, rooms, groups of machines etc. these are called profiles and can be set by the administrator or any other administrator with the levels of rights.
Similarly Access Rights can be set on folders and files as easily, allowing users to read the folders but not write back or delete, to open but not save. This feature is set as part of the OS and by the Admin users and is the standard, free, secure way of protecting files and folders and staying compliant with the DPA. The level of security this sets is medium, password still can be lost or guessed allowing other users the same rights if they decide to abuse the system.
Authorisation permissions - User rights control what a user can do on a network-wide basis. Permissions enable you to fine-tune your network security by controlling access to specific network resources, such as files or printers, for individual users or groups. For example, you can set up permissions to allow users into the accounting department to access files in the server’s \ACCTG directory. Permissions can also enable some users to read certain files but not modify or delete them.
Setting permission rights will restrict non-essential staff from looking at orusing information.
Access Control lists - Access control rights limit the user from damaging, modifying or accessing a file beyond their access levels. It restricts the file rights to whatever the network manager sets and can be done in whole groups like Students or a Class like Languages. Setting these rights protects files.
Task 10 – Describe to a new member of staff within a report, identifying the Software Benefits of setting Access Levels on files and Accounts to organisation’s resources and data.
Protection Measures – Logical (Technical) - Firewalls
Software firewalls - A firewall is a security-conscious router that sits between the Internet and your network with a single purpose: preventing external attacks. The firewall acts as a security guard between the Internet and your Network. All network traffic into and out of the system must pass through the firewall, which prevents unauthorised access to the network. Some type of firewall is a must-have if your network has a connection to the Internet, whether that connection is broadband, T1, or some other high-speed connection. Without it, sooner or later a hacker will discover and breach your unprotected network.
You can set up a firewall using two basic ways. The easiest way is to purchase a firewall program, which is basically a self-contained router with built-in firewall features like one Alarm or Sophos. Most firewall appliances include a Web-based interface that enables you to connect to the firewall from any computer on your network using a browser. You can then customise the firewall settings to suit your needs.
Alternatively, you can set up a server computer to function as a firewall computer (SSL). The server can run just about any network operating system, but most dedicated firewall systems run Linux. Whether you use a firewall appliance or a firewall computer, the firewall must be located between your network and the Internet, firewall is connected to a network hub, which is, in turn, connected to the other computers on the network. The other end of the firewall is connected to the Internet. As a result, all traffic from the LAN to the Internet and vice versa must travel through the firewall.
SSL (Secure Sockets Layer) is a method of encrypting TCP/IP transmissions—including Web pages and data entered into Web forms—en route between the client and server using public key encryption technology. If you trade stocks or purchase goods on the Web, for example, you are most likely using SSL to transmit your order information. SSL is popular and used widely. The most recent versions of Web browsers, such as Firefox and Internet Explorer, include SSL client support in their software.
If you have used the Web, you have probably noticed that URLs for most Web pages begin with the HTTP prefix, which indicates that the request is handled by TCP/IP port 80 using the HTTP protocol. When Web page URLs begin with the prefix HTTPS (which stands for HTTP over Secure Sockets Layer or HTTP Secure), they require that their data be transferred from server to client and vice versa using SSL encryption. HTTPS uses the TCP port number 443, rather than port 80. After an SSL connection has been established between a Web server and client, the client’s browser indicates this by showing a padlock in the lower-right corner of the screen in the browser’s status bar, in the URL textbox, or elsewhere.
Each time a client and server establish an SSL connection, they also establish a unique SSL session, or an association between the client and server that is defined by an agreement on a specific set of encryption techniques. An SSL session allows the client and server to continue to exchange data securely as long as the client is still connected to the server.
An SSL session is created by the SSL handshake protocol, one of several protocols within SSL, and perhaps the most significant. As its name implies, the handshake protocol allows the client and server to authenticate (or introduce) each other and establishes terms for how they will securely exchange data. For example, when you are connected to the Web and you decide to open your bank’s account access URL, your browser initiates an SSL connection with the hand shake protocol.
Anti-malware software – This is similar to anti-virus software in that it is designed to block attacks internally and externally. What they do is look for specific coding within files that allows a program to access the internet surreptitiously. This is usually spyware, malware and adware. These usually enter computer systems as cookies, that allows the program to temporarily turn off the firewall and allow a program to crawl onto the system. When the file becomes active it will then access the Internet to pass on information.
An anti-malware program intercepts these external IP calls and blocks them, then tracks the cause back and will then defend against further attacks by neutralising the external connection abilities of the program and then quarantining the program and code.
Examples of such programs are AdAware and Spybot. Because of the increase in malware that is available, the .dat files of these programs and others are updated when there are new threats. These programs and othes are 99% effective, combined with a good virus checker they are 99.9% effective, but it is still that 0.1% that gets through. With SSL protection combines this is even more secure.
A digital certificate is a password-protected and encrypted file that holds an individual’s identification information, including a public key. In the context of digital certificates, the individual’s public key verifies the sender’s digital signature. An organisation that issues and maintains digital certificates is known as a CA (certificate authority). For example, on the Internet, certificate authorities such as VeriSign will, for a fee, keep your digital certificate on their server and ensure to all who want to send encrypted messages to you (for example, an order via your e-commerce site) that the certificate is indeed yours.
The use of certificate authorities to associate public keys with certain users is known as PKI (public key infrastructure).
Task 11 – Describe to a new member of staff within a report, identifying the Software Benefits of Software Protection to organisation’s resources and data.
Protection Measures – Logical (Technical) - Backups
Backup utilities - these do not stop a problem from happening but limit the damage and downtime of the damage. There are all sorts of backup utilities, those that backup partially, fully, those that back up regularly, those that are set on a timer, software backups and hardware backups.
Examples of software backup lowest level include timed backup setting in Microsoft applications. These can be set by the user. Higher level backups utilities include server backup programs on Novell and Windows Server clients that set backup times and data flows at the end of each day to secure networks. These tend to backup onto an external hard drive, tape drive or different server.
The benefits of these are the obvious, secures against data loss, but there are other reasons, because of the DPA, because it is good policy, because of previous losses and learning the lessons included.
Encryption of files and folders and Encryption of entire discs – Encryption is the highest form of protection that can be put on information and the most essential when information is more valuable. Encryption is east as well, password protecting can be hacked but encryption adds a higher level of security. Basically it scrambles the information, the higher the bit encryption (16, 32, 64, 128 etc.) the more times it scrambles the information. This is true for files, folders and entire hard drives.
Questions will come up about how often you should backup, immediately, nightly, weekly and what form, onsite, offsite, cloud, each has their merits and each can be argued.
Protection Measures – Logical (Technical) - Obfuscation
Obfuscation - is the obscuring of intended meaning in communication, making the message confusing, willfully ambiguous, or harder to understand. It may be intentional or unintentional and may result from circumlocution (yielding wordiness) or from use of jargon.
The numerous software protection techniques have been developed and one of such software protection techniques is code obfuscation. The code obfuscation is a mechanism for hiding the original algorithm, data structures or the logic of the code, or to harden or protect the code (which is considered as intellectual property of the software writer) from the unauthorized reverse engineering process.
In general, code obfuscation involves hiding a program's implementation details from an adversary, i.e. transforming the program into a semantically equivalent (same computational effect) program, which is much harder to understand for an attacker.
Protection Measures – Logical (Technical) - Encryption
Prevents confidential data from being read by unauthorised hackers. Makes it incomprehensible to anyone who does not hold the ‘key’ to decode it.
- Transposition - characters switched around, how many times depends on the level of encryption
- Substitution - characters replaced by other characters, again , depends on the levels of encryption, the higher the level the more times it is switched.
Cryptography serves 3 purposes:
- Helps to identify authentic users by clarifying the ownership or identity of the user first.
- Prevents alteration of the message by locking the information from write or rewrite access.
- Prevents unauthorised users from reading the message but refusing to open, be opened, be inserted or read through another program.
- Sent with, sent after, kept on network of user and client. Without the key the information cannot be seen or the stages of hacking take longer.
Task 12 – Describe to a new member of staff within a report, identifying the Software Benefits of Encryption and Backups to organisation’s resources and data.
Protection Measures – Logical (Technical) - Passwords
Choosing a secure password is one of the easiest and least expensive ways to guard against unauthorized access. Unfortunately, too many people prefer to use an easy-to-remember password.
If your password is obvious to you, however, it may also be easy for a hacker to figure out. The following guidelines for selecting passwords should be part of your organisation’s security policy. It is especially important for network administrators to choose difficult passwords, and also to keep passwords confidential and to change them frequently.
Tips for making and keeping passwords secure include the following:
- Always change system default passwords after installing new programs or equipment. For example, after installing a router, the default administrator’s password on the router might be set by the manufacturer to be “1234” or the router’s model number.
- Do not use familiar information, such as your name, nickname, birth date, anniversary, pet’s name, child’s name, spouse’s name, user ID, phone number, address, or any other words or numbers that others might associate with you.
- Do not use any word that might appear in a dictionary. Hackers can use programs that try a combination of your user ID and every word in a dictionary to gain access to the network. This is known as a dictionary attack, and it is typically the first technique a hacker uses when trying to guess a password (besides asking the user for her password).
- Make the password longer than eight characters—the longer, the better. Some operating systems require a minimum password length (often, eight characters), and some might also restrict the password to a maximum length.
- Choose a combination of letters and numbers; add special characters, such as exclamation marks or hyphens, if allowed. Also, if passwords are case sensitive, use a combination of uppercase and lowercase letters.
Change your password at least every 60 days, or more frequently, if desired. If you are a network administrator, establish controls through the NOS to force users to change their passwords at least every 60 days. If you have access to sensitive data, change your password even more frequently.
- Do not write down your password or share it with others.
- Do not reuse passwords after they have expired.
- Use different passwords for different applications. For example, choose separate passwords for your e-mail program, online banking, remote access connection, dial-up connection, and so on. That way, if someone learns one of your passwords she won’t necessarily be able to access all of your secured accounts.
Password guidelines should be clearly communicated to everyone in your organization through your security policy. Although users might grumble about choosing a combination of letters and numbers and changing their passwords frequently, you can assure them that the company’s financial and personnel data is safer as a result. No matter how much your colleagues protest, do not back down from your password requirements. Many companies mistakenly require employees only to use a password, and don’t help them choose a good one. This oversight increases the risk of security breaches.
Task 13 - Describe to a new member of staff within a report, identifying the Software Benefits of Passwords to organisation’s resources
Protection Measures – Logical (Technical) - Wireless security
Wireless security - this is one of the more obvious risks companies can deal with but also one of the more common problems that occur when hackers try to gain access to company systems. Wireless security is simple, it means using either WPA, WPA2 or WEP security protocols on a wireless connection, setting a user secure password and limiting down the use of that password within the company.
To not have a password is called untethered, this will allow users to connect like it is a public network and use the network connection to download, install and do other illegal transactions. At the end of the day it is the width of the company’s broadband usage and the company’s legal implications on copyright that are the bigger risk to standard user.
For hackers this allows them to gain a backdoor access onto a company system and although there can be restrictions, it means they are already through the first door.
Manufacturers set up all of their new routers with the same default username and password. The username is often simply the word "admin" or "administrator." The password is typically empty (blank), the words "admin," "public," or "password," or some other simple word. Click here for the dangers.
Companies can increase their network security by adding in electronic controls to combat illegal access with:
- Call-back and Handshaking. E.g. generate random number and require user to perform some action (multiply first and last numbers together)
- Encryption and network Cipher Keys or One time Key registration for users
- Text_Captcha boxes for progression to stop hacking websites from randomising logins and DOS attacks.
- More secure transfer protocols on networks such as:
- SSH-TRANS, a transport layer protocol;
- SSH-AUTH, an authentication protocol;
- SSH-CONN, a connection protocol.
Task 14 - Describe to a new member of staff within a report, identifying the Software Benefits of Wireless protection and Electronic Controls to organisation’s resources
For this you need to define the software security measures and controls in place and state in your opinion the effectiveness of these security measures. Use news and articles to support your findings.
Task 15 – Discuss the effectiveness of Software, Control and security measures used in a school or business.
Protection Measures – Policies
The internet has samples of model security policies which are actually in use and the centre will have one too. Learners should research these and obtain copies of one or two comparing their ideas for policies and procedures with those from a real organisation such as the learning centre or an identified organisation. The learner will develop their reasoning so that they are able to move from general discussion to evaluating policies and guidelines which have been designed for a specific use within an organisation.
The learner should have a clear understanding of the type of organisation they are working with such as its functions, locations(s) and types of data it uses and then be able to review current policies and procedures for the organisation making recommendations for improvements. The learners should also consider how an organisations policies and procedures are linked to an individual’s contract of employment and the responsibilities and liabilities these place on the employee.
With regards to legislation learners should focus on what each of the Acts means, the purpose of the act and the implications for an organisation or individual. With constantly changing legislation learners should review and consider new or outline legislation or revisions that may affect an organisation in this way.
Every company that uses computers, email, the internet, and software on a daily basis should have information technology (IT) policies in place. It is important for employees to know what is expected and required of them when using the technology provided by their employer, and it is critical for a company to protect itself by having policies to govern areas such as personal internet and email usage, security, software and hardware inventory and data retention. It is also important for the business owner to know the potential lost time and productivity at their business because of personal internet usage.
Without written policies, there are no standards to reference when both sticky and status quo situations arise, such as those highlighted above.
So, what exactly are the IT policies that every company should have? There are six areas that need to be addressed:
- Acceptable Use of Technology: Guidelines for the use of computers, fax machines, telephones, internet, email, and voicemail and the consequences for misuse.
- Security: Guidelines for passwords, levels of access to the network, virus protection, confidentiality, and the usage of data.
- Disaster Recovery: Guidelines for data recovery in the event of a disaster, and data backup methods.
- Technology Standards: Guidelines to determine the type of software, hardware, and systems will be purchased and used at the company, including those that are prohibited (for example, instant messenger or mp3 music download software).
- Network Set up and Documentation: Guidelines regarding how the network is configured, how to add new employees to the network, permission levels for employees, and licensing of software.
- IT Services: Guidelines to determine how technology needs and problems will be addressed, who in the organization is responsible for employee technical support, maintenance, installation, and long-term technology planning.
Task 16 – Describe for your School why there is a need for an IT policy to be in place and the dangers that exist that the policy is designed to protect against.
On a larger scale, company IT policies tend to be standard across sites, the same IT policy in Subway in Chislehurst will be the same as the Subway in Ballymena, Corby, Glasgow. The risks are the same, the policies vary slightly depending on the nature of the business, the information the company manages and the security threats that have been successful or attempted from the past.
Staff at these companies will be aware of these policies, specifically when it comes to more sensitive information. Most companies get their staff to sigh an AUP, Acceptable Use Policy. In schools there should be one by the door to every classroom that has a computer.
Companies write these to protect themselves and their customers. Using two policies you will need to analyse, compare and review these based on a range of criteria that needs to be set.
Policies are there to protect customers information, staff details and to protect the company. Writing a policy document makes it legal. All new staff read these and sign an agreement that they understand it. Then it become official. They breach the policy, they signed the agreement. They download at work, they signed the agreement, they look at things they should not, you can see where this is going. Companies need to be protected, policies need to be updated when things change so the company remains protected.
And everyone is affected. When a student starts a school they sign the agreement, or their parents do, as do staff. This means we follow etiquette, we do not download, we do not abuse the emails, we do not look at inappropriate materials on the internet. Lowest case scenario is a verbal or written warning, or the facility is blocked, email is suspended. And as all emails and Internet traffic is monitored with a produced log and Internet trail, and as we know this, we abide by the rules.
Click here for statistics on why these policies are necessary.
Task 18 – Using 2 different business models and the Report Template, define the Policy Purpose and Policy Audience.
While usernames will be considered public information, passwords are the first line of defence at providing for computer and information security. It is inevitably the individual’s responsibility to maintain the security of their password while maintaining a certain level of complexity within that password as not to allow for breeches of that Username. Usernames and password management is a significant part of an overall solution to improve security. The overall protection of the key assets must begin with the individual who has access to them.
Policies outline how Usernames will be created and how a user will be required to choose a password that is considered to be strong given best practices as they exist currently. Additional requirements are usually outlined in policies as will the creation of default passwords, changing of passwords, and resetting of passwords. Each user of computing resources is expected to stick to their company policy.
Click here for statistics on why poor policies with passwords.
Task 19 – Using 2 different business models and the Report Template, define the Companies Policy on Passwords procedures.
Company policies are designed for a reason and the one particular danger that companies always come up with is the effective and abusive use of emails at work. There are two dangers involved in these, those who use emails trivially and those who use email maliciously. Company policy tries to limit the first and demands a halt to the second.
Ineffective use of emails can include sending trivial emails on company time, sending materials that are wrong, images, comments, slanders, using bad language, using inappropriate layouts and manners when sending emails to customers. Etiquette, restrictions and monitoring can manage these.
Malicious use of emails is more dangerous, cyber bullying, threatening behaviour, the spreading of materials such as images, viruses, leaked information, malware etc. These are harder to stop as the emails are already internal but they can cause damage to the company, prosecutions, reputations being lost. Click here and here for the damage though inadvertent use.
Task 20 – Using 2 different business models and the Report Template, define the Companies Policy on Email procedures.
Cyber Bullying is common in the outside world, emails, texts, Facebook comments, tweets etc., it is very easy to get and use IT for these purposes. There are news articles all the time that pick up on these. Policies within businesses are written to limit this down, when someone prosecutes, a company can become involved if it happens in the workplace and is not dealt with. The workplace is a hotbed of tensions, of personalities and potential problems. It is in the companies best interest to reduce down their involvement in this.
Monitoring is the simplest ICT method, all emails and stored, all internet activity monitored, audit trails and network logs will track all internet activity that goes through the system. Company phones and conversations with clients, customers and suppliers are recorded etc. this constant monitoring and pervasive tagging may seem over the top but it works, staff who are afraid of getting caught will limit their activities.
Task 21 – Using 2 different business models and the Report Template, define the Companies Policy on Cyber Bullying and tracking procedures.
Within every company there is sensitive information, staff details, customer details, reports, staff reviews, medical information and other information that needs to be protected under the Data protection Act. This is a given, information needs protecting but sometime sit also needs to be seen and not changed. Access privileges are set on two levels, staff rights of access and file rights of access.
For staff, limiting down folders, hiding information, storing things in different locations etc. this makes it more difficult to illegally or accidentally access, giving staff access privileges such as read rights, copy rights, and delete rights set the network controls on how those files are seen and read. For instance the network manager can see everything because they need to set the rights but is bound by a code of confidentiality, a standard office worker can see some customer information but only through granted access as related to their job. Abusing this privilege or attempting to access materials above their pay grade is considered a breach of the Computer Misuse Act.
Task 22 – Using 2 different business models and the Report Template, define the Companies Policy on Access Privileges procedures.
Backups are vital within a company and disaster recovery plans are linked to the levels, depth and location of these backups. To lose a connection for a minute for some companies can be annoying, possibly expensive, to be down for a day can cause a serious drop in profitability, to be down for a week will break a lot of companies. This is why businesses draw up a disaster recovery plan, and why backing up information, hourly, nightly and weekly is vital to this.
How fast a company can recover its systems is the key to this, PSN network was down for several days costing the company in the range of $18bn in reputation and compensation, RBS set aside £125m because of its ICT loss in February 2013. The IT disaster recovery plan after the Kobe Earthquake in 1995 was immense, a similar earthquake like March 2011 was less expensive because companies planned for it, had backups, had external sites, had cloud and network storage. For some companies the recovery time was hours.
By law, schools backup their files nightly and weekly, keep a backup in a fireproof safe and store a copy of the network off-site. Think of what a large company with a turnover of 100 times a school will need to do.
Task 23 – Using 2 different business models and the Report Template, define the Companies Policy on Backup and Disaster Recovery procedures.
Every new employee signs an AUP agreement, even if they do not physically write it down, all companies with computers have them. The physical and software security on a network is designed to almost all of the breaches that might happen. There are programs installed on most systems that help this, Novell Client, IIS, IP addressing, Login names and passwords, Firewalls, Virus Checkers, Proxy server software.
Just having the agreement is half the cure, staff can be fired for computer misuse, they sighed the AUP, they can have their job changed, they signed the AUP, they can have privileges removed, they signed the AUP.
Setting user levels also benefits the network Security, setting protocols and rights of access. And then there is external security, SSL, remote access, restricted service access, limited external access to files and more companies are moving across to cloud security for external files. At the end of the day, any company with more than 20 staff will have a network team that spends their days securing the network, finding new breaches, blocking new gaps, locking down new VPN’s, updating banned logs and monitoring incoming, outgoing and internal network activity.
Task 24 – Using 2 different business models and the Report Template, define the Companies Policy on Network Security and Policy procedures.
Just as policies are in place, computers are locked, windows are protected, software secure, then someone steals the box. Laptops, tablets, phones, memory sticks, portable hard drives, keyboards, mice and even the cables that connect them are at risk. Physical controls vary from company to company depending on the threat and the expense. A school would have locks on the doors, locks on the back of the computer and perhaps smoke alarms and movement sensors in the room. But this is not enough to stop theft or damage and for every computer missing or machine down due to partial or complete damage, there is a loss of business function. So we lock the windows, close the curtain, secure the rooms so no-one is in there without staff presence, security pen mark, infrared marking, we check each room after the lesson is done. But there are still things missing, mice, keyboards, cables unplugged etc.
In larger companies the physical controls also include card swipes, keypad security, fingerprint logins, laptop locks, video cameras, grills, screen protectors, guards, dogs, RFID tracking. Some companies even put silent alarms on the doors that destroy hardware that is removed from the room like banks and cash.
At the end of the day physical prevention and being seen to be preventing is a good deterrent, specifically against opportunist thieves.
Task 25 – Using 2 different business models and the Report Template, define the Companies Policy on Physical Controls procedures.
IT asset management is an important part of any business strategy. It usually involves gathering hardware and software inventory information which is then used to make decisions about hardware and software purchases. IT inventory management helps a company manage their systems more effectively and saves time and money by avoiding unnecessary asset purchases and promoting the better use of existing resources. Businesses that develop and maintain an effective IT asset management program further reduce the incremental risks and related costs of advancing IT demands on projects based on old, incomplete and/or less accurate information.
Hardware asset management is the management of the physical components of computers and computer networks, from acquisition through disposal. Common business practices include request and approval process, procurement management, life cycle management, redeployment and disposal management.
Think of it as replacing broken stuff before it is broken, ordering paper before the paper runs out, replacing IT equipment every 3 years, MOT’ing current hardware, hot-swopping, cascading, and finding new tools for old jobs. Think bathroom, think toilet paper, think Andrew Puppy.
Task 26 – Using 2 different business models and the Report Template, define the Companies Policy on Asset Management procedures.
User Responsibility – The AUP policy lays down the rules but these are ethereal, no frivolous emails, but what is frivolous. No Internet Searching, but what if it is necessary, how much should be spent finding the right information and what if the link goes somewhere it should not, what about Pop-Ups. And printing, single sided or double, colour or B&W.
Self control is a big issue in business, the Water Cooler philosophy, how much down time can a member of staff take advantage of to alleviate stress. Personal responsibility is something that is ingrained into staff in most companies, the love of the job, the devotion to the employer. Happy staff make productive staff. Good internet, email and file etiquette is hammered home but it is still something that is specific for the task. If it was the last page in the printer, would you go out of your way to put more paper in.
And at what point is it not your job, if a mouse is unplugged should you plug it back in. And tomorrow, and the next day, and every time a certain person walks past your desk. Should you replace the toner cartridge, should you click on the repair button in Windows, should you delete files on a shared drive just because you can.
This may all seem trivial but the self responsibility issue in companies can affect productivity, morale, personal space, and can affect customer care.
Issue Reporting – Most Intranets have a link on them to report a network issue, but all networks have software for recording their own issues. Tracking through network logs, web logs, email logs etc. and linking this through the portal allows a network manager to allocate resources and staff to repairs as they happen. For instance a printer log will tell the system when the cartridge is running low or paper is running out, a linked version will then order a replacement.
Similarly a web log records activity, looks at patterns, checks visited sites for issues and puts into place protocols that block them or caches them.
Staff reporting of issues pre-empts this, reducing down the need to wait for a fault report and allows a quicker turnover of repairs. Good business practice is to take advantage of both of these, personal and log, in order to reduce downtime, improve efficiency and alleviate staff stress.
Task 27 – Using 2 different business models and the Report Template, define their Policy on User Responsibility and Issue Reporting procedures.
Using a case study, involving an organisation that has suffered a breach of information security, or base this task on a real example from the Information Commissioner’s Office, create a report on how the policies listed below would have been effective in preventing the breach. Recommend modifications to policies and guidelines for managing organisational IT security issues.
Task 28 – Using a business models and the Report Template, recommend modifications to policies and guidelines for managing organisational IT security issues.
Consolidation of Protection Measures
Over the last few years, companies in every industry sector around the globe have seen their sensitive internal data lost, stolen or leaked to the outside world. A wide range of high-profile data loss incidents have cost organizations millions of dollars in direct and indirect costs and have resulted in tremendous damage to brands and reputations.
Many different types of incidents have occurred, including the sale of customer account details to external parties and the loss of many laptops, USB sticks, backup tapes and mobile devices, to name just a few. The vast majority of these incidents resulted from the actions of internal users and trusted third parties, and most have been unintentional.
As data is likely one of your organisation’s most valuable assets, protecting it and keeping it out of the public domain is of paramount importance. In order to accomplish this, a number of company controls must be implemented, combining strategic, operational and tactical measures.
However, before company controls can be effectively implemented, your organization must understand the answer to these three fundamental questions:
- What sensitive data do you hold?
- Where does your sensitive data reside, both internally and with third parties?
- Where is your data going?
The Ernst & Young: Data loss prevention document (page 15, What about policies and standards?)
Task 29 – Read page 15 of the policy attached here. Discuss whether you think these are appropriate, actionable, measurable for the type of Data stored and risk of loss from within and without the company.
From the range of scenarios below, select the most appropriate measures in each case and explain the reasons for each selection.
- Computer technician has noticed that there has been unusual internet activity traffic after school time and this is impacting on the schools bandwidth.
- Students are playing Counterstrike on the schools network during lunchtime and causing disruption in the library.
- Teachers issued school laptop has software installed on it that is not covered under the schools license.
- A teacher has lost their monthly reports off the shared network drive.
- Laptops from a laptop bank have been stolen from a mobile hut classroom.
- Students have been accessing Facebook through a VPN during lesson time.
- Teachers are showing a recent cinema film on the last days of term.
Task 30 - Identify and describe the protection measures suitable for a given situation within an organisation or for a given individual, including protection measures of physical, logical and policies.