8 – Protecting Data and Security


8 – Protecting Data and Security Component 2

Assessment Outcomes
8A – Explain the special security and integrity problems which can arise during online updating of files.
8B – Describe the dangers that can arise from the use of computers to manage files of personal data.

Crib Topics:
- Value of Data
- Causes for Loss of Data
- Data Security, Privacy, and Integrity Definitions
- Methods of Keeping Data Secure
- Legislation for Data Protection

Value of Data
Data is valuable for a number of reasons.
- It takes time to compile, a long time!
- It takes time to input the data into the computer.
- To recompile data or re-enter it into a computer is expensive because you have to pay someone to do it, when they could be doing something far more productive for your company.
- You need information about an order placed with your company so that you can process the order and then be paid for it - that's how your company makes a profit!
- You need to know when to pay your bills and taxes so that you don't get taken to court.
- You need to be able to chase up people who haven't paid you so that you can pay your bills and keep trading.

Causes for Loss of Data
- Hardware failure, such as the hard drive failing
- Software failure that corrupts data on the hard drive
- Losing data because of a virus
- A hacker altering or deleting data for 'fun' or for personal gain
- Espionage by a rival company or country
- The equipment that the data was on being stolen by a thief
- Data being accidentally deleted by an employee
- Data being deliberately deleted or stolen by an employee
- A natural disaster such as an earthquake

Security, Privacy, and Integrity Definitions

Security of data
This term relates to protecting data from unauthorised users. It is concerned with the steps that are taken to ensure that only those people with the need and right to view data can actually do so. It covers protecting access to data, picking up accidental or malicious changes to data that compromise data integrity, and also the steps taken to protect the systems that data is held on.

Privacy of data
This term relates to our expectation that our data belongs to us and nobody else. We can give permission for our data to be used by somebody else, and if an organisation is collecting data about us, we should be made aware in advance of what they will do with it. Ultimately, though, we own our own data and expect it to be protected from viewing by unauthorised viewers. We expect organisations to have systems in place that reduce the chance of unauthorised access to our private data.

Integrity of data
This term relates to our expectation that organisations that keep data about us take proactive steps to ensure that the data is accurate and up-to-date. When data is collected and processed, we expect that data to be correct. Organisations should have procedures to ensure that any accidental or malicious changes to data are detected and corrected in a timely fashion.

Security Methods
Security measures to protect systems and data
An organisation can take a number of practical steps to keep information private and confidential:
- It can ensure that a named person is responsible for ensuring that the organisation's DPA policy is enforced efficiently. This would ensure that employees are very clear about their responsibilities.
- The Data Protection Act should be followed to the letter. This means, for example, that data should be deleted when it isn't needed anymore and shouldn't be sent to countries that don't have legislation comparable to the DPA 1998.
- The organisation should ensure that access to the hardware that holds the data is restricted. This could be done by ensuring the hardware is in locked, secure rooms that can only be accessed by authorised users.
- The organisation could ensure that data files are password-protected, to ensure that unauthorised people who gain access to the files can't open them.
- Data could be encrypted using a software encryption tool such as PGP (Pretty Good Privacy). This means that even if the data is accessed or intercepted whilst being emailed, it can't actually be read.
- The organisation can ensure that the back-up policy in the organisation is being followed and that the back-up copies of data are themselves held securely and in encrypted form.
- Regular checks on computers for spyware, for example, should take place.

Security Legislation: Data Protection Act (1998)
Maintaining the privacy of data
The Data Protection Act 1998 requires that an organisation take steps to keep data secure. Any computer system that is accessible to people, either physically or over a network, has a problem - how does it make sure that only those people who should have access to data or resources on a network can do so and everyone else is excluded? How can it ensure that it keeps data secure? There are a number of ways to do this:
- Logins and passwords.
- Firewalls, proxy servers and authorisation.
- Firewalls and authorising a user from outside a LAN.
- Encryption techniques.
- Authentication techniques using digital signatures and digital certificates.

Methods of Securing Data
- Logins and Passwords
- Views of Data
- Firewalls
- Proxy Servers
- Encryption

Logins, Passwords, and Views of Data

Computer systems which hold data should not be accessed by just anyone. Only an authorised user should be able to log on to the system. This means that they should have their own login and password.

In addition, just because somebody can log in to a computer system doesn't mean they should be able to access all of the data on it. When somebody sets up a new login and password for a new employee, they also have to set up what folders and files that person can view and what they can do with them: what rights they have, e.g. to view a file, delete a file, amend a file and so on. This is known as the 'view of data' somebody has.

Although everyone in an organisation can access the same computer system with all of the data, each employee sees their own personal view of that data, depending on what job role they perform and what data they need to carry out that job. They cannot see any data that has nothing to do with their job role. Teachers, for example, can get access to a student's academic records and details about how to contact home, but they have no access to any medical records that the school may have about you on its system. On the other hand, the school nurse will be able to access your medical records but not your academic ones. The Head may be able to access all data.

Firewalls, proxy servers and authorisation

A Firewall, according to the British Computing Society's 'A Glossary of Computing Terms', "is a computing program used in a large computing system to prevent external users (even if authorised) getting access to the rest of the system. Network users' access is restricted to a small part of the system and the firewall software prevents a user (including unauthorised users) accessing data or executing any programs in the rest of the system".

When a user on a network wants to access data or applications held in a main server, it sends a request for the information. The request is intercepted by the firewall program sitting in a proxy server. A proxy server is simply a server that has been set up to control access to the main server. The firewall program will look at the request and the information about the user that is automatically attached to it. It then checks both that the user is valid and that they have the right to the information they are requesting. It is able to do this because it holds a database of all the users and their associated rights - it just needs to look up its database!

If the request is valid, then the firewall will send a message to a proxy server to retrieve the requested data. The proxy server will then access the data from the main server and pass it out through the firewall to the user. The user cannot access the main server directly but must go through the firewall and proxy server.
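The firewall-and-proxy lookup described above, combined with the per-role 'view of data' from the logins and passwords slide, as an added example that is not part of the original presentation. The logins, roles, record fields and function names are all constructed for illustration.

```python
from copy import deepcopy

# Constructed sample data standing in for the main server's files.
MAIN_SERVER = {
    "student-001": {
        "academic": {"maths": "B", "english": "A"},
        "contact": {"home_phone": "01632 960123"},
        "medical": {"allergies": "penicillin"},
    }
}
ALL = ("academic", "contact", "medical")
# The firewall's database: role -> category -> rights. Unlisted means denied.
RIGHTS = {
    "teacher": {"academic": {"view", "amend"}, "contact": {"view"}},
    "nurse": {"medical": {"view", "amend"}},
    "head": {c: {"view", "amend", "delete"} for c in ALL},
}
USERS = {"t.jones": "teacher", "n.patel": "nurse", "h.evans": "head"}  # constructed logins


def firewall_allows(user, action, category):
    """Check the user is valid and holds this right on this category."""
    role = USERS.get(user)
    if role is None:
        return False  # unknown login: reject before any data is touched
    return action in RIGHTS[role].get(category, set())


def proxy_request(user, action, record_id, category, changes=None):
    """The only route to MAIN_SERVER; returns None when the firewall refuses."""
    if not firewall_allows(user, action, category):
        return None
    record = MAIN_SERVER.get(record_id)
    if record is None or category not in record:
        return None
    if action == "amend":
        record[category].update(changes or {})
    elif action == "delete":
        return record.pop(category)
    return deepcopy(record[category])  # copy, so callers cannot edit server data


def view_of_data(user, record_id):
    """Everything this user may view in one record: their 'view of data'."""
    view = {}
    for category in ALL:
        data = proxy_request(user, "view", record_id, category)
        if data is not None:
            view[category] = data
    return view
```

Because rights are looked up per category and anything unlisted is refused, adding a new category of data to the server exposes it to nobody until a right is granted.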

Encryption

As a last line of defence, sensitive data should be encrypted. Encryption is a technique that takes data and scrambles it so that it doesn't make any sense until you decrypt the message.

Users may want to encrypt data for various reasons. For example, data may be encrypted as part of a company's procedures to comply with the Data Protection Act (to keep data secure). It may be that sensitive emails are being sent, for example holding medical, financial, national security or legal information.

Remember, emails are sent across the Internet using packet switching. There are programs that hackers can use to 'grab' packets on a network. Since email is simple text, it would be easy to read a packet. It is also possible that you could send information to the wrong address or that messages end up in the wrong place by accident.