Unit 7 – Organisational Systems Security Organisation rules and guidelines Unit 7 – Organisational Systems Security

Employment contracts Explain how employment contracts can affect security.

Employment contracts and security Hiring policy Separation of duties Ensuring compliance/ disciplinary procedures Training and communication of responsibilities

HCT ‘Recruitment & Selection Read the policy (on wiki) Identify areas you think reflect on security

Hiring policy Recruitment and promotion National employment laws Should check potential employee’s: Background Previous employment record References Criminal record Ability to complete an assessment task Probationary period

Separation of Duties What do you think this means? How can it affect security?

Separation of duties Avoid reliance on one individual Give critical tasks to team, each task has a knowledgeable deputy Applies equally to knowledge of system Includes: VPN Firewall Anti-virus System overview

Disciplinary procedures Task: A colleague has suggested that you have downloaded an expensive application from the company’s server and are going to use it at home. This is a breach of company policy and the law. What should happen? Describe the steps you think should occur.

Disciplinary procedures Any infringement needs to be dealt with fairly Process infringements to avoid false accusations. Possible steps: Independent investigation Suspension (with pay) Police involvement (any criminal matter)

Training and Communication Employer has responsibility: to train staff to maintain regular communication To ensure staff are aware of their responsibilities How can this be accomplished?

Task 2 (P5) In this section of your report you should explain how employment contracts can help security. Give examples. This section of your report should be at least 500 words in length. Hints: You should cover: Hiring policy Separation of duties Disciplinary procedures Staff training and responsibilities

Task 3 (P6) In this section of your report you should explain the legislation related to security and privacy of data. This part of the report should be about 500 words in length. Hints: You should cover: Computer Misuse Act (1990) Copyright, Designs and Patents Act (1988) Data Protection Acts (1984, 1998, 2000) Freedom of Information Act (2000)

Task 3 When you introduce the legislation you are talking about use its full title including the date (and capital letters) E.g. Computer Misuse Act (1990) You may quote relevant sections of the act. E.g. This act covers 4 offences “Unauthorised access with intent to commit or facilitate commission of further offences.” Make sure you reference accurately. Explain in your own words what the act does: e.g. This act makes it illegal to interfere with a computer unless authorised to do so. orientated

Data Protection Act 1998 Framework for handling data Gives individuals right to know what info is held If you process data you must register with DPA registrar and ensure that personal information is: Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate and up-to-date Not kept for longer than necessary Processed in-line with your rights Secure Not transferred to other countries without adequate protection

Data Protection Act 1998 What do the eight principles of the Data Protection Act 1998 cover?

Freedom of Information Act 2000 Access to official information Individuals or organisations have right to request information from: Any public authority – including local and central government The police NHS Colleges and schools They have 20 days to provide the information. May refuse if the information is exempt eg if releasing the information could prejudice national security or damage commercial interests. Examples: https://www.whatdotheyknow.com/ Personal information is NOT covered by this act!

Computer Misuse Act 1990 Three offences: Unauthorised access to any computer programme or data eg using someone else’s logon ID and password Unauthorised access with intent to commit a serious crime Unauthorised modification of computer contents. I.e. impairing the operation of a computer, a program or the reliability of data, includes preventing access to any program or data. E.g. the introduction of a virus, modifying another users files or changing financial or administrative data. Minor changes to tighten up act introduced through Police and Justice Act 2006, made unauthorised acts with intent to impair the operation of a computer illegal.

Copyright, Designs and Patents Act (1988) If you didn’t create it, it isn’t yours! No official registration system Rights start as soon as something is recorded, written, painted etc Don’t need Copyright symbol © Duration 70yrs after death for written work 50yrs from 1st recording for sound recording 70yrs after death for films (director/screenplay/dialogue/soundtrack) http://www.is4profit.com/business-advice/general-advice/copyright-basic-facts.html