ICT Security Policies


Security Policies. What is a policy? The aims or plan of action of a person or group (School OED). What is security? Precaution against theft; keeping something safe and secure (School OED). What do we need to apply policies to?

ICT Systems. What are the main features of an ICT system in a business?

ICT systems in a business consist of: hardware (computers, monitors, peripherals); software (operating systems, applications); data (the information the company needs in order to work, e.g. customer orders); data storage (hard drives, CD, DVD, flash memory); communication (networking, intranet, Internet); and the people who use them (key-to-disk operators, managers). What are the threats to data and systems?

Threats to data. Deliberate: terrorism; criminal vandalism/sabotage; white-collar crime (theft). Accidental: floods and fire; accidental altering of data; natural disasters.

Companies must ensure that data, hardware and software are not lost or damaged, and must restore communication systems as quickly as possible in the event of a problem. What are the possible consequences of these threats becoming a reality?

Consequences. Any of the threats previously mentioned could result in the loss of systems and data, leaving the organisation unable to function. The organisation could suffer: loss of income (a catalogue firm that cannot access its orders data); loss of business reputation (an insurance company unable to process claims from its customers); legal action (prosecution under the Data Protection Act or the Computer Misuse Act).

Deliberate threats. Terrorism, e.g. the Oklahoma City bombing of the Federal Building on 19 April 1995, which destroyed federal records. Criminal vandalism/sabotage, e.g. the deliberate destruction of network servers by planting viruses on them. Theft of data by employees to sell to competitors. White-collar crime, such as deliberately altering data in a database, e.g. transferring funds from company accounts into private accounts.

Accidental threats. Floods and fire, e.g. when the Buncefield oil terminal exploded it destroyed company records on a nearby industrial estate. Accidental altering of data, e.g. an inexperienced employee deleting an order from a customer file. Natural disasters, e.g. the tsunami that destroyed population, birth and death, and bank records. How can we guard against these?

Prevent accidental loss. Against destruction of files by fire, terrorism or floods, backup arrangements must be defined:
- keep backup files offsite and in fireproof containers;
- use an online tape or disc streamer which automatically backs up data on a network;
- use a grandfather-father-son rotation in batch processing systems, e.g. payroll;
- use RAID (Redundant Array of Inexpensive Discs) with mirrored discs. Note that mirroring protects against a failed disc, not against a deletion or corruption, which is mirrored to the second disc as well; backups are still needed.
Against destruction of files by human error: validation and verification measures; prevent overwriting; levels of access and rights; make hard discs read-only where the data is not meant to change.
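The grandfather-father-son rotation named above, worked through as a small planner. This is an added example, not material from the slides: the schedule it assumes (one backup a day; the month-end set is the grandfather, kept for 12 generations; the Sunday set is the father, kept for 4; every other day is a son, kept for 7) and the two-month history it runs over are constructed for illustration. Besides labelling media, it answers the question a recovery actually raises: which backup the business can go back to, and how much work is lost.

```python
"""Grandfather-father-son (GFS) backup rotation planner.

Added example; the generation rules below are assumptions chosen for
illustration, not a schedule taken from the slides:
  - a backup is taken every day;
  - the backup taken on the last day of a month is a "grandfather" (12 kept);
  - the backup taken on a Sunday is a "father" (4 kept);
  - every other backup is a "son" (7 kept).
Media that fall outside their generation's retention are reused.
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta

RETAIN = {"grandfather": 12, "father": 4, "son": 7}


def day(iso: str) -> date:
    """Parse 'YYYY-MM-DD' (convenience for callers)."""
    return date.fromisoformat(iso)


def classify(d: date) -> str:
    """Generation of the backup taken on day d; month-end takes priority over Sunday."""
    if d.day == calendar.monthrange(d.year, d.month)[1]:
        return "grandfather"
    if d.weekday() == 6:  # Monday=0 ... Sunday=6
        return "father"
    return "son"


def media_label(d: date) -> str:
    """Label to write on the tape/disc so its generation is visible offsite."""
    return f"{classify(d)}-{d.isoformat()}"


def prune(existing: list[date]) -> tuple[list[date], list[date]]:
    """Split existing backup dates into (keep, reuse) by per-generation retention."""
    by_gen: dict[str, list[date]] = {gen: [] for gen in RETAIN}
    for d in existing:
        by_gen[classify(d)].append(d)
    keep: list[date] = []
    reuse: list[date] = []
    for gen, dates in by_gen.items():
        dates.sort(reverse=True)  # newest first
        keep.extend(dates[: RETAIN[gen]])
        reuse.extend(dates[RETAIN[gen]:])
    return sorted(keep), sorted(reuse)


def restore_point(existing: list[date], target: date) -> date | None:
    """Newest kept backup on or before target: the state a recovery really returns to."""
    keep, _ = prune(existing)
    candidates = [d for d in keep if d <= target]
    return max(candidates) if candidates else None


def daily_run(start: date, days: int) -> list[date]:
    """Constructed history: one backup per day for `days` days from `start`."""
    return [start + timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    history = daily_run(day("2024-01-01"), 60)  # 1 Jan .. 29 Feb 2024
    keep, reuse = prune(history)
    print(len(keep), "media kept,", len(reuse), "free for reuse")
    for d in keep:
        print(media_label(d))
    # Going back to 20 Feb can only use the Sunday (father) set of 18 Feb.
    print("restore to 2024-02-20 uses", restore_point(history, day("2024-02-20")))
    # Nothing from mid-January survives: those sons and fathers were reused.
    print("restore to 2024-01-15 uses", restore_point(history, day("2024-01-15")))
```

The restore-point function is the part worth showing management: with 7/4/12 retention a request to recover Tuesday's state from a week-old problem lands on a Sunday set, and anything older than the oldest kept grandfather is simply gone. The counts in RETAIN are the policy decision; the code only makes its consequences visible.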

How can we prevent deliberate threats? These include the following.

Prevention of malicious damage. Deliberate threats include: hacking (unauthorised access); spreading a computer virus; computer fraud; physical destruction by vandalism and terrorism.

Hacking (unauthorised access): prevention. Define the security status and access rights of every user. All authorised users should be given user names and passwords; this limits unauthorised access to the network. The hierarchy is: identification (user name), authentication (password), authorisation (which files you can see and what you are allowed to do with them). Restrict physical access to files, e.g. smart cards to control entrance to rooms, and secured areas to hold servers.

Prevention of malicious damage: hacking (continued). Biometric scans, such as voice or hand prints and retina scans. Firewalls: a barrier between the internal network and outside connections (the Internet, remote dial-in). A firewall inspects the traffic entering the network and only lets through connections that its rules allow, so outsiders cannot reach internal machines directly; it is the logon procedure, not the firewall, that checks who the user is. Proxy servers: a device that sits between workstations and the Internet, so that outside hosts see the proxy's address rather than the IP (Internet Protocol) address of the workstation accessing the Internet.

Prevention of malicious damage: hacking (continued). Call-back procedures: some companies operate a dial-back system. A user logs on to the computer, which immediately disconnects the line and dials the user back on the number registered for that account. Someone who has obtained another user's password but is calling from a different line therefore never gets connected. Encryption: data transmitted over a network is encoded before transmission, so anybody intercepting it cannot understand it. Only the proper recipient, who holds the key, can decode it.

Spreading a computer virus. Viruses are programs introduced into computer systems which destroy or alter files by overwriting data, or by copying themselves over and over again until the system is full and cannot continue. Prevention: don't download unknown programs or attachments from the Internet straight to the hard disc; only use reputable sources. Write-protect media so they cannot be written to. Don't copy illegal software. Use virus-scanning software and a virus eradication program, and keep them up to date with the latest virus definitions (available from the Internet). Use diskless workstations on networks.

Computer fraud (white-collar crime). Bogus data entry, e.g. entering a fictitious bank customer. Bogus output: output destroyed to prevent discovery of fraudulent data entry or processing. Alteration of files, e.g. an employee alters their own salary rate or hours worked. Prevention of white-collar computer crime: all programs and user actions should be monitored and logged; all users should be identifiable and all files capable of being audited; keep online transaction logs; run auditing procedures over them to detect fraud.
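What "auditing procedures to detect fraud" looks like when applied to a transaction log, as an added example (not from the slides). The log format, the mapping of logins to payroll records, the business-hours rule and the six log lines are all constructed for illustration. Three checks correspond to the three fraud patterns on the slide: an employee editing their own payroll record (separation of duties), changes to sensitive tables outside working hours, and the "fictitious customer" pattern of creating a record and then paying money to it yourself.

```python
"""Audit-trail checks over a transaction log.

Added example, not from the slides. The log format, the user-to-employee
mapping and the log lines themselves are constructed for illustration.
Each line: <ISO timestamp> user=<id> action=<verb> table=<name> record=<id> key=value ...
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

KV_RE = re.compile(r"(\w+)=(\S+)")

# Which payroll record belongs to which login (constructed).
USER_TO_EMPLOYEE = {"jsmith": "emp0412", "pjones": "emp0077", "akhan": "emp0301"}
BUSINESS_HOURS = range(8, 18)  # 08:00 .. 17:59, Monday to Friday
SENSITIVE_TABLES = {"payroll", "accounts"}
REQUIRED = {"user", "action", "table", "record"}


@dataclass
class Entry:
    ts: datetime
    user: str
    action: str
    table: str
    record: str
    fields: dict[str, str] = field(default_factory=dict)


def parse(lines: list[str]) -> list[Entry]:
    """Parse log lines in time order; malformed lines are skipped, not allowed to abort the run."""
    entries: list[Entry] = []
    for line in lines:
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        kv = dict(KV_RE.findall(parts[1]))
        if not REQUIRED <= kv.keys():
            continue
        entries.append(Entry(ts, kv.pop("user"), kv.pop("action"), kv.pop("table"), kv.pop("record"), kv))
    return sorted(entries, key=lambda e: e.ts)


def findings(entries: list[Entry]) -> list[tuple[str, str, datetime]]:
    """Return (rule, user, timestamp) for every entry that matches a fraud pattern."""
    out: list[tuple[str, str, datetime]] = []
    creates: dict[tuple[str, str], datetime] = {}  # (user, customer record) -> when created
    for e in entries:
        # 1. Separation of duties: nobody may edit their own payroll record.
        if e.table == "payroll" and e.action == "UPDATE" and USER_TO_EMPLOYEE.get(e.user) == e.record:
            out.append(("self_modification", e.user, e.ts))
        # 2. Changes to sensitive tables outside business hours.
        if e.table in SENSITIVE_TABLES and e.action in {"UPDATE", "TRANSFER"} and (
            e.ts.weekday() >= 5 or e.ts.hour not in BUSINESS_HOURS
        ):
            out.append(("out_of_hours", e.user, e.ts))
        # 3. Bogus data entry: create a customer, then transfer money to it yourself within 30 days.
        if e.table == "customers" and e.action == "CREATE":
            creates[(e.user, e.record)] = e.ts
        key = (e.user, e.fields.get("to", ""))
        if e.action == "TRANSFER" and key in creates and e.ts - creates[key] <= timedelta(days=30):
            out.append(("create_then_transfer", e.user, e.ts))
    return out


# Constructed sample log: one benign payroll edit, one self-edit, one late-night edit,
# a create-then-pay pair, and one ordinary transfer.
SAMPLE_LOG = [
    "2024-03-04T09:12:33 user=jsmith action=UPDATE table=payroll record=emp0412 field=hours_worked old=37.5 new=38.0",
    "2024-03-04T09:15:02 user=jsmith action=UPDATE table=payroll record=emp0077 field=salary_rate old=14.50 new=15.00",
    "2024-03-05T23:41:10 user=pjones action=UPDATE table=payroll record=emp0412 field=salary_rate old=14.50 new=19.50",
    "2024-03-06T10:03:45 user=pjones action=CREATE table=customers record=cust9001 name=A.N.Other",
    "2024-03-08T16:20:00 user=pjones action=TRANSFER table=accounts record=acc5550 to=cust9001 amount=12000.00",
    "2024-03-08T16:25:00 user=akhan action=TRANSFER table=accounts record=acc5550 to=cust0123 amount=250.00",
]


def rules_triggered(lines: list[str] = SAMPLE_LOG) -> list[str]:
    """Sorted rule names that fired on the given log."""
    return sorted(rule for rule, _, _ in findings(parse(lines)))


if __name__ == "__main__":
    for rule, user, ts in findings(parse(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M} {user:8} {rule}")
```

Two points a practitioner would insist on: the log must be written by the system, not by the user being audited (otherwise rule 1 is defeated by editing the log), and the user-to-employee mapping has to come from HR records rather than from the payroll table itself, or the same insider can break the link the check relies on.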

Summary table.

Threat                        Consequence                     Prevention
Terrorism                     Loss of business and income     Backups
Criminal vandalism/sabotage   Legal action                    Restrict access
White-collar crime            Loss of reputation              Audit trails, transaction logs
Floods and fire               Loss of business and income     Backups kept offsite
Accidental altering of data   Loss of business and income     Validation, verification, read-only / write protection
Natural disasters             Loss of business and income     Online backups kept in a different city

ICT Security Policy Document. This document aims to reduce the risk from potential threats, both deliberate and accidental.

ICT Security Policy: definition. A security policy is a formal document which sets down the rules, procedures and responsibilities associated with the protection of information systems: the hardware and software used to run them and the data they contain. The policy should be written by senior management, who have strategic responsibility for the organisation. What factors should be taken into account when designing security policies?

The factors to take into account when designing security policies:
- Physical security
- Prevention of misuse
- Availability of an alternative computer system and a backup power supply
- Audit trails for detection
- Operational procedures (see the next slide)
- Continuous investigation of irregularities
- System access: procedures for accessing data, such as logon procedures and firewalls
- Disaster recovery planning, and dealing with threats from viruses
- Personnel administration: staff code of conduct and responsibilities; staff training; policy and maintenance staff available; disciplinary procedures

Operational procedures:
- Disciplinary procedures
- Screening potential employees
- Routines for distributing updated virus information and for virus scanning
- Defined procedures for downloading from the Internet, use of USB discs, and personal backups
- Established security rights for updating web pages
- An established disaster recovery programme
- Auditing procedures (audit trails) to detect misuse

Example ICT Security Policy

All organisations should have a security policy. The first step in creating one is to find out what the risks are and their possible effects upon the company. This is known as risk analysis.

Factors determining how much a company spends on controls to minimise risk: identifying potential risks; assessing the likelihood of each risk occurring; the short- and long-term consequences of the threat; how well equipped the company is to deal with the threat. Costs are not always financial.

1. What to do before?
- Do a risk analysis of potential threats: identify potential risks; estimate the likelihood of each risk occurring; assess the short- and long-term consequences of the threat; judge how well equipped the company is to deal with it.
- Put preventive measures in place: establish physical protection systems (firewalls etc.); establish security rights for file access and for updating web pages; establish a disaster recovery programme; set up auditing procedures (audit trails) to detect misuse.
- Train staff in operational procedures: screen potential employees; set routines for distributing updated virus information and for virus scanning; define procedures for downloading from the Internet, use of USB drives and personal backups; define a staff code of conduct for using computer systems, e.g. no abusive or illicit use.

2. What to do during? What response should staff make when the disaster occurs? 3. What to do after? Implement recovery measures. Hardware can be replaced. Software can be reinstalled (or debugged by the programming department). The real problem is the data: no business can afford to lose its data. Backups of all data should be made regularly, so that the worst case is that the business goes back to the state of the last backup and carries on from there. Backups may take a long time, so they are often tape-streamed at night. Alternative communication and computer systems, or an alternative power supply, may be arranged in case a network goes down.

What methods or practices are available to an organisation that wishes to protect its ICT systems? Many methods are available, and some or all should be used by organisations that want to protect their valuable data. These methods are known as layers of security (or layers of control).

Layers of Control (diagram). Around the core, IT SYSTEMS AND DATA, the slide draws six rings of controls:
- Building security: guards, ID cards, visitor passes, sign in/out.
- Terminal use controls: locks, swipe cards, biometric measures (e.g. fingerprint recognition).
- Authorisation software: access rights (e.g. no access, read-only, read-write).
- Communications security: automatic callback, encryption, handshaking procedures.
- Operational security: audit trails, unusual patterns of use, virus checks, backup and recovery procedures.
- Personnel screening: hiring policies, separation of duties, education and training, establishing standards of honesty.
Outside the rings sit the threats they defend against: espionage, fraud and theft, threats and blackmail; errors in programming, input and output procedures, and operations; natural disasters and accidents; invasions of privacy, virus introduction, malicious destruction of data.

Layers of control:
- Building and equipment security: locks and window grilles, guards, alarms and automatic fire extinguishers, ID cards, visitor passes.
- Authorisation software: user IDs and passwords.
- Communications security: databases are vulnerable to outside hackers; combat illegal access with callback, handshaking and encryption.
- Operational security: audit controls track what happens on a network.
- Audit trail: a record that traces a transaction.
- Personnel safeguards: users and computer personnel within an organisation are more likely to breach security than outsiders.
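The "authorisation software" ring above and the identification / authentication / authorisation hierarchy described earlier under hacking prevention, shown together in working code. This is an added example, not material from the slides: the user names, passwords, resource names and the access-control list are constructed, and the choice of salted PBKDF2-HMAC-SHA256 for storing passwords is this example's, not a recommendation the slides make. The three checks are kept as separate methods so the order the slide gives (who are you, prove it, what may you do) is visible, and rights are the three levels the diagram lists: no access, read-only, read-write.

```python
"""Identification, authentication and authorisation with access rights.

Added example, not from the slides. User names, passwords, resource names and
the ACL are constructed. Passwords are stored only as salted PBKDF2-HMAC-SHA256
digests; rights are none / read-only / read-write per (user, resource).
"""
from __future__ import annotations

import hashlib
import hmac
import os
from enum import Enum

PBKDF2_ITERATIONS = 600_000  # OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256
_DUMMY_SALT = bytes(16)      # used so unknown user names cost the same as known ones


class Right(Enum):
    NONE = 0
    READ = 1
    READ_WRITE = 2


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Directory:
    """User store plus access-control list: the 'authorisation software' layer."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # user name -> (salt, digest)
        self._acl: dict[tuple[str, str], Right] = {}        # (user name, resource) -> right

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)                               # per-user salt: equal passwords get unequal digests
        self._users[username] = (salt, hash_password(password, salt))

    def grant(self, username: str, resource: str, right: Right) -> None:
        self._acl[(username, resource)] = right

    # Identification: is this a user name we know?
    def identify(self, username: str) -> bool:
        return username in self._users

    # Authentication: does the caller know the secret for that name?
    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            hash_password(password, _DUMMY_SALT)             # same cost, so timing does not reveal valid names
            return False
        salt, digest = record
        return hmac.compare_digest(hash_password(password, salt), digest)

    # Authorisation: what may the authenticated user do to this resource?
    def authorise(self, username: str, resource: str, op: str) -> bool:
        right = self._acl.get((username, resource), Right.NONE)  # default deny
        if op == "read":
            return right in (Right.READ, Right.READ_WRITE)
        if op == "write":
            return right is Right.READ_WRITE
        return False                                          # unknown operations are refused

    def access(self, username: str, password: str, resource: str, op: str) -> str:
        """Run the three checks in order. The distinct reasons are for the audit log;
        the user should be shown one generic 'access denied' so names cannot be enumerated."""
        if not self.identify(username):
            return "denied: unknown user"
        if not self.authenticate(username, password):
            return "denied: wrong password"
        if not self.authorise(username, resource, op):
            return "denied: insufficient rights"
        return "ok"


def demo_directory() -> Directory:
    """Constructed directory: a clerk with read-only access to orders, a manager with read-write."""
    d = Directory()
    d.add_user("clerk1", "correct-horse-battery-42")
    d.add_user("mgr1", "staple-gorilla-77!")
    d.grant("clerk1", "orders.db", Right.READ)
    d.grant("mgr1", "orders.db", Right.READ_WRITE)
    return d


if __name__ == "__main__":
    d = demo_directory()
    for who, pw, res, op in [
        ("clerk1", "correct-horse-battery-42", "orders.db", "read"),
        ("clerk1", "correct-horse-battery-42", "orders.db", "write"),
        ("mgr1", "staple-gorilla-77!", "payroll.db", "read"),
    ]:
        print(who, op, res, "->", d.access(who, pw, res, op))
```

The read-only right is what stands behind "make hard discs read-only" on the accidental-loss slide: the clerk can look at orders but a slip of the hand cannot overwrite them. Default deny (no ACL entry means no access) is the rule that makes the manager's missing payroll entry a refusal rather than an oversight.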

Case study: War on the Web. Should we be more worried about terrorists using digital weapons than about chemical and biological attacks? A cyber-terrorist attack on our "critical information structure" (the electronic systems vital for government, the armed forces, business, finance, telecommunications, utilities and energy services) could paralyse the country and bring all these systems to a grinding halt. It is not hard to imagine terrorist organisations training and preparing hackers and virus writers around the world for a large-scale, co-ordinated assault that piles attack upon attack until systems fall over. It would be cheap and would involve little risk of those involved ever being caught. What can organisations do to protect themselves from cyber-terrorists?