Welcome to the ICT Department Unit 3_5 Security Policies.

Presentation on theme: "Welcome to the ICT Department Unit 3_5 Security Policies."— Presentation transcript:

1 Welcome to the ICT Department Unit 3_5 Security Policies

2 What are we going to cover?
- The corporate security policy
- Risk analysis
- Handling risk
- Audit

3 What are we going to cover?
- Security policy
- Risk analysis
- Handling risks
- Legal requirements
- Audit

4 The corporate security policy
Must be got right because of cost and user confidence. We have a security policy in order to provide:
- Prevention of misuse (integrity, loss, privacy)
- Detection
- Investigation
- Procedures
- Responsibilities
- Disciplinary procedures
- Damage limitation
- Recovery

5 The corporate security policy
The security policy must contain:
- Awareness / education
- Administrative controls
- Operational controls
- Physical protection
- Access controls to systems
- Disaster recovery plan

6 The corporate security policy
In other words:
- Prevention
- Detection
- Recovery

7 Threat detection
What are the threats to security?

ACCIDENTS
  Physical: hardware failure, network or power failures; human error; "Acts of God"
  Logical: bugs; configuration faults

DELIBERATE
  Physical: theft or damage; sabotage
  Logical: fraud; viruses and their kin; hackers; piracy

8 Performing a risk analysis
The risk must be assessed. The assessment can be conducted by:
- Looking at past records
- Estimating how much it will cost the company if a given event happens
- Rating each risk as high / medium / low

9 Performing a risk analysis
Consequences include:
- Interruption of processing
- Destruction of storage media
- Disclosure of sensitive information
- Delayed deliveries
- Loss of customer goodwill
- Bad information
- Corruption of records
- Slow network
- Theft of hardware or software
- Loss of production
- Loss of money
- Penalties from authorities
- Loss of competitive position
- System failure
- Business failure

10 Performing a risk analysis
Consequences of disaster can include:
- Interruption of processing
- Destruction of storage media
- Disclosure of sensitive information
- Delayed deliveries
- Loss of customer goodwill
- Bad information
- Corruption of records
- Slow network
- Theft of hardware or software
- Loss of production
- Loss of money
- Penalties from authorities
- Loss of competitive position
- System failure
- Business failure

11 Contingency Plan
Objectives:
- Limit financial losses
- Minimise the extent of interruption
- Define service alternatives
- Controlled emergency recovery
- Regain total processing capability
- Training

12 Avoiding Disaster
How do we avoid the disaster in the first place?
- Tighten operational standards
- Rationalise practices
- Make sure that hardware and software are compatible and therefore transferable
- Data is input, processed and output to the right people at the right time
- Disaster recovery plans
- Identify users and their roles
- Identify areas of vulnerability

13 Contingency Plan
Criteria used to select a plan:
- Scale of the organisation
- Nature of the operation
- Relative costs
- Likelihood

14 Legislation
You must be familiar with the legislation and its purpose before you go any further.
- Confidentiality and privacy (The DPA)
- Copyright and software protection (The Copyright and Patents Act)
- Health and Safety (Doh!)
- ICT and crime (The Computer Misuse Act)

15 DPA
- Be able to recite the 8 principles
- Learn exceptions and offences
- Give as many examples of breaches and how you would prevent them as you can
- Relate them to data being held, e.g.:
  - Putting terminals in non-public places
  - Shredding documents
  - Liability insurance
  - Cost of registration

16 The Computer Misuse Act
- You must be able to recite the three levels, and have an idea of penalties
- Give as many examples of breaches as you can and how you would try to prevent them
- Use examples directly related to misuse, e.g.:
  - Strong rules / codes of practice / procedures (what happens if inappropriate material is downloaded)
  - Staff training (no excuses)
  - Constant checking
  - Whistle-blowing procedures

17 The Copyright and Patents Act
- Give as many examples of breaches as you can and how you would try to prevent them
- Use examples directly related to this act, e.g.:
  - Prevention of installing any software
  - Make employees aware of consequences
  - Copyright of software developed on site is held by the company (usually)
  - Regular checks of stations
  - Lock down floppy / CD drives etc.

18 The Security Policy
Remember: you are being tested not only on the prevention, but on the procedures, policies and guidelines that contain the who, where, when and how!

19 Disaster recovery plan
Must minimise loss by ensuring safety, minimising damage and enabling recovery to work, and then minimise the consequent effects. The plan should include:
- Step-by-step documentation
- A list of all critical resources
- A method for securing all necessary resources
- What hardware and software are essential
- Training
- Providing redundant servers etc.
- Regular drills

20 Audits
What is an audit? Essentially it is a check or survey made by the company (or a consultant) to see that all of the hardware and software the company says it has purchased is present, and to check that there is no other hardware or software present that has not been listed.

21 Audits
Why audit?
- Identify errors or breaches of policy
- To monitor efficiency
- Legal requirement
- Allows better planning
- Allows standardisation
- Insurance assessment

22 Audits
What are you checking?
- Software licences
- Reconcile records (of hardware and software)
- Data integrity
(Which ones stop which security breaches?)

23 Audits
How do they check data?
- Make sure all entries are correct
- No duplicates
- Additions (all calculations) are correct
- Documentation exists
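The audit slides above (20 to 23) list what an audit checks: software licences, reconciling records against what is actually present, duplicate entries, and that the additions in the records are correct. The script below is an added example, not part of the presentation, showing how those checks look when written down. The licence register, the stated total and the workstation scan results are all constructed sample data; the product and workstation names are invented.

```python
"""Added example (not from the slides): a minimal software-audit reconciliation.

It performs the checks the audit slides list: licences held versus copies
installed, records reconciled against what is actually present, duplicate
register entries, and whether the register's stated total adds up.
All data below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LicenceRecord:
    product: str
    seats: int          # licences purchased
    unit_cost: float    # cost per seat as recorded in the register


# Constructed licence register (what the company says it has bought).
# The repeated "Office Suite" line and the wrong stated total are deliberate
# so the checks below have something to find.
REGISTER = [
    LicenceRecord("Office Suite", 10, 120.0),
    LicenceRecord("Office Suite", 10, 120.0),   # duplicate entry
    LicenceRecord("CAD Tool", 2, 900.0),
    LicenceRecord("Antivirus", 15, 25.0),
]
# Constructed clerk's figure: the duplicate line was added twice (4575.0);
# the correct sum over distinct records is 3375.0.
REGISTER_STATED_TOTAL = 4575.0

# Constructed scan results: product names found on each workstation.
SCAN = {
    "ws-01": ["Office Suite", "Antivirus", "CAD Tool"],
    "ws-02": ["Office Suite", "Antivirus", "CAD Tool"],
    "ws-03": ["Office Suite", "Antivirus", "CAD Tool", "Unlisted Game"],
    "ws-04": ["Office Suite", "Antivirus"],
}


def duplicate_records(register):
    """Products whose register line appears more than once (exact repeats)."""
    counts = Counter(register)
    return sorted(r.product for r, n in counts.items() if n > 1)


def deduplicated(register):
    """The register with exact repeat lines removed, order preserved."""
    return list(dict.fromkeys(register))


def seats_held(register):
    """Seats per product after removing duplicate lines."""
    held = Counter()
    for r in deduplicated(register):
        held[r.product] += r.seats
    return held


def installed_counts(scan):
    """How many workstations carry each product (once per machine)."""
    found = Counter()
    for products in scan.values():
        for p in set(products):
            found[p] += 1
    return found


def unlisted_software(register, scan):
    """Installed on some machine but absent from the register."""
    known = {r.product for r in register}
    return sorted(p for p in installed_counts(scan) if p not in known)


def over_deployed(register, scan):
    """Products installed on more machines than seats purchased: {product: (found, held)}."""
    held, found = seats_held(register), installed_counts(scan)
    return {p: (found[p], held[p]) for p in held if found[p] > held[p]}


def register_total(register):
    """Recompute the register total from distinct records."""
    return sum(r.seats * r.unit_cost for r in deduplicated(register))


def totals_match(register, stated_total):
    """Check the stated total against the recomputed sum (the 'additions' check)."""
    return abs(register_total(register) - stated_total) < 0.005


def audit_report(register=REGISTER, scan=SCAN, stated_total=REGISTER_STATED_TOTAL):
    """Collect every finding in one structure for the audit write-up."""
    return {
        "duplicates": duplicate_records(register),
        "unlisted": unlisted_software(register, scan),
        "over_deployed": over_deployed(register, scan),
        "totals_ok": totals_match(register, stated_total),
        "recomputed_total": register_total(register),
    }


if __name__ == "__main__":
    for key, value in audit_report().items():
        print(f"{key}: {value}")
```

On the sample data the report flags the duplicated Office Suite line, the unlisted game on ws-03, the CAD Tool installed on three machines against two seats, and a stated total that no longer matches once the duplicate is removed. Counting a product once per machine matters: a scan that lists the same product twice on one workstation would otherwise look like an extra installation.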

