HIGHER INFORMATION SYSTEMS Security Strategy

Upload: mimis

Post on 25-Feb-2016


TRANSCRIPT

Page 1: Higher Information Systems

HIGHER INFORMATION SYSTEMS

Security Strategy

Page 2: Higher Information Systems

Security Strategy

You will need to be able to explain:

• Data Security
• Data Integrity and Data Privacy
• Risks
    Hacking
    Denial of Service (DOS)
• Policies & Procedures
• Password Guidelines
• Virus Protection
    Prevention, Detection, Repair
• Firewall
• Encryption
• Access Rights

Page 3: Higher Information Systems

Security Strategy

Data Security

• Physical loss – fire or flood.
• Electronic problems – faulty hardware or magnetic influences.
• Theft – by a competitor.
• Malicious access, deletion or virus attack.

Page 4: Higher Information Systems

Security Strategy

Data Integrity

• Is the data correct?
• When data is entered, double entry can be used.
• Call centres ask customers to spell names, and details are read back.
• Transmission errors can cause data errors.
• Viruses, hardware breakdown or computer crime can cause problems.

Page 5: Higher Information Systems

Security Strategy

Data Privacy

• This is personal or sensitive data.
• Is the data safe from unauthorised people?
• In school we have passwords and user logons so that no one else can access your files.
• People within school have different levels of access; this means data can be kept more secure. E.g. Guidance have access to personal information but teachers do not.

Page 6: Higher Information Systems

Security Strategy

Summary

The network manager keeps the data secure. (Fire, flood, electronic outages).

Integrity is how correct data is when it is first entered.

Privacy is not letting other users into your personal or sensitive data.

Page 7: Higher Information Systems

Security Strategy

The Risks

Virus – malicious code.

• Designed to spread to other computers automatically.
• Transmitted via an e-mail attachment, a download or some other route.
• Can lie dormant for some time and can be very harmful.

Page 8: Higher Information Systems

Security Strategy

The Risks

Hacking – Breaking into a computer system from outside the network. Breaking in is an offence, but not as bad as maliciously altering or stealing information.

Page 9: Higher Information Systems

Security Strategy

The Risks

Denial of Service Attack (DOS Attack) – Flooding a server with a surprisingly large number of requests for information. The server is overloaded and ends up crashing.

Page 10: Higher Information Systems

Security Strategy

Policies and Procedures

Code of Conduct – set of rules that users must follow. Employees have to sign a code of conduct. Usually common sense and for the employee's protection to stop them breaking the law.

The British Computer Society has a Code of Ethics which includes professional conduct, professional integrity, public interest, fidelity (trustworthiness), technical competence.

Page 11: Higher Information Systems

Security Strategy

Password Guidelines

A strong password is one that no one else can guess and would be made up entirely of random numbers and letters (lowercase and uppercase). Users tend to choose poor passwords. The rules are:

• Minimum of 8 characters
• Letters and numbers and symbols
• No words
• Not the same as a previous password
• Cannot be easily guessed

http://www.passwordmeter.com/
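An added example, not part of the original slides: a Python check of the five rules listed above. The word list, the six-digit "date" heuristic for "easily guessed" and the function name are assumptions made for illustration; the three sample passwords are the ones quoted in the 2011 Q18 question later in this transcript.

```python
import re

# Constructed stand-in for a real dictionary of words and names (assumption).
COMMON_WORDS = {"scotland", "password", "football", "welcome", "tom"}

def check_password(candidate, previous=()):
    """Return the slide rules that `candidate` breaks; an empty list means it passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_symbol = any(not c.isalnum() for c in candidate)
    if not (has_letter and has_digit and has_symbol):
        problems.append("needs letters, numbers and symbols")
    # "No words": flag any listed word or name embedded in the password.
    lowered = candidate.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a word")
    if candidate in previous:
        problems.append("same as a previous password")
    # "Cannot be easily guessed": six digits in a row often encode a date of birth.
    if re.search(r"\d{6}", candidate):
        problems.append("contains a date-like number")
    return problems

if __name__ == "__main__":
    for sample in ("scotland", "tom100695", "Hs%2", "qT7#vL2!x"):
        broken = check_password(sample)
        print(f"{sample!r}: {'OK' if not broken else '; '.join(broken)}")
```
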

Page 12: Higher Information Systems
Page 13: Higher Information Systems

Security Strategy

Virus protection

Computer systems are susceptible to viruses and must be protected by:

• Not allowing floppy disks.
• Not opening suspicious emails, and using filtering software to intercept the virus.
• Installing anti-virus software that can prevent, detect or repair the infected file.
• Stopping key loggers.

Page 14: Higher Information Systems

Security Strategy

Firewall

A firewall was originally constructed to stop fire spreading throughout a house. It could be constructed between the house and the garage.

This metaphor has been borrowed by the computing industry to name the software/hardware that acts as a barrier between computers on a network. Without it, intruders could destroy, tamper with or gain access to the files on your computer.

Note: it is anti-virus software that stops viruses!

Page 15: Higher Information Systems

Security Strategy

Firewall

A firewall can be hardware or software that has filters to constantly monitor for unauthorised access to a network. It is placed between a file server and the internet connection. It also:

• Checks and filters external messages.
• Blocks access to certain workstations/servers from an external computer.
• Only grants access to authorised users.

Extra notes: http://www.vicomsoft.com/knowledge/reference/firewalls1.html#2

Page 16: Higher Information Systems

Security Strategy

Encryption

Encryption techniques are used to pass sensitive data across the internet. The most obvious place you will see this is if you use your credit card to buy goods on the internet. If the packets of data are intercepted they cannot be read because they have been scrambled using 32 bit or 64 bit encryption. The message can only be read by the person receiving it, who holds the correct key to decipher it.

Page 17: Higher Information Systems

Security Strategy

Encryption

In an exam you may be asked to explain how encryption works. This is public and private key encryption.

1. Bob encrypts the message with Alice’s Public Key.
2. The encrypted message is sent and cannot be read by unauthorised users.
3. Alice decrypts the message with her private key; no one else knows what this key is.
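An added example, not part of the original slides: the three steps above carried out with textbook RSA in Python. The primes 61 and 53, the exponent 17 and the message are constructed toy values chosen so the numbers stay readable; real systems use keys of 2048 bits or more with padding, and the function names are illustrative.

```python
def make_keypair(p, q, e=17):
    """Alice's setup: build (public_key, private_key) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # private exponent: inverse of e modulo phi (Python 3.8+)
    return (e, n), (d, n)

def apply_key(numbers, key):
    """Raise each number to the key's exponent modulo n (the core RSA operation)."""
    exponent, n = key
    return [pow(x, exponent, n) for x in numbers]

def encrypt(message, public_key):
    """Step 1: Bob scrambles each character code with Alice's public key."""
    return apply_key(list(message.encode("ascii")), public_key)

def decrypt(ciphertext, private_key):
    """Step 3: Alice recovers the text with her private key."""
    return bytes(apply_key(ciphertext, private_key)).decode("ascii")

# Alice publishes ALICE_PUBLIC and keeps ALICE_PRIVATE secret.
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(61, 53)

if __name__ == "__main__":
    sent = encrypt("Meet at 9", ALICE_PUBLIC)
    print("Step 2, on the wire:      ", sent)
    # An eavesdropper only has the public key; applying it again does not undo it.
    print("Public key used to 'read':", apply_key(sent, ALICE_PUBLIC))
    print("Alice reads:              ", decrypt(sent, ALICE_PRIVATE))
```
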

Page 18: Higher Information Systems

Security Strategy

Access Rights

Access rights are:

• Read
• Write
• Create
• Erase
• Modify

These rights can be granted or revoked by the owner of the files or by the administrator. If a file is read only, you cannot write, erase or modify it in any way. You would normally give these access rights in groupings, e.g. read, write, create, modify.
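An added example, not part of the original slides: a small Python model of the five access rights, where only the file's owner or an administrator may grant or revoke them. The account names (`guidance`, `teacher`, `netadmin`) and the file name are hypothetical.

```python
RIGHTS = {"read", "write", "create", "erase", "modify"}
ADMINISTRATORS = {"netadmin"}   # hypothetical administrator account

class SharedFile:
    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {owner: set(RIGHTS)}   # the owner starts with every right

    def _change(self, actor, user, rights, add):
        # Only the owner or an administrator may grant or revoke rights.
        if actor != self.owner and actor not in ADMINISTRATORS:
            raise PermissionError(f"{actor} cannot change rights on {self.name}")
        rights = set(rights)
        if not rights <= RIGHTS:
            raise ValueError(f"unknown rights: {sorted(rights - RIGHTS)}")
        current = self.acl.setdefault(user, set())
        if add:
            current |= rights
        else:
            current -= rights

    def grant(self, actor, user, rights):
        self._change(actor, user, rights, add=True)

    def revoke(self, actor, user, rights):
        self._change(actor, user, rights, add=False)

    def allowed(self, user, right):
        return right in self.acl.get(user, set())

def demo():
    report = SharedFile("report.doc", owner="guidance")
    report.grant("guidance", "teacher", {"read"})            # read-only access
    read_only = [r for r in sorted(RIGHTS) if report.allowed("teacher", r)]
    try:
        report.grant("teacher", "teacher", {"write", "modify"})
        escalated = True
    except PermissionError:                                  # not owner or admin
        escalated = False
    report.grant("netadmin", "teacher", {"write", "create", "modify"})
    report.revoke("netadmin", "teacher", {"write"})
    return read_only, escalated, sorted(report.acl["teacher"])

if __name__ == "__main__":
    print(demo())
```
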

Page 19: Higher Information Systems

Security Strategy

Access Rights

Access rights can be specifically set for the following:

• Whether you have administrator rights
• The amount of disk space allocated
• Printers (printer credits)
• E-mail
• Internet
• Folders
• Applications

Page 20: Higher Information Systems

Security Strategy

You have learned about:

• Data Security
• Data Integrity and Data Privacy
• Risks
    Hacking
    Denial of Service (DOS)
• Policies & Procedures
• Password Guidelines
• Virus Protection
    Prevention, Detection, Repair
• Firewall
• Encryption
• Access Rights

Page 21: Higher Information Systems

Question

2008 Q17

Lachlan is preparing for an interview for the job of network security manager at First Place Ltd. The company has 4 warehouses supplying 40 branches throughout the country. A stock control system is used to manage daily supplies to each branch. As part of the interview he will be asked about a security strategy for the company’s organisational information system.

(a) State five areas concerning security strategies that Lachlan should be prepared to discuss in his interview. (5)

Page 22: Higher Information Systems

Question

2009 Section 2

Q17. Setting up a username and password is one task involved in the creation of a network account.

State three other settings associated with a network account. (3)

2011 Q18

A company holds confidential personal data about its customers.

(a) Explain the difference between security and privacy as applied to data held in a computerised information system. (2)

(b) (i) Evaluate the suitability of these passwords: (3)

    scotland
    tom100695
    Hs%2

(ii) Apart from passwords, describe two data security measures that should be introduced as part of the security strategy. (4)

Page 23: Higher Information Systems