AQA Information and Communication Technology/ICT4/Legal Aspects
Corporate Information Systems Security Policies
A corporate information systems (IS) security policy exists to protect the company from threats. The security policy should be part of the organisation's strategic management. It is important to get it right because:
- costs are involved in providing the security the company needs to protect itself
- users are sceptical of computer systems' security and are highly aware of the risks involved
People do not want to deal with a company that is known to be insecure.
IS security policies exist to
- secure systems against loss of availability, integrity or confidentiality
- prevent and detect misuse, whether it breaches the relevant Acts or the company's internal policies
- investigate and deal with any misuse according to the procedures laid out in the policy
- limit and recover from damage
The three lines of defence in IS security are:
The corporate IS policy should include provision for training the end-users of the system and promoting general security awareness among them, since that is where lapses in security are most likely to happen.
Users should be educated on matters such as not downloading unknown executables from the Internet and not choosing easy-to-guess, common passwords.
An audit is a survey a company makes of its own software and hardware. Its purposes are to reduce errors in the company's resources database (often used for insurance purposes), to monitor the efficiency of systems and to ensure that the software in use complies with the appropriate licences.
The results of an audit are used to improve the accuracy of the company's hardware database, allowing for better support and capacity planning.
Many companies use external auditors to minimise the chance of internal fraud going undetected, but some carry out internal auditing to save cost. For registered companies, an annual audit of the financial records is required by law.
Audits may also cover the accuracy of systems, especially financial systems. There are three auditing techniques; in each of them the auditor calculates by hand the expected output of the system and checks that the system's actual output matches.
- Live data testing - the auditor uses the actual data the system is processing at the time. This has the disadvantage that it cannot exercise all possible kinds of data.
- Historical data testing - the auditor puts old data through the system again, so in addition to the manual checks the auditor can check that the system agrees with the output it produced the first time.
- Dummy data testing - the auditor generates fake data designed to test all eventualities, including boundary cases that live data may never reach.
This kind of auditing has the problem that while the system is made available to the auditor it cannot be used for its normal functions, and it provides only a snapshot of the system at that moment in time.
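The three techniques can be automated once the auditor's hand calculation is written down as an independent function. The following Python is an added example, not from the Wikibook: it audits a hypothetical invoicing routine (the discount and VAT rules, the orders and the recorded historical totals are all constructed for the example) and shows why live data alone is not enough to find a boundary defect.

```python
from decimal import Decimal, ROUND_HALF_UP

# Hypothetical invoicing rule used for the example: 10% discount on orders
# whose subtotal is 100.00 or more, then 20% VAT, rounded to the nearest penny.
DISCOUNT_THRESHOLD = Decimal("100.00")
DISCOUNT_RATE = Decimal("0.10")
VAT_RATE = Decimal("0.20")
PENNY = Decimal("0.01")


def system_invoice_total(qty, unit_price):
    """The system under audit.  It carries a boundary defect: it applies the
    discount only when the subtotal exceeds the threshold (> rather than >=),
    so an order of exactly 100.00 gets no discount."""
    subtotal = Decimal(qty) * Decimal(unit_price)
    if subtotal > DISCOUNT_THRESHOLD:
        subtotal -= subtotal * DISCOUNT_RATE
    return (subtotal * (1 + VAT_RATE)).quantize(PENNY, ROUND_HALF_UP)


def auditor_expected_total(qty, unit_price):
    """The auditor's independent 'by hand' calculation of the same rule."""
    subtotal = Decimal(qty) * Decimal(unit_price)
    if subtotal >= DISCOUNT_THRESHOLD:
        subtotal -= subtotal * DISCOUNT_RATE
    return (subtotal * (1 + VAT_RATE)).quantize(PENNY, ROUND_HALF_UP)


def audit_against_hand_calculation(orders):
    """Compare the system's figure with the auditor's for every (qty, price).
    Returns a list of (qty, price, system_total, expected_total) mismatches,
    with the totals as strings so they read like figures on an invoice."""
    mismatches = []
    for qty, price in orders:
        got = system_invoice_total(qty, price)
        want = auditor_expected_total(qty, price)
        if got != want:
            mismatches.append((qty, price, str(got), str(want)))
    return mismatches


def audit_historical(records):
    """Historical data testing: re-run old orders and check that the system
    agrees with the total it produced last time *and* with the hand figure.
    records are (qty, price, total_recorded_at_the_time)."""
    self_disagreements = []
    for qty, price, old_total in records:
        now = system_invoice_total(qty, price)
        if now != Decimal(old_total):
            self_disagreements.append((qty, price, old_total, str(now)))
    hand = audit_against_hand_calculation([(q, p) for q, p, _ in records])
    return self_disagreements, hand


# Constructed sample data (not real figures).
LIVE_ORDERS = [(3, "19.99"), (1, "250.00"), (12, "4.50")]            # being processed today
HISTORICAL_RECORDS = [(2, "60.00", "129.60"), (5, "9.99", "59.94")]  # last quarter, with totals
DUMMY_ORDERS = [(0, "50.00"), (1, "99.99"), (4, "25.00"), (1, "100.01")]  # built to hit the boundary


if __name__ == "__main__":
    print("live:", audit_against_hand_calculation(LIVE_ORDERS))       # []
    print("historical:", audit_historical(HISTORICAL_RECORDS))        # ([], [])
    print("dummy:", audit_against_hand_calculation(DUMMY_ORDERS))     # the 100.00 order
```

Live and historical data pass cleanly, and the historical replay also confirms the system agrees with itself, yet the system is wrong: only the dummy order whose subtotal is exactly 100.00 exposes the off-by-one in the discount rule.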
An audit trail is a log created by a system that shows what has been changed and who did what. (MediaWiki has a good example of this: see the history page for this page.)
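The following Python is an added example, not from the Wikibook: a record whose every field change is appended to an audit trail of who changed what, when, and from which value to which. It goes one step beyond the text by chaining each entry to the previous one with a SHA-256 hash, so that an edited or deleted entry is detectable; the payroll record, users and timestamps are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stands in for the hash "before" the first entry


def entry_hash(entry):
    """SHA-256 over every field of an entry except its own hash, with keys
    sorted so the same entry always serialises (and hashes) the same way."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def verify_trail(trail):
    """True if every entry's hash is intact and chains to its predecessor."""
    prev = GENESIS
    for entry in trail:
        if entry["prev_hash"] != prev or entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


class AuditedRecord:
    """A record whose every field change is appended to an audit trail."""

    def __init__(self, fields):
        self.initial = dict(fields)   # state before any logged change
        self.fields = dict(fields)
        self.trail = []               # entries, oldest first

    def set(self, user, field, new_value, when=None):
        old_value = self.fields.get(field)
        if old_value == new_value:
            return None               # nothing changed, so nothing to log
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.trail),
            "when": when.isoformat(),
            "user": user,
            "field": field,
            "old": old_value,
            "new": new_value,
            "prev_hash": self.trail[-1]["hash"] if self.trail else GENESIS,
        }
        entry["hash"] = entry_hash(entry)
        self.trail.append(entry)
        self.fields[field] = new_value
        return entry

    def who_changed(self, field):
        """Answer the auditor's question: who changed this field, and when?"""
        return [(e["user"], e["when"], e["old"], e["new"])
                for e in self.trail if e["field"] == field]

    def replay(self):
        """Rebuild the current state from the initial state plus the trail."""
        state = dict(self.initial)
        for e in self.trail:
            state[e["field"]] = e["new"]
        return state


def build_demo():
    """Constructed sample: a payroll record edited by two users."""
    rec = AuditedRecord({"salary": 30000, "grade": "B"})
    t = datetime(2024, 1, 5, 9, 0, tzinfo=timezone.utc)
    rec.set("alice", "salary", 32000, when=t)
    rec.set("bob", "grade", "A", when=t)
    rec.set("alice", "salary", 32000, when=t)   # same value again: not logged
    return rec
```

In a real system the trail would be written to storage the application cannot rewrite (a separate log server or append-only store); the hash chain only proves tampering happened, it cannot prevent it.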
Disaster Recovery Management
Threats to security and integrity
- Human error (mistakes in data entry, program errors, operator errors)
- Computer crime (hacking, illegal modification of data, viruses and logic bombs)
- Natural disasters (Fire, earthquake, hurricane, flood)
- War and terrorist activity (Bombs, fire)
- Hardware failure (power failure, disk head crash, network failure)
Building security protects the premises against break-ins, unauthorised visitors, etc.
Authorisation software involves user IDs and passwords. It forces a user to log in before using their computer and the network, and can enforce "access rights", limiting each user to certain files and folders.
Communications security can use call-back (the system hangs up and dials the user back at a registered number rather than accepting the incoming dial-in connection, which confirms the caller's identity), handshaking (a predetermined exchange between two computers, often following an algorithm, in which each side proves its identity to the other) and encryption (altering the text by a set algorithm under a key known only to the two communicating systems; the algorithm itself need not be secret).
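The following Python is an added example, not from the Wikibook, of the handshaking idea: a mutual challenge-response exchange in which each computer proves it holds a shared secret key without sending the key, and both derive a fresh session key. The message layout, the `Peer` class and the shared key are assumptions made for the example; the point it demonstrates is that fresh random nonces stop an eavesdropper from replaying a recorded exchange.

```python
import hashlib
import hmac
import os


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so (a, bc) and (ab, c) differ."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big"))
        h.update(part)
    return h.digest()


class Peer:
    """One end of a mutual challenge-response handshake keyed by a shared
    secret.  A Peer plays either the client or the server role in one run."""

    def __init__(self, name, shared_key):
        self.name = name
        self.key = shared_key
        self.my_nonce = None
        self.their_nonce = None
        self.session_key = None

    # message 1, client -> server: a fresh random challenge
    def hello(self):
        self.my_nonce = os.urandom(16)
        return self.my_nonce

    # message 2, server -> client: its own challenge plus proof of the key
    def respond(self, client_nonce):
        self.their_nonce = client_nonce
        self.my_nonce = os.urandom(16)
        return self.my_nonce, mac(self.key, b"server", client_nonce, self.my_nonce)

    # message 3, client -> server: check the server's proof, send its own
    def answer(self, server_nonce, server_proof):
        expected = mac(self.key, b"server", self.my_nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            raise ValueError(f"{self.name}: server failed authentication")
        self.their_nonce = server_nonce
        self.session_key = mac(self.key, b"session", self.my_nonce, server_nonce)
        return mac(self.key, b"client", server_nonce, self.my_nonce)

    # server: check the client's proof; only then derive the session key
    def confirm(self, client_proof):
        expected = mac(self.key, b"client", self.my_nonce, self.their_nonce)
        if not hmac.compare_digest(expected, client_proof):
            raise ValueError(f"{self.name}: client failed authentication")
        self.session_key = mac(self.key, b"session", self.their_nonce, self.my_nonce)
        return True


def run_handshake(client_key, server_key):
    """Drive one full exchange.  Returns (client, server, transcript); raises
    ValueError if either side fails to prove knowledge of the key."""
    client, server = Peer("client", client_key), Peer("server", server_key)
    m1 = client.hello()
    server_nonce, server_proof = server.respond(m1)
    client_proof = client.answer(server_nonce, server_proof)
    server.confirm(client_proof)
    return client, server, (m1, server_nonce, server_proof, client_proof)


def replay_is_rejected(key, transcript):
    """An eavesdropper who captured a genuine transcript replays the client's
    two messages.  The server's fresh nonce makes the old proof worthless."""
    old_client_nonce, _, _, old_client_proof = transcript
    server = Peer("server", key)
    server.respond(old_client_nonce)      # server challenges with a new nonce
    try:
        server.confirm(old_client_proof)  # stale proof does not match it
    except ValueError:
        return True
    return False
```

The session key that comes out of a successful run is what the encryption step would then use; the exchange above authenticates both sides but does not by itself encrypt anything.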
Operational security involves keeping logs that show usage of the system, creating an audit trail.
Personnel security is necessary because people are often the most exploitable part of an IS. Basic user knowledge of security is required to prevent access by "social engineering". Disgruntled employees may also become destructive to company data. Splitting the tasks in a transaction so that several people are required to complete it (separation of duties) reduces the opportunity for fraud.
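The following Python is an added example, not from the Wikibook, covering both the authorisation software described above (user IDs, salted password hashes, a login step and per-folder access rights) and the separation of duties just mentioned (a payment must be initiated by one user and approved by a different one). The users, folders, rights and the `PaymentRun` workflow are all constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise it on real hardware


def hash_password(password, salt):
    """Salted, iterated hash so a stolen user table does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class AuthorisationSystem:
    """User IDs and passwords, plus per-folder access rights."""

    def __init__(self):
        self._users = {}      # user_id -> (salt, password_hash)
        self._rights = {}     # user_id -> {folder: set of rights}
        self._logged_in = set()

    def add_user(self, user_id, password, rights):
        salt = os.urandom(16)
        self._users[user_id] = (salt, hash_password(password, salt))
        self._rights[user_id] = {folder: set(r) for folder, r in rights.items()}

    def login(self, user_id, password):
        record = self._users.get(user_id)
        # Hash even for an unknown user so timing does not reveal which user
        # IDs exist, and compare in constant time.
        salt, stored = record if record else (bytes(16), bytes(32))
        ok = hmac.compare_digest(hash_password(password, salt), stored) and record is not None
        if ok:
            self._logged_in.add(user_id)
        return ok

    def can(self, user_id, right, path):
        """Access-rights check: the most specific folder containing the path
        decides; a user who has not logged in has no rights at all."""
        if user_id not in self._logged_in:
            return False
        best = None
        for folder in self._rights.get(user_id, {}):
            if path == folder or path.startswith(folder.rstrip("/") + "/"):
                if best is None or len(folder) > len(best):
                    best = folder
        return best is not None and right in self._rights[user_id][best]


class PaymentRun:
    """Separation of duties: a payment is released only after a second,
    different user approves what the first user initiated."""

    def __init__(self, auth):
        self.auth = auth
        self.payments = {}

    def initiate(self, user, payment_id, amount):
        if not self.auth.can(user, "initiate", "/finance/payments"):
            raise PermissionError(f"{user} may not initiate payments")
        self.payments[payment_id] = {"amount": amount, "initiated_by": user, "approved_by": None}

    def approve(self, user, payment_id):
        payment = self.payments[payment_id]
        if not self.auth.can(user, "approve", "/finance/payments"):
            raise PermissionError(f"{user} may not approve payments")
        if user == payment["initiated_by"]:
            raise PermissionError("the initiator may not approve their own payment")
        payment["approved_by"] = user

    def released(self, payment_id):
        return self.payments[payment_id]["approved_by"] is not None


def build_demo():
    """Constructed users and rights for the example (not a real system)."""
    auth = AuthorisationSystem()
    auth.add_user("alice", "correct horse", {"/finance": {"read"},
                                             "/finance/payments": {"read", "initiate"}})
    auth.add_user("bob", "battery staple", {"/finance/payments": {"read", "approve"}})
    auth.add_user("carol", "hr-only", {"/hr": {"read", "write"}})
    return auth, PaymentRun(auth)
```

Note that the separation-of-duties rule lives in the workflow, not in the access rights: bob could hold the "initiate" right as well, and the check on `initiated_by` would still stop him approving a payment he raised himself.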
Risk analysis is part of the overall corporate ICT security policy, and is something which managers, rather than technical staff, need to do. The risk analysis could include finding answers to questions such as:
- What is the nature of the data being stored in the system?
- How is the data used?
- Who has access to the system?
- How much money does the company stand to lose if the data is lost, corrupted or stolen?
Disaster planning generally covers only the mission-critical aspects of the business, because covering less vital functions is generally too costly.
To guard against the failure of the business in a catastrophe, two "controls of last resort" can be put in place: insurance and a disaster recovery plan. Insurance does not prevent anything, but it does reduce the financial impact of a loss.
A disaster recovery plan has to contain provision for backup facilities which can be used in the event of a disaster. Some possibilities are:
- A company-owned backup facility at a geographically separate location, sometimes known as a "cold standby" site.
- A reciprocal arrangement with another company that runs a compatible computer system.
- A subscription to a disaster recovery service.
How do you select an appropriate recovery plan? Various criteria are used:
- The scale of the organisation and its ICT systems
- The nature of the operation: an on-line system may need to be restored within a few hours, whereas a batch billing process could survive being offline for a few days.
- The relative costs of the different options: a company with several sites linked by telecoms may be able to formulate a DRP which temporarily moves operations to an alternate site.
- The perceived chance of disaster occurring. A company in Intake may need a plan to cope with theft, but not with earthquakes.
We have already touched on the legislation covering ICT in ICT1. For ICT4 you need to be able to recall the Data Protection Act, the Copyright, Designs and Patents Act, the Computer Misuse Act and the Health and Safety at Work Act. When designing a corporate IS strategy, the company must ensure that it complies with the relevant legislation.