What you need to know
• Why do we need to protect data on ICT systems?
• What are the possible threats to an ICT system?
• How can an ICT system be protected?
• What legislation covers ICT systems?
Why do we need to protect data on ICT systems?
Here are some key reasons why the data on an ICT system, and the system itself, must be protected.
• Privacy of data – your (and my) personal details might be held on the system
• Monitoring of ICT users – what have you been up to? Who else knows?
• Identity theft – your identity and money are at risk if you're not careful
• Threats to the system – is it wise to drink coffee next to a machine, or to let someone log in as you?
• Malpractice & crime – is someone doing something wrong, or are they actually breaking the law?
What are the possible threats to an ICT system?
Any threat to a system is dangerous. Some threats are more likely to happen than others, and the outcome can vary from mild annoyance to complete loss of hardware, software and data.
The biggest threat to an ICT system is… the user of the system.
Other threats include:
• Natural hazards (earthquake, lightning etc.)
• Faulty hardware or software
• Viruses/worms/trojans
• Spyware
• Spam
• Hacking
• Fire
• Loss of power
Malpractice & Crime
Both malpractice and crime are threats to a system. Malpractice means doing something that is wrong, improper or careless. A crime is more serious: you are breaking the law.
Examples of malpractice
• Not logging off when finished with the system
• Using the system for unauthorised purposes
• Giving your user ID & password to someone else
• Not backing up your work
Examples of crime
• Hacking
• Piracy
• Spreading viruses
• Theft of data
• Destruction of data
• Fraud
Threats to a system can be INTERNAL or EXTERNAL, depending on whether they come from within or from outside the organisation. Typically hackers will be external, unless they are an employee trying to gain access to a part of the system that they are not normally allowed to use (an insider threat).
How can an ICT system be protected?
ICT systems can be protected in many simple ways
• Train staff to use the systems correctly
• Have an acceptable use policy (AUP) and documented procedures
• Enforce user IDs and passwords
• Have access levels to restrict user access to data
• Ensure the use of a strong password that is changed regularly
• Install, run and regularly update anti-virus software to detect and neutralise viruses, spyware and other nasties
• Encrypt data to ensure that those who steal it cannot use it
• Install and use a firewall
• Use biometrics to restrict access to systems
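Three of the controls listed above (enforcing user IDs and passwords, requiring a strong password, and access levels that restrict who can read which data) can be shown working together in a few lines of code. The example below is an addition to these notes, not code from the original slides; the user names, roles, resources, password thresholds and the tiny common-password list are all made up for illustration. It stores passwords as salted PBKDF2-HMAC-SHA256 digests (Python standard library only), so that a stolen copy of the user store does not reveal the passwords themselves, and compares digests in constant time. One caveat on the slide's wording: current UK NCSC password guidance advises against forcing routine password changes, recommending instead that a password is changed when there is reason to think it has been compromised; a policy check like the one below is what actually keeps weak passwords out.

```python
"""Added example (not from the original slides): user IDs and passwords,
a password-strength policy, and access levels in a small user store.

All names, roles, resources and thresholds are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000      # order of magnitude OWASP suggests for PBKDF2-SHA256
MIN_PASSWORD_LENGTH = 12
# Constructed denylist; a real system checks against a large breached-password list.
COMMON_PASSWORDS = {"password", "password123", "letmein", "qwerty123456", "welcome1"}

# Access levels: higher number = more privilege (constructed for this example).
LEVELS = {"guest": 0, "staff": 1, "manager": 2, "admin": 3}
# Minimum level needed to read each resource (constructed).
RESOURCE_LEVELS = {"timetable": 0, "student_records": 1, "salaries": 2, "audit_log": 3}


def check_password_policy(password: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if password.isdigit() or password.isalpha():
        problems.append("uses only letters or only digits")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is made if none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """In-memory store mapping user ID -> (salt, password digest, access level)."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes, int]] = {}

    def add_user(self, user_id: str, password: str, role: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("weak password: " + "; ".join(problems))
        salt, digest = hash_password(password)
        self._users[user_id] = (salt, digest, LEVELS[role])

    def authenticate(self, user_id: str, password: str) -> bool:
        """Verify a login. An unknown user still costs one PBKDF2 run, so the
        response time does not reveal whether the user ID exists."""
        salt, stored, _ = self._users.get(user_id, (b"\x00" * 16, b"\x00" * 32, 0))
        _, candidate = hash_password(password, salt)
        # Constant-time comparison: does not leak how many leading bytes matched.
        return user_id in self._users and hmac.compare_digest(candidate, stored)

    def can_access(self, user_id: str, resource: str) -> bool:
        """Access levels: a user may read a resource only if their level is high enough."""
        if user_id not in self._users or resource not in RESOURCE_LEVELS:
            return False
        return self._users[user_id][2] >= RESOURCE_LEVELS[resource]


def demo() -> dict[str, bool]:
    """Build a store with constructed users and exercise each control."""
    store = UserStore()
    store.add_user("alice", "correct-horse-battery-9", "manager")
    store.add_user("bob", "Tr0ub4dor&3-extra-long", "staff")
    try:
        store.add_user("carol", "password123", "admin")   # too short and on the denylist
        weak_rejected = False
    except ValueError:
        weak_rejected = True
    return {
        "weak_rejected": weak_rejected,
        "alice_login_ok": store.authenticate("alice", "correct-horse-battery-9"),
        "alice_wrong_pw": store.authenticate("alice", "correct-horse-battery-10"),
        "unknown_user": store.authenticate("mallory", "anything-at-all-123"),
        "bob_reads_records": store.can_access("bob", "student_records"),
        "bob_reads_salaries": store.can_access("bob", "salaries"),
        "alice_reads_salaries": store.can_access("alice", "salaries"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file shows the weak password being refused, a correct login succeeding, wrong passwords and unknown users both failing, and a staff-level user able to read student records but not salaries. In a real deployment the store would live in a database, the denylist would be a breached-password corpus, and the level check would be enforced on every data access rather than once at login.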
What legislation covers ICT systems?
• Computer Misuse Act (1990)
• Copyright, Designs & Patents Act (1988)
• Regulation of Investigatory Powers Act (2000)
• Data Protection Act (1998)
Please note that the laws cannot protect the ICT system or the data it holds, but they do allow the perpetrators to be prosecuted if they are apprehended.
Computer Misuse Act (1990)
Used as a deterrent to those who like to "explore" ICT systems, look at data/information that they shouldn't and possibly commit fraud, and those who may alter or destroy data, for example by planting viruses.
The Act as passed created three offences (later amendments have added more):
Section 1 Unauthorised access to computer material – Penalty max 2 years or a fine or both
Section 2 As section 1 + intent to commit a further offence such as fraud – Penalty max 5 years or a fine or both
Section 3 Unauthorised acts (such as modifying data) with intent to impair the operation of a computer – Penalty max 10 years or a fine or both
The maxima shown are on indictment; the 2-year and 10-year figures date from the Police and Justice Act 2006 amendments.
Copyright, Designs & Patents Act (1988)
Allows original work by authors, artists, software companies, recording artists etc. to be protected against copying without permission, typically for the author's lifetime plus 70 years (shorter terms apply to some works, such as sound recordings and broadcasts). Software is protected as a literary work.
Copying software or music to distribute it is illegal. Possessing equipment designed for making infringing copies, knowing it will be used to make copies for sale, is also an offence.
Exceptions (permitted acts)
• Copying or performing under a licence, with royalties collected and paid to the rights holder, is OK
• Making a back-up copy of software you lawfully use, or archive copies under the rules for libraries and archives, is OK
• Fair dealing for non-commercial research and private study is OK
Typically used by Trading Standards to prosecute traders at car boot sales, other markets and on eBay.
Criminal copying offences carry up to 10 years in prison on indictment; on summary conviction the maximum is 6 months and a fine of up to £50 000.
Regulation of Investigatory Powers Act (2000)
A relatively recent piece of legislation (at the time of these notes) that regulates when organisations, mainly public bodies, may lawfully record and monitor information about you.
When properly authorised it makes lawful: telephone taps, interception of web traffic and emails, covert surveillance (surveillance cameras, police ANPR systems etc.), and demands that you hand over encryption keys or passwords so that your data can be read (Part III; refusing to comply is itself an offence). Employers may also monitor their own networks under regulations made under the Act.
When introduced it was called a "snoopers' charter", as it allowed many organisations to monitor what you are up to.
Note: the interception and communications-data powers have since been replaced by the Investigatory Powers Act 2016.
Data Protection Act (1998)
The only law here that protects YOU!
Sets out eight principles that every organisation must follow if it collects personal data (data from which a living individual can be identified) and holds or processes it on an ICT system. There is no minimum holding period before the Act applies; the 40 days often quoted was the time limit for answering a subject access request.
There are a number of exemptions that allow data to be held without your knowledge, e.g. for crime prevention, national security etc.
Definitions you need to know
• Data subject
• Data user (the term from the earlier 1984 Act; the 1998 Act uses data controller and data processor)
• Data controller
• Information Commissioner
• The 8 principles
• Rights of a data subject
• The main exemptions, both full and partial
Note: the 1998 Act was replaced in 2018 by the Data Protection Act 2018 and the UK GDPR, which keep the same basic structure of principles, subject rights and exemptions.