There are three core principles of data security: confidentiality, integrity, and availability. Confidentiality means that sensitive data should not be accessed by unauthorized individuals. Integrity refers to ensuring data is not modified without permission. Availability means information must be accessible on demand. Data security controls aim to protect data from threats like unauthorized access, alteration, and destruction. Common threats include malware, hacking, and data loss from system failures. Organizations implement measures like encryption, firewalls, and monitoring to prevent threats and ensure the security of their data and IT systems.
1. Security threats and
controls
There is need to protect data from theft because it used to
make decisions in everyday life. Wrongful storage of data can
lead to a number of evil activities if it reaches malicious people
2. Data security core principles
• The three core
principles of
data security
also referred to
as information
security are:
1. Confidentiality
2. Integrity and
3. Availability
MK
SOLUTIONS
2
Information
security
Confidentiality
integrity
Availability
3. Confidentiality
• This implies that sensitive data or information belonging to an
organization or government should not be accessed by or
disclosed to unauthorized people.
• Such data includes: office documents, chemical formula,
employee’s details, examinations etc.
MK
SOLUTIONS
3
Datasecuritycoreprinciples
4. Integrity
• Integrity refers to a situation where data should not be
modified without owner’s authority
4
Datasecuritycoreprinciples
MK
SOLUTIONS
5. Availability
• Information must be available on demand
• This translates to any information system and communication
link used to access it, must be efficient and functional. An
information system may be unavailable due to power outages,
hardware failures, unplanned upgrades or repairs
MK
SOLUTIONS
5
Datasecuritycoreprinciples
6. Security Threats and
Control Measures
Security threats of private or confidential data includes
unauthorized access, alteration, malicious destruction of hardware,
software, data or network resources as well as sabotage.
The main objective of data security control measures is to provide
security, ensure integrity and safety of an information system
hardware, software and data
7. Information System Failure
Causes of computerized system failure include
1. Hardware failure due to improper use
2. Unstable power supply as a result of brownout or blackout
and vandalism
3. Network breakdown
4. Natural disaster
5. Program failure
6. Computer virus attacks
MK
SOLUTIONS
7
8. Control measuresagainst hardwarefailure
• Computer systems should be protected from brownout or
blackout which may cause physical damage or data loss by
using surge protectors and UPS
• Most organizations use Fault Tolerant Systems
• A fault tolerant system has redundant or duplicate storage,
peripheral devices and software that provide a fail-over
capability to back up components in the event of system
failure
• Disaster recovery plans – involves establishing offsite
storage of an organization ‘s databases so that in case of
disaster or fire accidents, the company would have backup
copies to reconstruct lost data from.
MK
SOLUTIONS
8
9. Threats from malicious programs
• Malicious programs may affect the smooth running of a
system or carry out illegal activities such as, secretly collecting
information from an unknowing user. Some of the malicious
programs include:
1. Boot sector viruses
2. File viruses
3. Hoax viruses
4. Trojan Horse
5. Worms
6. Backdoors
MK
SOLUTIONS
9
10. Malicious Programs Insight
1. Boot Sector Viruses
•They destroy the
booting
information on
storage media
2. File Viruses
•Attach
themselves to
files
MK
SOLUTIONS
10
11. Malicious Programs Insight
3. Hoax Viruses
• Come themselves
as email with
attractive
messages and
launch themselves
when email is
opened
4. Trojan Horse
• They appear to
perform useful
functions but
instead they
perform other
undesirable
activities in the
background.
MK
SOLUTIONS
11
12. Malicious Programs Insight
5. Worms
• This is a malicious
program that self-
replicates hence
clogs the system
memory and storage
media
6. Backdoors
• May be a Trojan or a
Worm that allows
hidden access to a
computer system.
MK
SOLUTIONS
12
13. Control measures against theft
1. Employ security agents to keep watch over information
centers and restricted backup sites
2. Reinforce weak access points like the windows, door and
roofing with metallic grills and strong padlocks.
3. Motivate workers so that they feel a sense of belonging in
order to make them proud and trusted custodians of the
company resources.
4. Insure the hardware resources with a reputable insurance
firm.
5. Encrypt and create strong passwords for your data and
access to computers
MK
SOLUTIONS
13
14. Piracy
•Piracy is a form of intellectual
property theft which means illegal
copying of software, information or
data. Software, information and data
are protected by copyright and patent
laws
MK
SOLUTIONS
14
15. Control measures against piracy
• To reduce piracy:
1. Enforce laws that protect the owners of data
and information against piracy
2. Make software cheap enough to increase
affordability
3. User licenses and certificates to identify
original software
4. Set installation passwords that deter illegal
installations of software
MK
SOLUTIONS
15
16. Fraud
• Fraud is a deception deliberately practiced in order to
secure unfair or unlawful gain
• Computer fraud is defined as any act using computers,
the Internet, Internet devices, and Internet services to
defraud people, companies, or government agencies of
money, revenue, or Internet access. There are many
methods used to perform these illegal activities.
Phishing, social engineering, viruses, and DDoS attacks
are fairly well known tactics used to disrupt service or
gain access to another's funds.
MK
SOLUTIONS
16
17. Sabotage
•Refers to illegal destruction of
data and information with the
aim of crippling service
delivery or causing great loss
to an organization.
MK
SOLUTIONS
17
18. Threats to piracy and confidentiality
• Privacy means that data or information
belonging to an individual should not be
accessed by or disclosed to other people. Its an
individual’s right to determine for themselves
what should be communicated to others
• Confidentiality – is the sensitive data or
information belonging to an organization or
government. Should therefore not to be
accessed by or disclosed by unauthorized people
MK
SOLUTIONS
18
22. Computercrimesrelatedtodataprivacyandsecurity
MK
SOLUTIONS
22
4) Hacking and Cracking
•Hacking is the process of gaining
unauthorized access into a system just
for fun and the person who hacks is
called a hacker.
•Cracking is the process of gaining
unauthorized access into a system for
malicious reasons
25. ControlMeasuresAgainstUnauthorizedAccess
MK
SOLUTIONS
25
A. Firewall
•A firewall is a device or a software system that
filters the data and information exchanged
between different networks by enforcing the
host networks access control policy.
•The main aim of a firewall is to monitor and
control access to or from protected networks
•People who do not have permission cannot
access the network and those within cannot
access firewall restricted sites outside their
networks
26. ControlMeasuresAgainstUnauthorizedAccess
MK
SOLUTIONS
26
B. Data Encryption
•This is the process of mixing up data so that only the
sender and the receiver can understand with use of an
encryption key.
•The translation of data into a secret code. Encryption is
the most effective way to achieve data security. To read
an encrypted file, you must have access to a secret key or
password that enables you to decrypt it. Unencrypted
data is called plain text ; encrypted data is referred to as
cipher text.
There are two main types of encryption: asymmetric
encryption (also called public-key encryption) and
symmetric encryption.
27. ControlMeasuresAgainstUnauthorizedAccess
MK
SOLUTIONS
27
C. Security Monitors
•The are programs that monitor and keep a log file or
record of computer systems and protect them from
unauthorized access. E.g.
•Biometric Security
This type of security takes the user’s attributes such as
voice, fingerprints and facial recognition.
•Other access Controls measures Include:-
Enhancing a multilevel authentication policies such as
assigning users log on accounts, use of smart cards
and personal identification number (PIN)
28. Policiesandlawsgoverninginformationsecurity
Introduction
• Laws, regulations and policies enacted are meant to regulate
and govern data processing and information security. Laws can
either exist as international laws enacted by ISO- International
Standardization Organization an ISF- Information Security
Forum
• These are non-profit making organizations who also offer
research on best practices
• There are also locally enacted laws to control the IT sector by
Parliament and policies made by the ministry of Information
and Technology
• Examples of laws that exist include:
MK
SOLUTIONS
28
29. Policiesandlawsgoverninginformationsecurity
ICT related acts in Kenya
• The science and Technology Act
• Cap. 250 of 1977
• The Kenya Broadcasting Corporation Act of
1988
• The Kenya Communications Act of 1998
However these laws are not adequate to
address the current issues of IT and ICT
MK
SOLUTIONS
29
30. Policiesandlawsgoverninginformationsecurity
Kenya ICT Policy
•The government has put in place the
ICT policy that seeks to address issues
of privacy, e-security, ICT registration,
cyber crimes, ethical and moral
conduct, copyrights, intellectual
property rights and privacy
MK
SOLUTIONS
30
31. Policiesandlawsgoverninginformationsecurity
United Kingdom Data Protection Act
1998
•This act protects an individual privacy.
The act states that no processing of
information relating to individuals,
including the obtaining, holding, use
or disclosure of such information can
be done without owner’s consent.
MK
SOLUTIONS
31
32. Policiesandlawsgoverninginformationsecurity
United Kingdom Computer Misuse Act
1990
• This act makes computer crimes such as
hacking a criminal offence. The act has
become a model of many other countries
including Kenya, which they have used to
draft their own information security
regulations.
MK
SOLUTIONS
32
33. Policiesandlawsgoverninginformationsecurity
Family Educational Rights and Privacy Act (USA)
• This law protects the privacy of srudent’s
education records. To release any information
from a student’s education record.
Security Breach Notification Laws
• Most countries require businesses, nonprofit,
and state institutions, to notify consumers when
encrypted ‘personal information’ is
compromised, lost, or stolen.
MK
SOLUTIONS
33
34. Policiesandlawsgoverninginformationsecurity
Copyright and Software Protection Laws
• Hardware and Software are protected by either national or
international Copyright, designs and patents laws or Acts.
• These laws seek to address:
i. Data should not be disclosed to other people without the
owner’s permission
ii. Data and information should be kept secured against loss or
exposure
iii. Data and information should not be kept longer than
necessary
iv. Data and information should be accurate and up to date
v. Data and information should be collected, used and kept for
specified lawful purposes.
MK
SOLUTIONS
34
35. ReviewQuestions
1. Differentiate between private and confidential data
2. Why is information a useful resource?
3. Explain any three threats to data and information
4. Give two control measures you would take to avoid
unauthorized access to data and information
5. Explain the meaning of industrial espinionage
6. Differentiate between hacking and cracking with reference
to computer crimes
7. What reasons may lead to computer fraud?
8. Explain the term ‘information security’
9. Why would data and information on an externally linked
network not be said to be secure even after burglar proofing
a room?
MK
SOLUTIONS
35
36. ReviewQuestions
10) How can piracy be prevented in regard to data and
information?
11) Define a computer virus
12) Give four general rules that must be observed to keep
within the law when working with data and information
13) Explain two types of computer viruses
14) What is a program patch? Why are patches important?
15) Explain measures you would take to protect computers from
virus attacks
16) What is data alteration? Explain its effect an data
17) How can you control errors related to data and information?
MK
SOLUTIONS
36
37. ReviewQuestions
18) Data and information security has recently become very
important. Explain why?
19) Explain eavesdropping with reference to computer crimes
20) Why use copyright laws for software data and information
necessary?
MK
SOLUTIONS
37