Security of Data
Issues of privacy <ul><li>Everyone has a right to privacy – the right not to have details about our lives to be held or ci...
Information systems depend on: <ul><li>Data integrity </li></ul><ul><ul><li>The  correctness  of the data.  Data held in a...
Increasing data integrity <ul><li>Standard clerical procedures may be documented and followed for both input and output. <...
Increasing data security <ul><li>Write-protecting disks </li></ul><ul><li>User IDs and passwords </li></ul><ul><li>Access ...
User Ids and passwords   <ul><li>Usually give access rights to systems </li></ul><ul><ul><li>Passwords must be at least 6 ...
Access Rights   <ul><li>In most systems it is not usually necessary for any individual user to have access to all data on ...
Counteracting Fraud <ul><li>Fraud, malicious damage, or theft of software or data, may be due to disgruntled employees. To...
Protection against viruses <ul><li>New software should be in tamper-proof packages </li></ul><ul><li>Disallow use of flopp...
Biometric measures <ul><li>Biometric methods do not depend upon passwords. They use biological features to identify users:...
Communications security <ul><li>Telecommunications systems are vulnerable to hackers </li></ul><ul><li>They use various me...
Disaster Planning <ul><li>If companies fail to plan for computer failure – through whatever cause – the consequences can b...
Backup strategies <ul><li>Periodic Backups - copy files regularly and keep them in a safe place </li></ul><ul><li>Weakness...
Backup strategies <ul><li>Simplest for small business </li></ul><ul><ul><li>Back-up entire hard disk at end of each day </...
Backup hardware <ul><li>Small quantities </li></ul><ul><ul><li>Removable disks such as Zip drives. Unit cost less than £10...
Backing-up on-line databases <ul><li>Database is being constantly updated. Back-up methods include: </li></ul><ul><ul><li>...
Factors in back-up strategy <ul><li>What to back up? </li></ul><ul><li>How often? </li></ul><ul><li>What medium to use? </...
Recovery procedures <ul><li>Keeping backups safe - b ackup copies need to be kept </li></ul><ul><ul><li>in a fireproof saf...
Recovery procedures <ul><li>Testing recovery procedures </li></ul><ul><ul><li>Effectiveness of backup procedures needs to ...
Upcoming SlideShare
Loading in …5
×

3e - Security Of Data

515 views

Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

3e - Security Of Data

  1. 1. Security of Data
  2. 2. Issues of privacy <ul><li>Everyone has a right to privacy – the right not to have details about our lives to be held or circulated without our knowledge. </li></ul><ul><li>Data of a personal nature are regularly collected by numerous different organisations – for example: </li></ul><ul><ul><li>Employers hold personnel records that include data on: </li></ul></ul><ul><ul><ul><li>address, age, qualifications, salary, sick leave, dependents and so on; </li></ul></ul></ul><ul><ul><li>Stores hold details on: </li></ul></ul><ul><ul><ul><li>credit card payments, account history, items purchased; </li></ul></ul></ul><ul><ul><li>Banks hold details on: </li></ul></ul><ul><ul><ul><li>salary, income and withdrawals, direct debits to various organisations; </li></ul></ul></ul><ul><ul><li>Insurance companies hold details of: </li></ul></ul><ul><ul><ul><li>property, cars, accidents, claims and health. </li></ul></ul></ul>
  3. 3. Information systems depend on: <ul><li>Data integrity </li></ul><ul><ul><li>The correctness of the data. Data held in a computer system may become incorrect, corrupted or of ‘poor quality’ in many different ways and at many stages during data processing. </li></ul></ul><ul><ul><ul><li>Errors on input </li></ul></ul></ul><ul><ul><ul><li>Errors in operating procedure </li></ul></ul></ul><ul><ul><ul><li>Program errors </li></ul></ul></ul><ul><li>Data security </li></ul><ul><ul><li>The safety of the data. Data is vulnerable to: </li></ul></ul><ul><ul><ul><li>Theft </li></ul></ul></ul><ul><ul><ul><li>Accidental or malicious destruction </li></ul></ul></ul>
  4. 4. Increasing data integrity <ul><li>Standard clerical procedures may be documented and followed for both input and output. </li></ul><ul><li>Input </li></ul><ul><ul><li>Data entry must be limited to authorised personnel only </li></ul></ul><ul><ul><li>In large volume data entry, data may be verified (keyed in twice by different operators) to guard against keying errors </li></ul></ul><ul><ul><li>Data control totals must be used wherever possible to verify the completeness and accuracy of the data, and to guard against duplicate or illegal entry </li></ul></ul><ul><li>Output </li></ul><ul><ul><li>All output should be inspected for reasonableness and any inconsistencies investigated </li></ul></ul><ul><ul><li>Printed output containing sensitive information should be shredded after use </li></ul></ul>
  5. 5. Increasing data security <ul><li>Write-protecting disks </li></ul><ul><li>User IDs and passwords </li></ul><ul><li>Access rights </li></ul><ul><li>Counteracting fraud </li></ul><ul><li>Protecting against viruses </li></ul><ul><li>Communications security </li></ul><ul><li>Disaster planning </li></ul>
  6. 6. User Ids and passwords <ul><li>Usually give access rights to systems </li></ul><ul><ul><li>Passwords must be at least 6 characters </li></ul></ul><ul><ul><li>Password display must be automatically suppressed </li></ul></ul><ul><ul><li>Files containing passwords must be encypted </li></ul></ul><ul><ul><li>Passwords should be: </li></ul></ul><ul><ul><ul><li>Kept confidential </li></ul></ul></ul><ul><ul><ul><li>Not written down </li></ul></ul></ul><ul><ul><ul><li>Not be easily guessed words </li></ul></ul></ul><ul><ul><ul><li>Changed regularly – at least every 3 months </li></ul></ul></ul>
  7. 7. Access Rights <ul><li>In most systems it is not usually necessary for any individual user to have access to all data on a database </li></ul><ul><ul><li>Passwords will hold details of access modes </li></ul></ul><ul><ul><ul><li>Read-Only </li></ul></ul></ul><ul><ul><ul><li>Read/Write </li></ul></ul></ul><ul><ul><ul><li>No Access </li></ul></ul></ul><ul><ul><li>Data may only be accessible at certain times </li></ul></ul><ul><ul><li>This ensures that users will only have access to records that are allowed to see, and may only modify records if they are authorised to do so. </li></ul></ul>
  8. 8. Counteracting Fraud <ul><li>Fraud, malicious damage, or theft of software or data, may be due to disgruntled employees. To counteract this: </li></ul><ul><ul><li>Careful vetting of prospective employees </li></ul></ul><ul><ul><li>Immediate removal of staff who are sacked or resign – cancellation of their passwords </li></ul></ul><ul><ul><li>Separation of duties </li></ul></ul><ul><ul><li>Prevention of unauthorised access – cards, badges and locks </li></ul></ul><ul><ul><li>Passwords </li></ul></ul><ul><ul><li>Education of staff – challenge strangers, log off when not at terminal </li></ul></ul><ul><ul><li>Install security software and appoint staff to audit use of system </li></ul></ul>
  9. 9. Protection against viruses <ul><li>New software should be in tamper-proof packages </li></ul><ul><li>Disallow use of floppy diskettes to import/export software </li></ul><ul><li>Use anti-virus software to </li></ul><ul><ul><li>check all floppy disks before use </li></ul></ul><ul><ul><li>Scan emails before they are accepted </li></ul></ul><ul><ul><li>Disallow email attachments </li></ul></ul>
  10. 10. Biometric measures <ul><li>Biometric methods do not depend upon passwords. They use biological features to identify users: </li></ul><ul><ul><li>Fingerprint recognition </li></ul></ul><ul><ul><li>Voice recognition </li></ul></ul><ul><ul><li>Face recognition </li></ul></ul><ul><ul><li>Infra-red scans to examine pattern of blood vessels </li></ul></ul><ul><ul><li>Iris recognition technology </li></ul></ul>
  11. 11. Communications security <ul><li>Telecommunications systems are vulnerable to hackers </li></ul><ul><li>They use various methods to gain knowledge of user IDs and passwords. </li></ul><ul><ul><li>One method to combat this is to use a callback system. </li></ul></ul><ul><ul><ul><li>On receipt of call from remote user, host computer will automatically call back on a prearranged number to verify access authority before allowing log on. </li></ul></ul></ul><ul><ul><li>Data encryption can also be used to ‘scramble’ highly-sensitive data </li></ul></ul>
  12. 12. Disaster Planning <ul><li>If companies fail to plan for computer failure – through whatever cause – the consequences can be ruinous: </li></ul><ul><ul><li>Loss of business </li></ul></ul><ul><ul><li>Loss of credibility </li></ul></ul><ul><ul><li>Cashflow problems </li></ul></ul><ul><ul><li>Reduced service standards to customers </li></ul></ul><ul><ul><li>Loss of production </li></ul></ul><ul><li>Large companies have comprehensive plans, allowing them to be up and running within days of major catastrophes. Plans often managed by specialist firms </li></ul><ul><li>Smaller companies can survive with less sophisticated systems, but some backup system is vital </li></ul>
  13. 13. Backup strategies <ul><li>Periodic Backups - copy files regularly and keep them in a safe place </li></ul><ul><li>Weaknesses include: </li></ul><ul><ul><li>All updates to a file since last backup may be lost </li></ul></ul><ul><ul><li>System may need to be shut down </li></ul></ul><ul><ul><li>Can be extremely time-consuming </li></ul></ul><ul><ul><li>When failure occurs, recovery can be even more time-consuming </li></ul></ul><ul><li>A benefit is that files which have become fragmented can be reorganised to occupy contiguous space when restored – resulting in quicker access </li></ul><ul><li>Storage is crucial – fire-proof safe on-site plus a copy taken off-site. </li></ul>
  14. 14. Backup strategies <ul><li>Simplest for small business </li></ul><ul><ul><li>Back-up entire hard disk at end of each day </li></ul></ul><ul><li>Can consider just backing up data files and only copy software programs when they change </li></ul><ul><li>Alternatively, if huge quantities of data are involved, backup can be reduced by only backing up those files which have changed since the last back-up. This is known as an ‘incremental backup’. This requires special software. </li></ul>
  15. 15. Backup hardware <ul><li>Small quantities </li></ul><ul><ul><li>Removable disks such as Zip drives. Unit cost less than £100, and diskettes hold 250Mb. </li></ul></ul><ul><li>Larger quantities </li></ul><ul><ul><li>Magnetic tape is usually used. Low-cost drives can store large amounts of data (2 – 8 Gb) on very small cartridges. </li></ul></ul><ul><li>Rewriteable optical disk drive costs around £250 and holds about 650Mb </li></ul><ul><li>RAID (Redundant Array of Inexpensive Disks) </li></ul>
  16. 16. Backing-up on-line databases <ul><li>Database is being constantly updated. Back-up methods include: </li></ul><ul><ul><li>Transaction Logging </li></ul></ul><ul><ul><ul><li>Information about every transaction is recorded on a separate transaction file. </li></ul></ul></ul><ul><ul><ul><li>If systems fails, files can be restored and then updated from the transaction file to reflect the position immediately before the failure </li></ul></ul></ul><ul><ul><li>RAID (Redundant Array of Inexpensive Disks). This technology enables data to be written simultaneously to several disks. </li></ul></ul><ul><ul><ul><li>Three copies of a database may be held – two locally and one on a remote system. If one system fails, then data can still be used on either of the other two. </li></ul></ul></ul>
  17. 17. Factors in back-up strategy <ul><li>What to back up? </li></ul><ul><li>How often? </li></ul><ul><li>What medium to use? </li></ul><ul><li>Where to store the backups? </li></ul><ul><li>Who will do them? </li></ul>
  18. 18. Recovery procedures <ul><li>Keeping backups safe - b ackup copies need to be kept </li></ul><ul><ul><li>in a fireproof safe </li></ul></ul><ul><ul><li>preferably offsite </li></ul></ul><ul><li>How long should you keep backups for? A typical strategy is to: </li></ul><ul><ul><li>Keep the daily backups for a week; </li></ul></ul><ul><ul><li>Keep Friday’s backup for a month; </li></ul></ul><ul><ul><li>Keep one backup each month for a year; </li></ul></ul><ul><ul><li>To prevent mix-ups, give each tape or disk a serial number and keep a log book. </li></ul></ul>
  19. 19. Recovery procedures <ul><li>Testing recovery procedures </li></ul><ul><ul><li>Effectiveness of backup procedures needs to be tested on a regular basis </li></ul></ul><ul><ul><li>This will ensure that a business can recover from a disaster </li></ul></ul><ul><li>Additional contingency plan needs be developed to consider: </li></ul><ul><ul><li>Alternative compatible equipment and security facilities. </li></ul></ul><ul><ul><li>This may include temporary office space </li></ul></ul><ul><ul><li>Provision of alternative communications links. </li></ul></ul><ul><li>These facilities are usually insured against by most sensible companies. </li></ul>

×