Security threats and controls
There is a need to protect data from theft because it is used to make decisions in everyday life. Wrongful storage of data can lead to a number of evil activities if it reaches malicious people.
Data security core principles
• The three core principles of data security, also referred to as information security, are:
1. Confidentiality
2. Integrity
3. Availability
MK
SOLUTIONS
[Diagram: information security as confidentiality, integrity and availability]
Confidentiality
• This implies that sensitive data or information belonging to an
organization or government should not be accessed by or
disclosed to unauthorized people.
• Such data includes office documents, chemical formulae, employees’ details, examinations etc.
Integrity
• Integrity refers to a situation where data should not be modified without the owner’s authority.
Availability
• Information must be available on demand
• This means that any information system, and the communication link used to access it, must be efficient and functional. An information system may be unavailable due to power outages, hardware failures, unplanned upgrades or repairs.
Security Threats and Control Measures
Security threats to private or confidential data include unauthorized access, alteration, malicious destruction of hardware, software, data or network resources, as well as sabotage.
The main objective of data security control measures is to provide security and ensure the integrity and safety of an information system’s hardware, software and data.
Information System Failure
Causes of computerized system failure include
1. Hardware failure due to improper use
2. Unstable power supply as a result of brownout or blackout
and vandalism
3. Network breakdown
4. Natural disaster
5. Program failure
6. Computer virus attacks
Control measures against hardware failure
• Computer systems should be protected from brownout or
blackout which may cause physical damage or data loss by
using surge protectors and UPS
• Most organizations use Fault Tolerant Systems
• A fault tolerant system has redundant or duplicate storage,
peripheral devices and software that provide a fail-over
capability to back up components in the event of system
failure
• Disaster recovery plans – involves establishing offsite storage of an organization’s databases so that in case of disaster or fire accidents, the company would have backup copies to reconstruct lost data from.
Threats from malicious programs
• Malicious programs may affect the smooth running of a
system or carry out illegal activities such as, secretly collecting
information from an unknowing user. Some of the malicious
programs include:
1. Boot sector viruses
2. File viruses
3. Hoax viruses
4. Trojan Horse
5. Worms
6. Backdoors
Malicious Programs Insight
1. Boot Sector Viruses
• They destroy the booting information on storage media.
2. File Viruses
• They attach themselves to files.
3. Hoax Viruses
• They come as email with attractive messages and launch themselves when the email is opened.
4. Trojan Horse
• They appear to perform useful functions but instead perform other undesirable activities in the background.
5. Worms
• This is a malicious program that self-replicates and hence clogs the system memory and storage media.
6. Backdoors
• May be a Trojan or a Worm that allows hidden access to a computer system.
Control measures against theft
1. Employ security agents to keep watch over information
centers and restricted backup sites
2. Reinforce weak access points like the windows, door and
roofing with metallic grills and strong padlocks.
3. Motivate workers so that they feel a sense of belonging in
order to make them proud and trusted custodians of the
company resources.
4. Insure the hardware resources with a reputable insurance
firm.
5. Encrypt and create strong passwords for your data and
access to computers
Piracy
• Piracy is a form of intellectual property theft which means illegal copying of software, information or data. Software, information and data are protected by copyright and patent laws.
Control measures against piracy
• To reduce piracy:
1. Enforce laws that protect the owners of data
and information against piracy
2. Make software cheap enough to increase
affordability
3. User licenses and certificates to identify
original software
4. Set installation passwords that deter illegal
installations of software
Fraud
• Fraud is a deception deliberately practiced in order to
secure unfair or unlawful gain
• Computer fraud is defined as any act using computers,
the Internet, Internet devices, and Internet services to
defraud people, companies, or government agencies of
money, revenue, or Internet access. There are many
methods used to perform these illegal activities.
Phishing, social engineering, viruses, and DDoS attacks
are fairly well known tactics used to disrupt service or
gain access to another's funds.
Sabotage
• Refers to illegal destruction of data and information with the aim of crippling service delivery or causing great loss to an organization.
Threats to privacy and confidentiality
• Privacy means that data or information belonging to an individual should not be accessed by or disclosed to other people. It is an individual’s right to determine for themselves what should be communicated to others.
• Confidentiality – refers to sensitive data or information belonging to an organization or government, which should therefore not be accessed by or disclosed to unauthorized people.
Computer crimes related to data privacy and security
1. Eavesdropping
This refers to tapping into
communication channels to get
information.
Hackers use eavesdropping to access
private or confidential information
from internet users or from poorly
secured information systems
2. Surveillance (monitoring)
This is the monitoring of computer
systems and networks using
background programs such as
spyware, malware and cookies
3) Industrial Espionage
This involves spying on a
competitor to get information that
can be used to cripple the
competitor
4) Hacking and Cracking
•Hacking is the process of gaining
unauthorized access into a system just
for fun and the person who hacks is
called a hacker.
•Cracking is the process of gaining
unauthorized access into a system for
malicious reasons
5) Alteration
•Alteration is the illegal
modification of private or
confidential data and information
with the aim of misinforming
users.
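A control against alteration, and a way to enforce the integrity principle described earlier, is to attach a keyed tag that only the data owner can produce. The following is an added example, not part of the original slides; the record, the key and the function names are constructed for illustration. It contrasts a plain checksum, which anyone can recompute after changing the data, with an HMAC.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key held only by the data owner (assumption, not from the slides).
OWNER_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample record; examinations are one kind of sensitive data the slides name.
SAMPLE = {"student": "A. Example", "exam": "Computer Studies", "mark": 61}


def canonical(record):
    """Serialize a record the same way every time so equal data gives equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(record):
    """Unkeyed SHA-256 checksum: detects accidents, not deliberate alteration."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac_tag(record, key):
    """Keyed HMAC-SHA256 tag: can only be produced by someone holding the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def seal(record, key):
    """Store the record together with both kinds of integrity value."""
    return {"record": copy.deepcopy(record),
            "sha256": plain_digest(record),
            "hmac": mac_tag(record, key)}


def check_plain(sealed):
    return hmac.compare_digest(plain_digest(sealed["record"]), sealed["sha256"])


def check_mac(sealed, key):
    return hmac.compare_digest(mac_tag(sealed["record"], key), sealed["hmac"])


def alter_without_key(sealed, field, value):
    """Model an unauthorized modification: the field is changed and the unkeyed
    checksum is recomputed to match, but the HMAC cannot be, because the key
    is not available to the person making the change."""
    altered = copy.deepcopy(sealed)
    altered["record"][field] = value
    altered["sha256"] = plain_digest(altered["record"])
    return altered


if __name__ == "__main__":
    original = seal(SAMPLE, OWNER_KEY)
    altered = alter_without_key(original, "mark", 95)
    print("original  plain:", check_plain(original), " hmac:", check_mac(original, OWNER_KEY))
    print("altered   plain:", check_plain(altered), " hmac:", check_mac(altered, OWNER_KEY))
```

The plain checksum still verifies on the altered record, while the HMAC check fails, which is why a checksum stored beside the data is not an integrity control on its own.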
Control Measures Against Unauthorized Access
Introduction
• To safeguard information, a number of security measures should be put in place. These include:
A. Firewall
• A firewall is a device or a software system that filters the data and information exchanged between different networks by enforcing the host network’s access control policy.
• The main aim of a firewall is to monitor and control access to or from protected networks.
• People who do not have permission cannot access the network, and those within cannot access firewall-restricted sites outside their networks.
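How a firewall enforces an access control policy in both directions can be shown with a small rule evaluator. This is an added example, not part of the original slides; the rule format, the addresses (documentation ranges) and the function names are assumptions made for illustration, and only IPv4 is exercised.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in" = towards the protected network, "out" = leaving it
    remote: str           # CIDR block of the party outside the protected network
    port: Optional[int]   # destination port; None matches any port


# Constructed policy (hypothetical): rules are checked top to bottom.
POLICY = [
    Rule("deny",  "out", "203.0.113.0/24", None),   # firewall-restricted outside site
    Rule("allow", "out", "0.0.0.0/0", 443),         # web access over HTTPS
    Rule("allow", "out", "0.0.0.0/0", 53),          # DNS lookups
    Rule("allow", "in",  "198.51.100.10/32", 22),   # the one outside host with permission
]


def _matches(rule, direction, addr, port):
    if rule.direction != direction:
        return False
    if addr not in ipaddress.ip_network(rule.remote):
        return False
    return rule.port is None or rule.port == port


def decide(policy, direction, remote_ip, port):
    """First matching rule wins; traffic that matches no rule is denied."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in policy:
        if _matches(rule, direction, addr, port):
            return rule.action
    return "deny"


def shadowed_rules(policy):
    """Indexes of rules that can never fire because an earlier rule already
    covers all of their traffic (a common policy-ordering mistake)."""
    hidden = []
    for j, later in enumerate(policy):
        net_j = ipaddress.ip_network(later.remote)
        for earlier in policy[:j]:
            net_i = ipaddress.ip_network(earlier.remote)
            if (earlier.direction == later.direction
                    and net_i.version == net_j.version
                    and net_j.subnet_of(net_i)
                    and (earlier.port is None or earlier.port == later.port)):
                hidden.append(j)
                break
    return hidden


def audit(policy, attempts):
    """Return one log entry per connection attempt: the 'monitor' half of the job."""
    return [(d, ip, p, decide(policy, d, ip, p)) for d, ip, p in attempts]


# Constructed connection attempts: (direction, remote address, port).
ATTEMPTS = [
    ("in", "192.0.2.7", 22),       # outsider without permission
    ("in", "198.51.100.10", 22),   # permitted host
    ("out", "203.0.113.5", 443),   # insider reaching a restricted site
    ("out", "192.0.2.80", 443),    # insider reaching an ordinary site
]

if __name__ == "__main__":
    for entry in audit(POLICY, ATTEMPTS):
        print(entry)
    print("shadowed rules:", shadowed_rules(POLICY))
```

Placing the broad HTTPS allow rule above the deny rule for the restricted site would let that traffic through; `shadowed_rules` reports such an ordering.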
B. Data Encryption
• This is the process of mixing up data so that only the sender and the receiver can understand it, with the use of an encryption key.
• It is the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.
• There are two main types of encryption: asymmetric encryption (also called public-key encryption) and symmetric encryption.
C. Security Monitors
• These are programs that monitor and keep a log file or record of computer systems and protect them from unauthorized access, e.g.
• Biometric Security: this type of security takes the user’s attributes such as voice, fingerprints and facial recognition.
• Other access control measures include:
  - Enhancing multilevel authentication policies such as assigning users log-on accounts, use of smart cards and personal identification numbers (PIN)
Policies and laws governing information security
Introduction
• Laws, regulations and policies are enacted to regulate and govern data processing and information security. Laws can exist as international laws enacted by ISO - International Standardization Organization and ISF - Information Security Forum
• These are non-profit making organizations that also offer research on best practices
• There are also locally enacted laws to control the IT sector by Parliament, and policies made by the Ministry of Information and Technology
• Examples of laws that exist include:
ICT related acts in Kenya
• The Science and Technology Act, Cap. 250 of 1977
• The Kenya Broadcasting Corporation Act of 1988
• The Kenya Communications Act of 1998
However, these laws are not adequate to address the current issues of IT and ICT.
Kenya ICT Policy
•The government has put in place the
ICT policy that seeks to address issues
of privacy, e-security, ICT registration,
cyber crimes, ethical and moral
conduct, copyrights, intellectual
property rights and privacy
United Kingdom Data Protection Act
1998
• This act protects an individual’s privacy. The act states that no processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information, can be done without the owner’s consent.
United Kingdom Computer Misuse Act
1990
• This act makes computer crimes such as hacking a criminal offence. The act has become a model for many other countries, including Kenya, which have used it to draft their own information security regulations.
Family Educational Rights and Privacy Act (USA)
• This law protects the privacy of student’s
education records. To release any information
from a student’s education record.
Security Breach Notification Laws
• Most countries require businesses, nonprofit,
and state institutions, to notify consumers when
encrypted ‘personal information’ is
compromised, lost, or stolen.
Copyright and Software Protection Laws
• Hardware and Software are protected by either national or
international Copyright, designs and patents laws or Acts.
• These laws seek to address:
i. Data should not be disclosed to other people without the
owner’s permission
ii. Data and information should be kept secured against loss or
exposure
iii. Data and information should not be kept longer than
necessary
iv. Data and information should be accurate and up to date
v. Data and information should be collected, used and kept for
specified lawful purposes.
Review Questions
1. Differentiate between private and confidential data
2. Why is information a useful resource?
3. Explain any three threats to data and information
4. Give two control measures you would take to avoid
unauthorized access to data and information
5. Explain the meaning of industrial espionage
6. Differentiate between hacking and cracking with reference
to computer crimes
7. What reasons may lead to computer fraud?
8. Explain the term ‘information security’
9. Why would data and information on an externally linked
network not be said to be secure even after burglar proofing
a room?
10) How can piracy be prevented in regard to data and
information?
11) Define a computer virus
12) Give four general rules that must be observed to keep
within the law when working with data and information
13) Explain two types of computer viruses
14) What is a program patch? Why are patches important?
15) Explain measures you would take to protect computers from
virus attacks
16) What is data alteration? Explain its effect on data
17) How can you control errors related to data and information?
18) Data and information security has recently become very
important. Explain why?
19) Explain eavesdropping with reference to computer crimes
20) Why are copyright laws for software, data and information necessary?

DATA SECURITY AND CONTROL.ppt
