ICT Security Policies (presentation transcript)


1 ICT Security Policies: Security Policies
What is a policy? The aims or plan of action of a person or group. (School OED)
What is security? Precaution against theft; keeping something safe and secure. (School OED)
What do we need to apply policies to?

2 ICT Security Policies: ICT Systems
What are the main features of an ICT system in a business?

3 ICT Security Policies: ICT systems in a business consist of
- Hardware (computers, monitors, peripherals)
- Software (operating systems, applications)
- Data (the information the company needs in order to work, e.g. customer orders)
- Data storage (hard drives, CD, DVD, flash memory)
- Communication (networking, intranet, Internet)
- People who use them (key-to-disk operators, managers)
What are the threats to data and systems?

4 ICT Security Policies: Threats to data
Deliberate:
- Terrorism
- Criminal vandalism/sabotage
- White-collar crime (theft, fraud)
Accidental:
- Floods and fire
- Accidental altering of data
- Natural disasters

5 ICT Security Policies: Companies must
- Ensure data, hardware and software are not lost or damaged.
- Restore communication systems as quickly as possible in the event of a problem.
What are the possible consequences of these threats becoming a reality?

6 ICT Security Policies: Consequences
Any of the threats previously mentioned could result in the loss of systems and data, leaving the organisation unable to function. The organisation could suffer:
- Loss of income, e.g. a catalogue firm that cannot access its orders data.
- Loss of business reputation, e.g. an insurance company unable to process claims from its customers.
- Legal action, e.g. prosecution under the Data Protection Act or the Computer Misuse Act.

7 ICT Security Policies: Deliberate Threats
- Terrorism, e.g. the Oklahoma City bombing of the federal building on 19 April 1995 destroyed federal records.
- Criminal vandalism/sabotage, e.g. the deliberate destruction of network servers by introducing viruses.
- Theft of data by employees to sell to competitors.
- White-collar crime such as the deliberate altering of data in a database, e.g. transferring funds from company accounts into private accounts.

8 ICT Security Policies: Accidental Threats
- Floods and fire, e.g. when the Buncefield oil terminal exploded it destroyed the company records of businesses on a nearby industrial estate.
- Accidental altering of data, e.g. an inexperienced employee deleting an order from a customer file.
- Natural disasters, e.g. the tsunami that destroyed population, birth, death and bank records.
How can we protect against these?

9 ICT Security Policies: Prevent accidental loss
Accidental destruction of files due to fire, terrorism, floods. Backup systems must be described:
- Keep backup files offsite and in fireproof containers.
- Use an online tape or disc streamer which automatically backs up data on a network.
- Use a grandfather-father-son rotation in batch processing systems, e.g. payroll: each run keeps the current file (son), the previous one (father) and the one before that (grandfather), so an error in the latest file can be recovered from an older generation.
- RAID (Redundant Array of Independent Disks), e.g. mirrored discs, so that the failure of one disc does not lose the data.
Accidental destruction of files due to human error etc.:
- Validation and verification measures.
- Prevent overwriting.
- Levels of access and rights.
- Mark files or media as read-only.
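The grandfather-father-son rotation above is usually applied to dated backups: the last few daily backups are the sons, the newest backup of each recent week is a father, and the newest backup of each recent month is a grandfather; everything else is expired. The following is an added example, not code from the presentation, that generalises the three-generation rule to configurable daily/weekly/monthly counts; the backup dates are constructed for the demonstration.

```python
from datetime import date, timedelta


def gfs_retention(backups, daily=7, weekly=4, monthly=12):
    """Return the set of backup dates to keep under grandfather-father-son.

    sons:         the `daily` most recent backups
    fathers:      the newest backup in each of the `weekly` most recent ISO weeks
    grandfathers: the newest backup in each of the `monthly` most recent months
    A date kept by more than one rule is simply kept once.
    """
    ordered = sorted(set(backups), reverse=True)   # newest first
    keep = set(ordered[:daily])

    weeks_seen = []    # (iso_year, iso_week), newest first
    months_seen = []   # (year, month), newest first
    for d in ordered:
        # Because we walk newest-first, the first date we meet in a
        # week or month is that period's newest backup.
        week = tuple(d.isocalendar()[:2])
        if week not in weeks_seen:
            if len(weeks_seen) < weekly:
                keep.add(d)
            weeks_seen.append(week)

        month = (d.year, d.month)
        if month not in months_seen:
            if len(months_seen) < monthly:
                keep.add(d)
            months_seen.append(month)
    return keep


def rotation_plan(backups, **kwargs):
    """Split a list of backup dates into (keep, expire)."""
    keep = gfs_retention(backups, **kwargs)
    expire = set(backups) - keep
    return keep, expire


# Constructed sample: 400 consecutive nightly backups ending on 2024-03-31.
SAMPLE_BACKUPS = [date(2024, 3, 31) - timedelta(days=i) for i in range(400)]

if __name__ == "__main__":
    keep, expire = rotation_plan(SAMPLE_BACKUPS)
    print(f"keeping {len(keep)} of {len(SAMPLE_BACKUPS)} backups, expiring {len(expire)}")
    for d in sorted(keep):
        print(" ", d)
```

With the defaults this keeps 7 daily, 4 weekly and 12 monthly backups (21 distinct dates, since the newest backup satisfies all three rules); the practical check before expiring anything is that the oldest grandfather really is a restorable copy, not just a date in a list.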

10 ICT Security Policies: How can we prevent deliberate threats? (which include)

11 ICT Security Policies: Prevention of malicious damage
- Hacking (unauthorised access)
- Spreading a computer virus
- Computer fraud
- Physical destruction by vandalism and terrorism

12 ICT Security Policies: Hacking, unauthorised access. Prevention
- Define security status and access rights for users.
- All authorised users should be given user names and passwords. This limits unauthorised access to the network.
Hierarchy of passwords:
- Identification: user name (who the user claims to be)
- Authentication: password (proof of that claim)
- Authorisation: what files you can see and what you are allowed to do with them
- Restrict physical access to files, e.g. smart cards to control entrance to rooms; secured areas to hold servers.
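The three steps of the hierarchy are distinct checks, and a system that stops after the second (a valid password grants everything) has no authorisation layer at all. The following is an added example, not code from the presentation, of the three checks in sequence: the user name selects a record, the password is verified against a salted PBKDF2 hash (so the stored table does not reveal passwords if stolen), and a separate rights table decides whether the action on the named file is permitted. The users, passwords, files and rights are constructed for the demonstration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000


def make_record(password: str) -> dict:
    """Store a per-user random salt and the PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed user table (identification -> authentication data).
USERS = {
    "jsmith": make_record("correct horse battery"),
    "clerk1": make_record("payroll-2024"),
}

# Constructed rights table (authorisation). A missing entry means no access.
RIGHTS = {
    ("jsmith", "orders.db"): "read-write",
    ("clerk1", "orders.db"): "read",
    ("clerk1", "payroll.db"): "read",
}

# Dummy salt so that unknown user names cost the same time as wrong passwords.
_DUMMY_SALT = os.urandom(16)


def authenticate(username: str, password: str) -> bool:
    """Return True only if the password matches the stored hash for the user."""
    record = USERS.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), _DUMMY_SALT, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def authorise(username: str, filename: str, action: str) -> bool:
    """Map the user's right on the file (none / read / read-write) to the action."""
    right = RIGHTS.get((username, filename))
    if action == "read":
        return right in ("read", "read-write")
    if action == "write":
        return right == "read-write"
    return False


def access(username: str, password: str, filename: str, action: str) -> str:
    """Run identification, authentication and authorisation in order."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorise(username, filename, action):
        return "denied: not authorised"
    return "allowed"


if __name__ == "__main__":
    print(access("jsmith", "correct horse battery", "orders.db", "write"))
    print(access("clerk1", "payroll-2024", "orders.db", "write"))
    print(access("clerk1", "wrong password", "orders.db", "read"))
```

Note that the function reports authentication failure identically for an unknown user name and a wrong password; telling the two apart would let an attacker enumerate valid user names.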

13 ICT Security Policies: Prevention of malicious damage, hacking (cont.)
- Biometric scans, such as voice or hand prints and retina scans.
- Firewalls: hardware or software placed between the organisation's network and outside connections. A firewall checks traffic entering (and leaving) the network against a set of rules and blocks what is not permitted, so it limits which remote users and services can reach the network at all. (A special environment set up to trap a hacker and observe them is a honeypot, not a firewall.)
- Proxy servers: a device that sits between user workstations and the Internet so that outside sites see the proxy's IP (Internet Protocol) address rather than the address of the workstation, making internal machines harder for an intruder to identify.

14 ICT Security Policies: Prevention of malicious damage, hacking (cont.)
- Call-back procedures. Some companies operate a dial-back system: a user logs on to a computer, which immediately disconnects the line and dials the user back on a pre-registered number. This stops someone logging on from elsewhere with another user's password.
- Encryption. Data transmitted over a network is encoded before transmission, so anybody intercepting it cannot understand it. The data is decoded by the proper recipient, who holds the key; the protection depends on the key being kept secret.

15 ICT Security Policies: Spreading a computer virus
Viruses are programs introduced into computer systems which destroy or alter files by overwriting data, or by copying themselves over and over until the computer system is full and cannot continue.
Prevention:
- Don't download unknown programs from the Internet or open e-mail attachments straight onto the hard disc. Only use reputable sources.
- Write-protect media so they cannot be written to.
- Don't copy illegal (pirated) software.
- Use virus-scanning and virus-eradication software, and keep it up to date with the latest virus definitions, available from the Internet.
- Use diskless workstations on networks.

16 ICT Security Policies: Computer fraud, white-collar crime
- Bogus data entry, e.g. entering a fictitious bank customer.
- Bogus output: output may be destroyed to prevent discovery of fraudulent data entry or processing.
- Alteration of files, e.g. an employee alters their own salary rate or hours worked.
Prevention of white-collar computer crime:
- All programs and users' actions should be monitored and logged.
- All users should be identifiable and all files capable of being audited.
- Keep online transaction logs.
- Auditing procedures to detect fraud.
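A transaction log only detects fraud if someone, or something, actually reads it. The following is an added example, not code from the presentation, that runs three audit rules over a constructed transaction log in a key=value format invented for the demonstration: an employee changing their own payroll record (the separation-of-duties case on the slide), updates made outside normal working hours, and a pay-rate increase larger than a threshold. The user names, employee IDs, threshold and log lines are all assumptions.

```python
from datetime import datetime

# Constructed transaction log: one line per logged action.
SAMPLE_LOG = """\
2024-03-04T09:12:44 user=hradmin action=UPDATE table=payroll record=E1042 field=hours old=37.5 new=39.0
2024-03-04T09:20:03 user=clerk1 action=UPDATE table=payroll record=E1042 field=hours old=39.0 new=45.0
2024-03-05T02:41:10 user=hradmin action=UPDATE table=payroll record=E1001 field=rate old=12.50 new=18.00
2024-03-05T10:05:52 user=jsmith action=READ table=orders record=O77
2024-03-05T10:07:15 user=hradmin action=UPDATE table=payroll record=E1500 field=rate old=20.00 new=20.50
"""

# Constructed mapping from login name to the payroll record of that employee.
EMPLOYEE_OF = {"clerk1": "E1042", "jsmith": "E1001", "hradmin": "E1500"}

WORKING_HOURS = range(7, 19)   # 07:00 to 18:59 counts as in-hours
RATE_JUMP_FACTOR = 1.25        # flag pay-rate rises of more than 25%


def parse_log(text):
    """Turn each log line into a dict with a parsed timestamp."""
    entries = []
    for line in text.strip().splitlines():
        timestamp, rest = line.split(" ", 1)
        fields = dict(pair.split("=", 1) for pair in rest.split())
        fields["time"] = datetime.fromisoformat(timestamp)
        entries.append(fields)
    return entries


def audit(text):
    """Return a list of alerts, each naming the rule, the time and the user."""
    alerts = []
    for e in parse_log(text):
        def alert(rule):
            alerts.append({"rule": rule, "time": e["time"].isoformat(), "user": e["user"]})

        if e.get("action") != "UPDATE":
            continue   # reads are logged but none of these rules concern them

        # Separation of duties: nobody may edit their own payroll record.
        if e.get("table") == "payroll" and EMPLOYEE_OF.get(e["user"]) == e.get("record"):
            alert("self_modification")

        # Unusual pattern of use: updates outside working hours.
        if e["time"].hour not in WORKING_HOURS:
            alert("out_of_hours")

        # Large pay-rate increases are worth a second look even when in-hours.
        if e.get("field") == "rate" and float(e["new"]) > float(e["old"]) * RATE_JUMP_FACTOR:
            alert("rate_jump")
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"{a['time']}  {a['user']:8}  {a['rule']}")
```

Two design points carry over to a real audit trail: the log must record who, when, what record, and old and new values (without the old value the rate-jump rule cannot be written), and the log itself must be protected from the users it monitors, otherwise the "bogus output" problem on the slide simply moves to the log.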

17 ICT Security Policies: Threat, consequence, prevention

Threat                        | Consequence                  | Prevention
------------------------------|------------------------------|-----------------------------------------------
Terrorism                     | Loss of business and income  | Backups
Criminal vandalism/sabotage   | Legal action                 | Restrict access
White-collar crime            | Loss of reputation           | Audit trails, transaction logs
Floods and fire               | Loss of business and income  | Backups kept offsite
Accidental altering of data   | Loss of business and income  | Validation, verification, read-only / write protection
Natural disasters             | Loss of business and income  | Online backups kept in a different city

18 ICT Security Policies: ICT Security Policy Document
This document aims to reduce the risk from potential threats, both deliberate and accidental.

19 ICT Security Policies: ICT Security Policy Definition
A security policy is a formal document which sets down the rules, procedures and responsibilities associated with the protection of information systems: the hardware and software used to run them and the data they contain. This policy should be written by senior management, who have strategic responsibility for the organisation.
What factors should be taken into account when designing security policies?

20 ICT Security Policies: The factors to take into account when designing security policies
- Physical security
- Prevention of misuse
- Availability of an alternative computer system and backup power supply
- Audit trails for detection
- Operational procedures*
- Continuous investigation of irregularities
- System access: establishing procedures for accessing data, such as log-on procedures and firewalls
- Disaster recovery planning and dealing with threats from viruses
- Personnel administration: staff code of conduct and responsibilities; staff training; policy and maintenance staff available; disciplinary procedures

21 ICT Security Policies: *Operational Procedures
- Disciplinary procedures.
- Screening potential employees.
- Routines for distributing updated virus information and virus-scanning procedures.
- Define procedures for downloading from the Internet, use of USB discs, personal backup procedures.
- Establish security rights for updating web pages.
- Establish a disaster recovery programme.
- Set up auditing procedures (audit trails) to detect misuse.

22 ICT Security Policies: Example ICT Security Policy

23 ICT Security Policies: All organisations should have a SECURITY POLICY
The first step in creating such a policy is to find out what the RISKS are, and their possible effects upon the company. This is known as risk analysis.

24 ICT Security Policies: Factors determining how much a company spends on controls to minimise risk
- Identifying potential risks
- Assessing the likelihood of each risk occurring
- Short- and long-term consequences of the threat
- How well equipped the company is to deal with the threat
Costs are not always financial.

25 ICT Security Policies: 1. What to do before?
Do a risk analysis of potential threats:
- Identify potential risks
- Likelihood of each risk occurring
- Short- and long-term consequences of the threat
- How well equipped is the company to deal with the threat
Put preventive measures in place:
- Establish a physical protection system (firewalls etc.)
- Establish security rights for file access and updating web pages
- Establish a disaster recovery programme
- Set up auditing procedures (audit trails) to detect misuse
Staff training in operational procedures:
- Screening potential employees
- Routines for distributing updated virus information and virus-scanning procedures
- Define procedures for downloading from the Internet, use of USB drives, personal backup procedures
- Define a staff code of conduct for using computer systems, e.g. no abusive e-mails, no illicit use etc.

26 ICT Security Policies: 2. What to do during?
What response should staff make when the disaster occurs?
3. What to do after? Implement recovery measures
- Hardware can be replaced.
- Software can be re-installed (or de-bugged by the programming department).
- The real problem is the data. No business can afford to lose its data.
- Backups of all data should be made regularly. The worst-case scenario is then that the business has to go back to the situation at the last backup and carry on from there. Backups may take a long time and are often tape-streamed at night.
- Alternative communication/computer systems may be arranged in case a network goes down, and an alternative power supply.

27 ICT Security Policies: What methods or practices are available to an organisation that wishes to protect its ICT systems?
Many methods are available; some or all should be used by organisations that want to protect their valuable data. These methods are known as LAYERS of SECURITY (CONTROL).

28 ICT Security Policies: Layers of Control
(Diagram: concentric layers around IT SYSTEMS AND DATA, from the outermost inwards, each with its controls.)
- Personnel screening: hiring policies, separation of duties, education and training, establishing standards of honesty
- Operational security: audit trails, unusual patterns of use, virus checks, backup and recovery procedures
- Communications security: automatic callback, encryption, hand-shaking procedures
- Authorisation software: access rights (e.g. no access, read-only, read-write)
- Terminal use controls: locks, swipe cards, biometric measures (e.g. fingerprint recognition)
- Building security: guards, IDs, visitor passes, sign in/out
Threats shown outside the layers:
- Espionage, fraud and theft, threats, blackmail
- Errors in programming, input and output procedures, operations
- Natural disasters and accidents
- Invasions of privacy, virus introduction, malicious destruction of data

29 ICT Security Policies: Layers of control
- Building and equipment security: locks and window grills, guards, alarms and automatic fire extinguishers, ID cards, visitor's pass.
- Authorisation software: user IDs and passwords.
- Communications security: databases are vulnerable to outside hackers. Combat illegal access with callback, handshaking, encryption.
- Operational security: audit controls track what happens on a network.
- Audit trail: a record that traces a transaction.
- Personnel safeguards: users and computer personnel within an organisation are more likely to breach security than outsiders.

30 ICT Security Policies: Case Study, War on the Web
Should we be more worried about terrorists using digital weapons rather than chemical and biological attacks? A cyber-terrorist attack on our "critical information infrastructure", the electronic systems vital for government, armed forces, business, finance, telecommunications, utilities and energy services, could paralyse the country and bring all these systems to a grinding halt. It is not hard to imagine terrorist organisations training and preparing hackers and virus writers around the world for a large-scale, co-ordinated assault that piles attack upon attack until systems fall over. It would be cheap and involve little risk of those involved ever being caught.
What can organisations do to protect themselves from cyber-terrorists?

