Presentation is loading. Please wait.

Presentation is loading. Please wait.

Welcome to the ICT Department Unit 3_5 Security Policies.

Published byStanley Hall Modified over 7 years ago

Similar presentations

Presentation on theme: "Welcome to the ICT Department Unit 3_5 Security Policies."— Presentation transcript:

1 Welcome to the ICT Department Unit 3_5 Security Policies

2 What are we going to cover? The corporate security policy Risk analysis Handling risk Audit

3 What are we going to cover? Security Policy Risk Analysis Handling risks Legal requirements Audit

4 The corporate security policy Must be got right because of cost and user confidence. We have a security policy in order to: Prevent misuse (integrity, loss, privacy) Detection Investigation Procedures Responsibilities Disciplinary procedures Damage limitation Recovery

5 The corporate security policy The security policy must contain: Awareness / education Administrative controls Operational controls Physical protection Access controls to systems Disaster recovery plan

6 The corporate security policy In other words: Prevention Detection Recovery

7 Threat detection What are the threats to security? ACCIDENTS PhysicalLogical Hardware failure, network or power failures Human error “Acts of God”Bugs Configuration faults DELIBERATE PhysicalLogical Theft or damageFraud SabotageViruses and their kin Hackers Piracy

8 Performing a risk analysis The risk must be assessed. Can be conducted by: Looking at past records How much it will cost the company if… High / medium / low Here’s one to look at…..clickclick

9 Performing a risk analysis Consequences include: Interruption of processing Destruction of storage media Disclosure of sensitive information Delayed deliveries Loss of customer goodwill Bad information Corruption of records Slow network Theft of hardware or software Loss of production Loss of money Penalties from authorities Loss of competitive position System failure Business failure

10 Performing a risk analysis Consequences of disaster can include: Interruption of processing Destruction of storage media Disclosure of sensitive information Delayed deliveries Loss of customer goodwill Bad information Corruption of records Slow network Theft of hardware or software Loss of production Loss of money Penalties from authorities Loss of competitive position System failure Business failure

11 Contingency Plan Objectives Limit financial losses Minimise the extent of interruption Define service alternatives Controlled emergency recovery Regain total processing capability Training

12 Avoiding Disaster How do we avoid the disaster in the first place? Tighten Operational Standards Rationalise practises Making sure that hard and software is compatible and therefore transferable Data is inputted – processed – outputted to the right people at the right time Disaster recovery plans Identify users and their roles Identify areas of vulnerability

13 Contingency Plan Criteria used to select a plan Scale of the organisation Nature of the operation Relative costs Likelihood

14 Legislation You must be familiar with the legislation and its purpose before you go any further. Confidentiality and privacy (The DPA) Copyright and software protection (The Copyright and Patents Act Health and Safety (Doh!) ICT and crime (The Computer Misuse Act)

15 DPA Be able to recite the 8 principles Learn exceptions and offences Give as many examples of breaches and how you would prevent them. Relate them to data being held e.g. Putting terminals in non-public places Shredding documents Liability insurance Cost of registration

16 The Computer Misuse Act You must be able to recite the three levels. And have an idea of penalties. Give as many examples of breaches as you can and how you would try and prevent them. Use examples directly related to misuse e.g. Strong rules / codes of practice / procedures (what happens if inappropriate material is downloaded) Staff Training (no excuses) Constant checking Whistle – blowing procedures

17 The Copyright and Patents Act Give as many examples of breaches as you can and how you would try and prevent them. Use examples directly related to this act e.g. Prevention of installing any software Make employees aware of consequences Copyright of software developed on site is held by company (usually) Regular checks of stations Lock down floppies / CD drives etc

18 The Security Policy Remember. You are being tested not only on the prevention, but on the procedures, policies and guidelines that contain the who, where, when and how!

19 Disaster recovery plan Must minimise loss by ensuring safety, minimising damage and enabling recovery to work. Then to minimise the consequent effects. The plan should include: Step by step documentation A list of all critical resources A method for securing all necessary resources What hardware and software are essential Training Providing redundant servers etc Regular drills

20 Audits What is an audit? Essentially it’s a check or survey made by the company (or consultant) to see that all of the hardware and software that the company says its purchased is present and to check that there is no other hard or software present that has not been listed.

21 Audits Why audit? Identify errors or breaches of policy To monitor efficiency Legal requirement Allows better planning Allows standardisation Insurance assessment

22 Audits What are you checking? Software licenses Reconcile records (of hard and software) Data integrity (Which ones stop which security breaches?)

23 Audits How do they check data? Make sure all entries are correct No duplicates Additions (all calculations) are correct Documentation exists

Download ppt "Welcome to the ICT Department Unit 3_5 Security Policies."

Similar presentations

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
Unit 4- Assignment 3 P5, P6, M2 BTEC Business Level 3.

Unit 4- Assignment 3 P5, P6, M2 BTEC Business Level 3.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Information Technology Control Day IV Afternoon Sessions.

Information Technology Control Day IV Afternoon Sessions.
Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.

Computer viruses Hardware theft Software Theft Unauthorized access by hackers Information Theft Computer Crimes.
Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning
9 - 1 Computer-Based Information Systems Control.

9 - 1 Computer-Based Information Systems Control.
Security Controls – What Works

Security Controls – What Works
Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.

Chapter 16 Security. 2 Chapter 16 - Objectives u The scope of database security. u Why database security is a serious concern for an organization. u The.
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Factors to be taken into account when designing ICT Security Policies

Factors to be taken into account when designing ICT Security Policies
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Business Continuity Check List PageOne. - Why Does Your Business Need A Continuity Checklist? Should the unexpected occur, your business will be able.

Business Continuity Check List PageOne. - Why Does Your Business Need A Continuity Checklist? Should the unexpected occur, your business will be able.
Higher Administration

Higher Administration
General Awareness Training

General Awareness Training
Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.

Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.

Similar presentations

Ads by Google