LO6

Cards (38)

  • Password protection  
    A password could be applied to the file, folder or storage device in which the file is held. This method of protection is effective if the password is strong, and, in most cases, dissuades the casual hacker who simply wants to take a look at your data. However, unless you are using a really complicated password, determined hackers will eventually get into a file. 
  • Encryption of data in transit 
    Data in transit refers to data that is being sent between two users. Generally, this could be via email, but you should be aware that there are many ways in which data could be transferred. As with data at rest, it is good practice to protect data while it is in transit. This protects against data interception as well as theft of the device being used to transport data.  
  • Encryption of data at rest 
    Data at rest refers to data that is stored on digital media while it is not being transferred between devices. It is becoming common practice to encrypt data while it is stored, as one can never be sure when a hacker may attempt to get into a device, or if a device may be lost or stolen. 
  • obfuscation 
    Purposefully making something unintelligible so that it cannot be understood. A human cannot read obfuscated code but, as the meaning remains the same, computers can still understand it. Obfuscation can be carried out by individuals or, more commonly, by specialist software.  
  • Anti-malware applications 
    Any software that protects a computer from malware would fit into this category. Anti-virus protection is the most common generic type, but other types of software, such as popup blockers or anti-spyware tools, would also be included. 
  • firewalls 
    Monitor the traffic in and out of a network; any traffic that does not meet the rules for the firewall will be refused passage in or out of that network. Therefore, data is protected from unauthorized access from outside an organization, as well as being protected from being sent out of a network.  
  • Tiered levels of access to data 
    The application of the staff access rights policy; it is the process of making certain information accessible only to certain staff. Depending on the access relevant to a person's job role, they may not have any access to certain information stored on the system.  
  • Locks & keypads 
    A lock can be used to prevent access to server rooms or sensitive data stores. Only authorized personnel with the right key or the code for the keypad will have access.  
  • biometrics 
    Biometric devices require the input of a human characteristic (fingerprint, iris or voice scan). 
  • RFID and tokens 
    Radio-frequency identification uses electromagnetic fields to identify and track tags attached to physical objects.  
    RFID tags can be embedded within 'dumb' objects such as clothing, packages and animals.  
    RFID is used with security tokens (such as an ID keycard) to permit the access of authorized people to certain areas. 
    RFID can be used by IT companies to track equipment and manage access.  
  • Security staff 
    Staff may be employed to physically prevent unauthorized people from accessing certain areas of a building where sensitive information is stored.  
    They may check ID keycards or use surveillance like CCTV to monitor who is entering and exiting a secure area.  
  • backup 
    Backups should be taken regularly and stored at a secure location away from the main site. 
    Backups could also be stored on cloud servers so that any damage to the organization's building will not affect the backup as well. 
  • Shredding 
    The cutting up of documents (paper or CDs) into small pieces so that they cannot be reassembled and read. Sensitive data on paper or optical disc should be shredded when no longer required.  
  • Location of devices 
    Placing computers and other devices above known flood levels will protect data from being damaged through natural causes such as flooding. Placing machines on a second floor, where flood levels are unlikely to rise, is a simple form of protection.  
  • Biometrics: the measurement and statistical analysis of people's behavioral characteristics.  
  • Loss of intellectual property 
    'Intellectual property' refers to anything that an organization or individual has designed, developed or created themselves. 
    Competitors could use the stolen data as an advantage. 
    The impact depends on how easy the lost data is to recollect or recreate. 
  • Loss of service and access 
    If usernames and passwords are stolen, then individuals may be unable to access services that they need or have paid for. 
    Other services can be targeted with malicious attacks such as DDoS attacks, so users cannot log in to web pages or services. 
  • Failure in security of confidential information  
    Confidential information is of a highly sensitive nature and could have negative impacts if in the hands of unauthorized personnel. 
    Could lead to a loss of reputation, as the organization can be seen as ineffective at protecting data. 
    Could lead to legal consequences under the Data Protection Act 2018.  
  • Loss of information belonging to a third party  
    If services are hacked or taken offline, then customers, especially those who pay for the services, will be furious.  
    Can lead to a loss of reputation, trust and legal proceedings. 
  • Loss of reputation 
    Data loss can immediately cause a loss of reputation and cause customers to look somewhere else and choose their competitors.  
    Being unable to fulfil their legal and moral duty of keeping information safe could lead to a loss of trade, resulting in reduced earnings and sales.  
  • Threat to national security 
    If classified data falls into the hands of hackers who intend to bring harm to others. 
    Spies of foreign countries or terrorists could use the data to target vulnerable locations. 
    Threats could be of an economic nature if large amounts of money are stolen or redirected to malicious bodies.  
  • Unauthorized or unintended access to data 
    e.g. espionage, poor information security policy. 
    Any time data is seen or used by those who should not see or use it. The reasons may be deliberate or accidental. 
    Impacts: competitors may gain an advantage from seeing it,  
  • confidentiality 
    Information can only be accessed by individuals, groups or processes authorized to do so 
  • integrity 
    Information is maintained, so that it is up to date, accurate, complete and fit for purpose 
  • availability 
    Information is always available to and usable by the individuals, groups or processes that need to use it 
  • staff responsibilities:
    companies must have sufficient and effective protection measures in place so that the staff are confident in their role and know their responsibilities for information security.
  • staff responsibilities:
    clearly assigning specific people to roles ensures that they know what their job is and that they are responsible for data loss. organisations need to consider which members have access rights to certain information. staff should be trained so that they know how to handle information, including basic data security techniques and how to protect data from unauthorised access and loss.
  • disaster and recovery planning:
    it is vital that a detailed and effective disaster recovery policy is in place in the event of an unexpected disaster that leads to data loss.
    disasters include natural disasters (fires, floods, lightning), hardware failure (power supply unit failing), software failure (virus damage) and malicious damage (hacking).
  • before the disaster:
    • all possible risks should be analysed to spot weaknesses in planning.
    • preventative measures should be taken e.g. making rooms flood proof.
    • staff training should be done to inform staff on what to do in the event of a disaster.
  • during the disaster:
    • staff response is very important: employees should follow their training.
    • contingency plans should be put into action whilst the disaster is taking place, such as uploading recent data to cloud storage.
  • after the disaster:
    • recovery measures should be followed, such as using backups to repopulate computer systems.
    • replacement hardware needs to be purchased for damaged hardware.
    • software needs to be reinstalled on the new hardware.
    • disaster and recovery plans should be updated and improved.
  • assessment and effectiveness:
    organisations should conduct information security risk assessments periodically to ensure their physical and logical measures are up to date and provide the most effective methods of protection. there may be training drills of what should happen in the event of a disaster so that the company is prepared. the testing can help identify any weak points and fix the vulnerabilities.
  • Accidental loss of data 
    e.g. human error, equipment failure. 
    Accidental loss refers to a loss of the data itself rather than a loss of a copy or version of the data. 
    Can be caused by human error. 
    Can be caused by a technical error or equipment fault, such as a backup failure. 
    Impacts: if the lost data is personal, this is a DPA breach, which could lead to prosecution. 
  • Intentional destruction of data 
    e.g. computer virus, targeted malicious attack. Generally seen as being motivated by a desire to harm the organization that holds the data. Examples include computer viruses that delete or encrypt data that is held, or a targeted attack that involves a third party accessing the data and deleting it. 
    Two options if data is lost: 1. the data needs to be replaced, which could result in loss of reputation and trust as well as costing money; 2. the loss can be ignored, but this means any positive impact of being able to use the data is also lost. 
  • Intentional tampering with data 
    Tampering with data means that data is changed in some way, but is still available. There are a number of reasons for this. The impact on the data-holding organization would be that decisions based on that data would be flawed. A secondary impact may be a negative effect on the reputation of that organization, as they are seen as having poor data security.  
  • Before the disaster  
    • All possible risks should be analysed to spot weaknesses in planning. 
    • Preventative measures should be taken e.g. flood-proofing rooms 
    • Staff training should take place  
  • During the disaster 
    • Staff response is very important: they should follow training and ensure protection measures are in place 
    • Contingency plans should be implemented e.g. uploading recent data to cloud storage 
  • After the disaster 
    • Recovery measures should be followed  
    • Replacement hardware needs to be purchased for damaged equipment 
    • Software needs to be reinstalled on new hardware 
    • Disaster recovery plans should be reviewed, updated and improved.