The diagram shows the levels of security and threats that impinge on a company’s ICT system.
Topic 6 – Legal Issues with ICT
In the exam you are expected to:
In Module 1 we saw that there are three important pieces of legislation that affect the use of computers:
In this topic, we are going to look in more detail about the external pressures on companies that are brought to bear by the need for security and the need to comply with relevant legislation.
If you want to revise this from Module 1, click HERE
The accidental or deliberate destruction of data could have a devastating effect on a company. While paper records were bulky, it was quite difficult to do damage without being noticed. Paper records are surprisingly fire-proof, and many a company has found in the past that their paper records have survived remarkably intact a major fire. They may be a bit singed about the edges and/or soggy, but they could be used.
This is not the case with computer records. They can be altered or even destroyed with just a few keystrokes. Data has to be kept secure from physical or software threats (data security). Data integrity (prevention of accidental or unauthorised alteration) is essential to ensure that the data are of good quality. Security threats are shown in the table:
|
Threat |
Example |
|
Human Error |
Mistakes in entry Program errors Operator error (e.g. loading the wrong disks) |
|
Computer Crime |
Hacking Theft of data Illegal modification of data Viruses and Logic bombs |
|
Natural disasters |
Fire Flood Storms |
|
War and terrorist activity |
Explosive bomb Cyber-terrorism |
|
Hardware failure |
Power failure Disk head crash HDD failure Network failure |
Just hoping and praying that no such problem should affect a company is not an option. Computers are complex devices that are remarkably reliable, but even the best hardware can go wrong. I have experience of this myself. In my job as a teacher, I use a computer a great deal, and several months ago my computer had a major failure of a hard disk drive. While the HDD itself was under guarantee and was replaced, all the data were lost. Fortunately I had most of it backed up in some way or another, so not a great deal was lost in the end.
For a company, such a failure would be crippling, so ICT security must be a strategic issue to be dealt with by the bosses. A risk analysis might include:
The diagram shows the
levels of security and threats that impinge on a company’s ICT system.
It is not unknown for a person posing as an employee or a contractor to walk straight into the room containing a company’s ICT equipment and lift the server. And walk out with it unchallenged.
The obvious ways of keeping unwanted people away from ICT equipment are physical barriers such as locks, grilles security fences to prevent break-ins. Automatic fire protection measures are also common. In earthquake prone areas, the structure of the building is important.
Even genuine employees may have to be restricted. Employees may carry an ID card, which allows them into certain parts of the company’s building, but not into others. The card may have a magnetic stripe, or a chip, or a barcode.
Visitors can be issued with a pass that is valid for the day of issue only. Some passes are treated with a special ink; after a period of time, the word EXPIRED appears.
The visitors are logged into a book, and records are kept of who is in the building and who has left. Visitors are asked to sign out and surrender their passes once their business is done. As well as security, there are important Health and Safety implications. If there were a fire, the log would indicate rapidly if there were a visitor still in the building.
There are various biometric parameters that can be used. These include fingerprint recognition, and iris recognition. The fingerprint is scanned with a special scanner, and the door will unlock only on successful recognition.
User Ids and Passwords are obvious security measures. The problem is that people are not very good with their use:
Some companies insist on changing the passwords every month. Some passwords are random combinations of characters, e.g. 7dX#98Td, which need to be written down, otherwise they would be instantly forgotten. Passwords in computers are encrypted, and there is no way of decrypting them.
Access rights can be built into the software:
Databases can be protected using any of these procedures:
Most networks can carry out audit trails, which can track all the events that go on in a network. These can reveal any abnormal or unauthorised use of terminals on the network. They can tell the ICT administrator:
Audit trail software can also trace all the processing done on a transaction from start to finish.
All companies must have their accounts audited by accountants and this software can be used to show how each figure is arrived at, from the source files, intermediate files, right through to the final figures.
The vast majority of breaches in data security are from within the organisation, and this can come from any level from the computer operators to a company director. They may be motivated by a grudge, financial gain, or by fanatical or irrational behaviour to:
Whatever their motivation, they are in a good position to do it. This can be countered by motivating employees to be alert to security breaches and making a big issue of them to deter computer crime.
Duties can also be
separated so that no one person is responsible for all the steps of a
transaction. This makes it more difficult for a person to perpetrate a theft or
fraud.
Setting Up a Security Policy
Security is an important issue in any organisation, and there will inevitably be a conflict between security and accessibility. A school system is relatively insecure to allow good accessibility by students. A company system would have very strict security. Bringing in data on a floppy disk may result in dismissal.
If nobody abides by the security policy, then it’s useless. Employees must be made aware of the policy and why it’s there. Procedures must be taught, and the norms of ethical behaviour should be instilled as a matter of routine.
A typical security policy would cover:
· Awareness and Education – requirements and timetable;
· Administrative Controls – Formal standards and procedures need to be in place. Personnel are carefully screened during recruitment. Duties are separated (it would require collusion to perpetrate a fraud). Security breaches would be a disciplinary offence.
· Operational Controls – procedures are needed for backing up data. Access to data is controlled by use of smart cards, and/or signing in or out procedures.
· Physical protection of data – Access is restricted to sensitive areas. There is protection from fire and flood. Power supplies should be uninterruptible. There are devices that can do this.
· Access Control to the system – passwords, different levels of access, encryption of sensitive data. Audit controls to detect misuse of the system.
The major issue that a good security policy must have is a detailed disaster recovery plan.
A disaster always comes when it is least expected. It may be from someone spilling a cup of coffee into the computer or a JCB digging through a cable, to a major fire or a massive explosion. A head-crash or other hard drive failure can obliterate all the vital data. The picture shows a scratch on a magnetic surface caused by a headcrash.
It has been shown that for most organisations, they are working at 96 % capacity one day after the disaster, but this falls off to 10 % at the 10th day. It is reckon that 90 % of businesses who lose data cease trading within two years. Of these, 43 % go out of business almost immediately.
If the loss puts public safety in jeopardy, legal action from the Health and Safety Executive will follow. If financial data is put into jeopardy, massive fines can ensue.
Some companies make their business from recovering data from damaged hard drives. This costs a fortune, but is relatively small compared with the losses that would happen otherwise.
Insurance can only cover the replacement costs for hardware and software, not the consequent losses, so it is not a substitute for disaster planning. Also the premiums would be based on whether or not the company had a satisfactory disaster recovery plan or not.
The key point is that a company should be able to be up and running in the shortest possible time. So a security plan would have these elements:
A disaster recovery plan would be based on back-ups, which can be in any of these forms:
One case occurred where a thief walked into a company’s office, bold as brass, and walked off with the file server. Fortunately everything was backed up, so little work was lost. The owner of the company was able to get another file server from a local retailer at very short notice and by the end of the day the company was trading as if nothing had happened.
Even a non-commercial computer user such as a teacher should have a disaster back-up plan. My own consists of having all my data for my job as a teacher on my computer at home, which has a RAID (redundant array of inexpensive disks), and on my laptop computer which I use at work. In my office I also have my old PC that I had at home, on which I put all my work data. Data transfer between the computers is via a flash memory. It’s not perfect, but should the worst happen, I still have my most important data.
http://www.lyonware.co.uk/Disaster-Recovery-Software/Disaster-Recovery-Software.htm
Selecting a Contingency Plan
Extra provision can be costly, but it needs to be compared with the cost of a disaster. These factors need to be taken into account:
The Data Protection Acts of 1984 and 1988 are there to protect the privacy of individuals on whom data are held:
Organisation working with data held on people must have a data protection policy. A typical one might focus on Customer Service and Organisational Culture:
Under the Copyright Designs and Patents Act 1988, it is illegal to copy software and run pirated software. Advice is given to companies by the Business Software Alliance that recommends:
Such procedures might contain:
As well as depriving legitimate software companies and individuals their intellectual copyright, pirate software is often of an inferior quality and may be deliberately, or otherwise, riddled with viruses. As well as the risk of fines or imprisonment, the use of pirate software can lead to critical failures, the introduction of viruses.
“Prevention is better than cure” is an old saw, but very true with the use of computers. Health complaints can arise from bad equipment, bad environment, bad working practices, and so on. The way people interact with computers can have an affect on physical and mental health, including problems like:
Employers should avoid incentive scheme that increase data entry rates which can induce RSI.
Under the Health and Safety at Work Act, employers have an obligation to provide a safe working environment, and employees have an obligation to cooperate with the employer to ensure that all working practices are safe. Employees are obliged also to bring any problem to the employer’s attention and cooperate in the correction of such problems. Good employers will involve staff with the choice of furniture, equipment and software, as well as the arrangement of the office. This gives employees a sense of ownership of their workspace.
Employers must provide workstations that comply with the HSA and must appoint a competent employee recognised as such by the HSE (or an independent professional ergonomist) to consider factors like:
Also good practice includes taking regular breaks. These might be breaks of 30 seconds every five to ten minutes, or ten minute breaks every hour or so. Good coffee facilities are also useful. All these make the working environment so much better, leading to a happy and productive workforce.