ICT+Security+Policies

=Threats= Threats can come from many areas the most common ones are:
 * Viruses
 * Hacking
 * Deliberate abuse by staff
 * Natural disasters e.g. flood, earthquakes, lightning strikes etc.
 * Fire
 * Theft
 * Faulty Hardware or software

Consequenses of losing data
The main consequences of losing important data are:
 * Loss of business income - The company will lose details of customers so the company does not know that the customer has placed an order.
 * Loss of reputation - The organisations will not look good if they lose customer data and cannot look after it properly.
 * Legal Action - By law the organisation has to keep personal data safe.

=Factors to take into account when designing security policies=

Prevention of misuse

 * Physical Methods -
 * Controlling access to the room e.g. keypads, biometric devises
 * Controlling access to the building e.g. security guards
 * Security cameras
 * Software Methods
 * Using log-ins and passwords
 * Levels of access
 * Audit trails - Allow record of the data that has been changed and:
 * Who has changed it
 * When it was changed
 * What changes were made

Firewalls Procedures for Preventing Misuse & the Spread of Viruses
 * System Access
 * System access controls ensure the the data the organisation has is controlled in some way
 * Log-in procedures ensure everyone has a username and password
 * Access Rights
 * Read Only - Cannot alter the data
 * Read/Write - Can read data aswell as altering it
 * Append - Add new records but unable to alter existing records
 * No Access - Cannot open the file
 * Firewall is either hardware or software that works in a network to prevent communication that is not allowed from one network to another.

Disaster Recovery Plan

Back Up and Recovery

Risk Analysis
 * Exam Questions**

Some ICT applications use software which maintains an audit trail. Exaplain what an audit trail does and state why this facility is necessary (4 marks)

An audit trail keeps a record of any data that has been changed as well as who changed it, what changes were made and when it was changed. This facility is necessary because many transaction occur using ICT systems without paperwork being generated, and so an audit trail is the only viable way to keep track of changes and transaction in that system. An organization my need to view the audit trail if there is a problem with a document, e.g. a virus has been introduced. The audit trail will show who and when made this addition and caused the problem. [Mikeyyy :o)] Mike, this is a good answer, for which you would be awarded 3/4 marks. Can anyone see how you could get the final mark?

State five threats to an ICT system and for each one explain how the risk of occurrence can be reduced (5 marks)

Fire - Keep an external backup of all data, to be kept off site in a fireproof safe. Viruses - Use of good anti-virus software, which is updated regularly. Theft - Keep the access windowns and doors to the rooms containing ICT equipment locked and the presence of CCTV cameras would also be a benefit. Deliberate abuse by staff - Ensure that staff only have access to data at their level, which reduces the amount of data they can alter. Also keep a backup of all data & an audit trail. Hacking - Password protect all computer system and ensure the presence of a complex security system including a firewall. Data could also be encrypted to make it meaningless to any potential hacker. [Mikeyyy :o)] Mike, again, a good answer. These are 5 obvious threats and you have given a (brief) explanation of how the risk could be reduced. If this was in full sentences, as I know you will do in the exam, you would get 5/5. Explain what is meant by risk analysis and give an example of how an organsiation would go about producing one (4 marks)