SECURITY

• Of the five basic elements of an Information System, DATA is our main concern in relation to security practices.

• Monitoring and controlling its flow of information deals particularly with the storage, retrieval and communication phases of information processing.

• It is the procedures and equipment that are used in these phases that is under scrutiny when looking at enhancing the security of your system.

Why protect and guard data?

• Data is processed into information and information keeps all parts of an organisation informed and running smoothly.

• Information is an asset. It can be bought, sold, stolen, eradicated and modified. It has value.

How is value put on information?

• REPLACEMENT COST • How much would it cost to replace the

information?

• What repercussions will the loss have on the business?

• SENSITIVE NATURE • Exposure of client details could cause a loss of

goodwill for the company and harm those involved.

• Such information is deemed “sensitive”.

• CONTEXT• It is difficult to put value on information since

the value can change when a new policy is constructed.

• The same data can have a higher value to one user than to another.

• LEGAL• Some data must remain unchanged for a given

number of years, due to legal requirements. Receipts, invoices, bill and tax data must be kept for 5 years.

Data Collection Methods

• DATA WAREHOUSING: a term that now applies to large organisations that accumulates databases and accounting details of clients.

• Storage must contain accurate and complete data in order for data mining to take place.

• DATA MINING: a term that refers to the analysis of data within a warehouse (a hard disk or a server).

• Specialists will examine the data for trends in purchasing or trading among certain businesses

• DATA CREEP: This refers to the process of data being gathered and then used for other purposes.

• The information produced from the data is of use to managers for operational decisions, tactical decisions and strategic decisions.

• Thus all organisations must decide what data is valuable and why.

Limiting access to data

Access Control Methods• Doors with locks

• Restricted access to the room that houses the server and access to the server is password protected

• Backup tapes, disks ( CDR, CDRW, ZIP ) are locked away

• Original software CD’s or disks are locked away

• Shredder

Authentication and Identification Methods

• IDENTIFICATION – the method of saying to the organisations that you are a member of that organisation. Eg by username

• AUTHENTICATION – the manner in which an individual establishes the validity of their identity.

There are 3 methods of authentication.

• Something you know eg a combination to a lock, PIN

• Something you possess eg a swipe card, smart card

• Something you are eg fingerprint, voice pattern

Password procedures

• Length: password choices must be at least 6 keystrokes and alphanumeric

• Selection: Password cracking dictionaries will analyse passwords as they are passed to the server

• Ageing: users need to change their passwords at regular intervals. Eg of a decent password: aL1Cb#2R2aD

Equipment employed to limit access

• Biometrics – Finger printing, iris scanning, voice recognition, face recognition and palm prints arc the main biometrics.

• Biometrics is strong because the identification method is part of the individual. Ie it can’t be stolen easy.

Limitations of Biometrics• Iris Scanning – terrifies people when they learn

a ‘laser’ beam is used to scan iris. People with physical disorders eg Parkinson’s Disease, can’t hold their head still, for long enough to take the scan.

• Voice Recognition – common cold could change the voice quality.

• Fingerprints – can be duplicated – although it’s hard to do

Procedures to enhance security of dataNetwork Level security procedures:• Network software can hide or restrict access to

groups of users or individual users.

• It can allow users viewing rights to files and directories, editing rights to given files and delete rights.

Storage security procedures• Storage includes the use of company –

accepted file names and areas of storage.

Backup Methods as Security

• What files are backed up? (How important are they? Critical, important, Routine? )

• How often are they backed up? Every 20 minutes at places like casinos or once a day?

• What method?

• On what medium?

Backup Hardware

• A UPS is an Uninterruptible Power Supply, which is a deep discharge battery that can keep the power on for a given period of time.

• Other backup hardware: Magnetic tape cartridges, CD-R, CD-RW, zip disk, etc.

Communication procedures

• Companies communicate their information in-house by printer, monitor, e-mail, and fax phone.

• It’s very easy for information to get lost, damaged or stolen by careless procedures.

• Users must be educated never to leave workstations unattended or leave important information on the monitor, in printer trays or fax trays.

Encryptions

There are 2 types

• Single Key Encryption: Documents can be sent safely over a network, etc when they’re encrypted first.

• Simple one-way encryption is by the use of password protection. The same password is used to read the document upon receipt.

• Public Key Encryption – this method requires a public key and a private key.

• The public key is given to those who wish to send files, and a private key is used to decrypt the sent files.

• The private key is controlled by one person and is not transmitted is any form.

Stenography• This is another method used to secure contents

of documents.

• Using specialised software, text files are hidden inside larger, inconspicuous files such jpg and wav files.

• The data bits in the text file replace the least significant data bits in the larger file, The larger file will be altered but the differences will be negligible to the human eye.