13.6 Legal Aspects - PowerPoint PPT Presentation

Slides: 25
Provided by: AMcEll7

1
13.6 Legal Aspects
  • www.ICT-Teacher.com

2
Objectives
  • Corporate IT Security Policy
  • Understand the need for a corporate information
    system security policy and the rôle it would fill
    within an organisation.
  • Factors could include prevention of misuse,
    detection, investigation, procedures, staff
    responsibilities, disciplinary procedures.
  • Describe the content of a corporate information
    system security policy.
  • Describe methods of improving awareness of
    security policy within an organisation,
    cross-referencing to training and standards.

3
Objectives
  • Disaster recovery management
  • Describe the various potential threats to
    information systems, e.g. physical security,
    document security, personnel security, hardware
    security, communications security and software
    security.
  • Understand the concept of risk analysis.
  • Understand the commercial need to ensure that an
    information system is protected from threat.
  • Describe a range of contingency plans to
    recover from disasters and relate these to
    identified threats.
  • Describe the criteria used to select a
    contingency plan appropriate to the scale of an
    organisation and installation.

4
Corporate IT Security
  • Dependency on IT means the integrity and the
    safety of information kept is highly important.
  • Two kinds of threat to security are accidental
    and deliberate loss and damage.
  • Accidental: human error and natural disasters.
  • Deliberate: fraud, sabotage, arson and spying.
  • Threats to security come from within and from
    outside the organisation.
  • A Corporate IT Security Policy should be wide
    ranging enough to cover all eventualities.

5
IT Policy Statement
  • Covering the use of computers.
  • Users are to read it and sign their agreement to it.
  • Organisations may run training courses for new
    employees who use computers.
  • Courses cover the main Acts regarding the use of
    computers in organisations.
  • IT security implemented as a cornerstone of the
    organisation's management.

6
Prevention of Misuse
  • Not allowing users access to the Operating System
    and settings.
  • Not allowing key files to be deleted.
  • Allowing restricted use of the Internet, including
    filtering and firewalls.
  • Not allowing everyone access to the Internet and
    e-mail use.
  • Users need a user name and a password.
  • Users have access only to files they normally use
    in the course of their work.

7
Detection
  • Audit trails to discover where misuse has taken
    place and to identify the employee.
  • Specialist software that will identify an unusual
    request or unusual use and will flag a message to
    the security manager.
  • Software that allows the security manager to see
    who is working and who is playing.
  • A log of access can be saved to build a record of
    use about employees.
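As an added illustration of the audit trail and flagging described on this slide (and of the "access only to files they normally use" control on the Prevention of Misuse slide), the Python script below is not from the presentation or ICT-Teacher.com; the log format, user names, file names and office hours are constructed assumptions.

```python
# Added example (not from the slides): review a constructed audit trail and
# flag unusual use to the security manager, as the Detection slide describes.

# Files each employee normally uses in their work (constructed sample).
NORMAL_FILES = {
    "alice": {"/finance/invoices.xls", "/finance/ledger.xls"},
    "bob": {"/sales/orders.xls"},
}
WORK_HOURS = range(8, 19)  # assumed office hours, 08:00 to 18:59

# Constructed audit trail: timestamp user action file outcome
AUDIT_LOG = """\
2024-03-04T09:02:11 alice READ /finance/invoices.xls ALLOWED
2024-03-04T09:15:40 bob READ /sales/orders.xls ALLOWED
2024-03-04T09:21:03 bob READ /finance/ledger.xls DENIED
2024-03-04T22:47:19 alice DELETE /finance/ledger.xls ALLOWED
2024-03-04T23:05:55 bob COPY /hr/payroll.xls DENIED
"""

def parse_audit_log(text):
    """One dict per access record; the hour is taken from the ISO timestamp."""
    records = []
    for line in text.splitlines():
        ts, user, action, path, outcome = line.split()
        records.append({"ts": ts, "user": user, "action": action, "file": path,
                        "outcome": outcome, "hour": int(ts[11:13])})
    return records

def flag_unusual(records):
    """Alerts for the security manager, each with the reasons it was raised."""
    alerts = []
    for r in records:
        reasons = []
        if r["outcome"] == "DENIED":           # denied access is followed up
            reasons.append("access denied")
        if r["file"] not in NORMAL_FILES.get(r["user"], set()):
            reasons.append("file outside normal working set")
        if r["action"] in {"DELETE", "COPY"}:  # deletion or copying of data
            reasons.append("destructive or copying action")
        if r["hour"] not in WORK_HOURS:
            reasons.append("outside working hours")
        if reasons:   # keep the full record as evidence for investigation
            alerts.append((r["ts"], r["user"], r["file"], reasons))
    return alerts

if __name__ == "__main__":
    for ts, user, path, reasons in flag_unusual(parse_audit_log(AUDIT_LOG)):
        print(f"ALERT {ts} {user} {path}: {', '.join(reasons)}")
```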

8
Investigation
  • Use of software to investigate and gather
    evidence against a mis-user of the system.
  • Important to have proper evidence against someone
    accused to ensure fair treatment and keep good
    industrial relations.
  • In serious cases of misuse the employee could be
    disciplined, dismissed, or the police involved in
    very serious cases.

9
Procedures
  • User code of practice.
  • Prevention of access to files when not working on
    them.
  • Rotation of duties, staff have a variety of
    duties that change regularly.

10
Staff Responsibility
  • The organisation has many legal responsibilities,
    as well as being responsible for its staff.
  • Staff acting irresponsibly or illegally can
    affect the organisation, leaving it liable in
    law.
  • Staff have many legal responsibilities.
  • The organisation needs to ensure none of its
    staff are doing anything illegal.

11
Disciplinary Procedures
  • Procedures will be known by staff when they sign
    the IT Policy agreement.
  • For less serious misuse a spoken warning may be
    used first, followed by a written warning on a
    second occasion, followed by dismissal on a third
    occasion.
  • Very serious misuse, fraud, etc. may be followed
    up with a police investigation.

12
Contents of an IT Security Policy
  • The need for a security policy, nature of the
    files and data the organisation uses.
  • Policy objectives, keeping to the laws of the
    country, a framework for access to data and
    unauthorised use, and appropriate action against
    offenders.
  • Scope of the Policy, including contingency plans
    and disaster recovery.
  • Responsibility for security, managers and staff.
  • Implementation: how the policy will ensure
    security.

13
Implementation
  • Organisational and Procedural Security
  • Classification of data, confidential or free
  • System development by a team of workers
  • Recovery procedures in any failure
  • Disaster recovery and back up of files and data
  • Upgradability in the event of hardware or software changes
  • Legal procedures in line with the laws
  • Personnel controls where no one person has access
    and control of everything.

14
Implementation
  • Physical Security
  • From unauthorised access, accidental and
    deliberate damage, human and natural disasters
  • Restricted access to computers, to offices, to
    buildings
  • Use of equipment for organisational purposes
  • Security of data, maintenance of equipment,
    unattended use, fire prevention and detection,
    disposal of printed information.

15
Implementation
  • Logical Security
  • Access controls to data and programs through user
    identity, user passwords, terminal controls, and
    following up where access was denied.
  • Network Security
  • Again access controls, against hacking and
    tapping.
  • Data and Program Integrity
  • Accuracy, up-to-date, completeness of data,
    unauthorised copying of programs and data.

16
Disaster Recovery Management
  • Knowing and managing:
  • what possible threats there are to the system,
  • the chances of them happening,
  • and the measures put in force to minimise
    these chances.
  • Sources of threats are both internal and external.
  • A plan in force to recover and return to normal
    operations in the event of systems failure.

17
The Threats
  • Viruses
  • Hacking
  • Fraud
  • Theft
  • Sabotage
  • Blackmail
  • Espionage
  • Terrorism
  • Vandalism
  • Fire, Flood, Earthquake
  • Power failure
  • Gas leaks
  • Machine breakdown
  • Communications cut
  • Cabling failure
  • Software crash
  • Software failure

18
The Plan
  • To ensure operations continue to run after the
    following disasters:
  • Loss of computer equipment
  • Loss of services
  • Loss of employees
  • Loss of support services
  • Loss of communications
  • Loss of data and programs

19
Contingency Plan
  • A contingency plan is about ensuring the managers
    of an organisation know what to do in the event
    of a disaster.
  • The IT system if lost could mean the organisation
    or business collapses.
  • Downtime is the time an organisation runs
    without its IT system; the shorter the downtime,
    the greater the chance of full recovery after a
    failure.

20
Back Up
  • Regular back up copies of data files and
    software.
  • Back up copies to be tested on different
    computers to see if they work.
  • These copies must be kept in a secure area from
    fire, flood and theft.
  • Can be kept in a different site.
  • Plan of duties for staff to implement the program
    of recovery.

21
Risk Analysis
  • Employees need to be aware of the security
    threats and the consequences of systems failure.
  • Managers to be aware of the value of the
    resources, the possible risks, and chances of
    their occurrence.

22
Consequences
  • Cash flow, bills not processed.
  • Uninformed decisions due to loss of MIS.
  • Problems with customers going to competitors and
    with suppliers' goodwill.
  • Production and services disrupted and late.
  • No proper stock control, too little or too much.

23
Physical Security
  • Protection of computers and software by secure
    areas, restricting access to the equipment.
  • Secure buildings with authorised access only; if
    breached, the computers are locked in rooms.
  • Access to rooms gained by passes / keys.
  • Access to computers gained by unlocking them.

24
Security
  • Security by only allowing certain staff access by
    user identities and individual passwords.
  • Certain files are Read Only for some staff.
  • Staff must use a smart card to use the keyboard.
  • Documents and prints locked away, and shredded
    when finished with.
  • Communication channels encrypted.