Unit 2 Fundamentals of IT, LO 6: Understand Principles of Information Security, Cambridge Technicals in IT@ WQE
Sections 6.1, 6.2, 6.3 Book 1 of 3 Page 1 of 4
LO6: Understand the principles of information security
6.1 Principles of information security, i.e.:
• confidentiality – information can only be accessed by
individuals, groups or processes authorised to do so
• integrity – information is maintained, so that it is up to
date, accurate, complete and fit for purpose
• availability – information is always available to and
usable by the individuals, groups or processes that need
to use it
Learners should know about the aims of information security for holders of information.
6.1 Principles of information security
1. Confidentiality
• Legal requirement under the Data Protection Act 1994
• Physical measures e.g. keeping data in a lockable cupboard
• Electronic measures e.g. restricting access to a computer network holding data using a hierarchy of access rights. In a surgery:
  • A doctor will have full read/write access to patient records
  • A nurse will
  • An admissions clerk
2. Integrity
• Legal requirement to maintain data under the Data Protection Act 1998
• Inaccurate data can lead to false conclusions based on false information or time being wasted on phone calls to numbers that no longer exist or are no longer relevant
• Organisations need a planned pattern of data maintenance:
  • Check the data regularly e.g. email customers to verify their details are correct
  • Report when data is incorrect by passing that detail on to someone in charge e.g. a tutor tries to phone a parent at home but the telephone number is wrong – there should be a system in place so that the error is reported and corrected.
3. Availability
Data should be available to those who need it and in a format that they can use and this data should
be kept safe from unauthorised access.
Q1. Explain how the concepts of confidentiality, integrity and availability impact on holders of
information.
…………………………………………………………………………………………………………..
……………………………………………………………………………………………………….....
………………………………………………………………………………………………………....
…………………………………………………………………………………………………………..
……………………………………………………………………………………………………….....
Name:
If data is not easily accessible, users may decide to make their own copies. This is a security risk – the more copies of data there are, the harder the data is to protect, and that data may be modified so we could end up with inconsistent data.
6.2 Risks, i.e.:
• unauthorised or unintended access to data (e.g. espionage, poor information security policy)
• accidental loss of data (e.g. human error, equipment failure)
• intentional destruction of data (e.g. computer virus, targeted malicious attack)
• intentional tampering with data (e.g. fraudulent activity, hacking)
This should lead to an understanding of the risks of breaches in information security and their impact on holders of information.
6.2 Risks
Unauthorised or unintended access to data
Unauthorised access – people accessing data that they should not see or use.
Reason – Espionage (to gain an advantage over the information holder). Blackmail.
Accidental access – e.g. someone finding a discarded printout containing sensitive data or an employee seeing data on a screen in a public area.
Impacts – A competitor may gain an advantage from seeing it. Infringement of the Data Protection Act 1998 if it includes loss of personal data.
Accidental Loss of Data
Refers to the loss of the data itself, rather than the loss of a copy or version of the data, i.e. the loss of a printout would not result in a loss of the source of that data.
• Human error – someone could delete a file or discard some paperwork accidentally
• Technical error – an equipment fault could result in the loss of data e.g. a hard disk crash could result in a loss of data if it is not backed up
(NB the organisation will have breached the Data Protection Act 1998 if the lost data included personal information & would be liable to prosecution.)
Intentional Destruction of Data
This is when someone wants to harm the organisation that holds the data. Examples:
• Computer viruses that delete or encrypt data
• A targeted attack that involves a third party accessing the data & deleting it.
Impacts of losing the data
1. Replace the data – which could result in a loss of reputation and trust & costs money
2. Ignore the loss – could have a negative future impact
3. Failure to comply with the Data Protection Act 1994 – if personal data could result in prosecution
November 2016
All of those hit by the cyberattack were fully reimbursed within a few days and all systems returned
to normal. No personal data was stolen.
Intentional Tampering with Data
This is deliberately changing data in some way e.g. a student may wish to change their exam score
and so access a teacher’s laptop. An organisation may wish to change a rival company’s research.
6.3 Impacts of Losing Data to an Organisation
6.3 Impacts, i.e.:
• loss of intellectual property
• loss of service and access
• failure in security of confidential information
• loss of information belonging to a third party
• loss of reputation
• threat to national security
• recent cases of failures of information security
Loss of Intellectual Property
Intellectual property is anything that has been created by an individual, e.g. a written report, a design for a new machine, a piece of artwork, a song, a program etc.
Loss of Service and Access
A hacker who accesses vital log-on information could use services that you have purchased which
could result in a total loss of your own service. E.g. a hacker accessing your wi-fi log-on passwords
could annoy you by reducing the bandwidth but could also change your password so the wi-fi will be
inaccessible in the future.
A lost wi-fi password may be easy to fix at home but an organisation would have to contact a third party and the system would be unusable until the change has been made. Worse still, if passwords were stolen internally there could be a total loss of that system.
How do you feel about this? Is it to be expected these days/shocking?
Impacts of tampering with data
1. Any decisions based on that data would be flawed.
2. A negative effect on the reputation of that organisation as they are seen as having poor security
Failure in security of confidential information
If data is not kept securely, it is accessible to others – if that data is confidential then that will result
in a loss of confidential data.
Loss of Information belonging to a third party
An attack on a business’s servers not only impacts that business but also any other business or
individual it holds data for. Data in the cloud is owned by other businesses so, if the organisation
that loses the data provides cloud storage, the data lost will belong to third parties.
Loss of Reputation
If an organisation fails to keep data safe, they have failed to meet their legal and moral obligations
so they will be viewed negatively by many customers and potential customers, leading to lost sales
and a drop in income.
Threat to National Security
A threat to national security is a direct physical threat to a country. However, it could also be a threat to the financial security of the state. Therefore, any data or information stolen could be a threat to national security.
Recent cases of Failures of Information Security
Student Activity (15 mins): Research a recent failure of information security (you will tell the class of your findings) and complete the table below, which focuses on 4 aspects:
Name of The Organisation/Business: ……………………………………………………….
• The cause of the failure
• The impact of the failure on the business or organisation involved
• The impact of the failure on members of the public
• Any action taken by the organisation to reduce the chance of the failure happening again
Q3. Explain two ways in which unauthorised access to information may impact on the holders of
information.
(i)………………………………………………………………………………………………………..
…………………………………………………………………………………………………………..
(ii)……………………………………………………………………………………………………….
…………………………………………………………………………………………………………..
