Security of Data - PowerPoint PPT Presentation

Slides: 20
Provided by: grah123

Transcript and Presenter's Notes

Title: Security of Data


1
Security of Data
2
Issues of privacy
  • Everyone has a right to privacy: the right not
    to have details about our lives held or
    circulated without our knowledge.
  • Data of a personal nature are regularly collected
    by numerous different organisations, for
    example:
  • Employers hold personnel records that include
    data on:
      • address, age, qualifications, salary, sick leave,
        dependents and so on
  • Stores hold details on:
      • credit card payments, account history, items
        purchased
  • Banks hold details on:
      • salary, income and withdrawals, direct debits to
        various organisations
  • Insurance companies hold details of:
      • property, cars, accidents, claims and health.

3
Information systems depend on
  • Data integrity
      • The correctness of the data. Data held in a
        computer system may become incorrect, corrupted
        or of poor quality in many different ways and
        at many stages during data processing:
          • Errors on input
          • Errors in operating procedure
          • Program errors
  • Data security
      • The safety of the data. Data is vulnerable to:
          • Theft
          • Accidental or malicious destruction

4
Increasing data integrity
  • Standard clerical procedures may be documented
    and followed for both input and output.
  • Input
      • Data entry must be limited to authorised
        personnel only
      • In large volume data entry, data may be verified
        (keyed in twice by different operators) to guard
        against keying errors
      • Data control totals must be used wherever
        possible to verify the completeness and accuracy
        of the data, and to guard against duplicate or
        illegal entry
  • Output
      • All output should be inspected for reasonableness
        and any inconsistencies investigated
      • Printed output containing sensitive information
        should be shredded after use
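
The control-total check from the Input bullets above, as an added example (not part of the original slides). It goes beyond the slide by also checking a record count and a hash total, the usual companions of a control total; the field names and sample batch are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Entry:
    account_no: int   # keyed field, summed into the hash total
    amount: Decimal   # monetary field, summed into the control total

@dataclass(frozen=True)
class BatchHeader:
    record_count: int       # number of source documents in the batch
    control_total: Decimal  # sum of amounts, added up by hand before keying
    hash_total: int         # sum of account numbers (no meaning, purely a check)

def check_batch(header, entries):
    """Return a list of discrepancies; an empty list means the batch balances."""
    problems = []
    if len(entries) != header.record_count:
        problems.append(f"record count {len(entries)} != {header.record_count}")
    total = sum((e.amount for e in entries), Decimal("0"))
    if total != header.control_total:
        problems.append(f"control total {total} != {header.control_total}")
    hashed = sum(e.account_no for e in entries)
    if hashed != header.hash_total:
        problems.append(f"hash total {hashed} != {header.hash_total}")
    seen = set()
    for e in entries:
        if e in seen:  # identical account and amount: flag for investigation
            problems.append(f"duplicate entry for account {e.account_no}")
        seen.add(e)
    return problems

# Constructed sample batch: three documents, totals prepared before keying.
HEADER = BatchHeader(record_count=3, control_total=Decimal("425.50"), hash_total=3006)
GOOD = [Entry(1001, Decimal("100.00")),
        Entry(1002, Decimal("250.50")),
        Entry(1003, Decimal("75.00"))]
# Keying errors the totals should catch:
TRANSPOSED_ACCOUNT = [Entry(1010, Decimal("100.00"))] + GOOD[1:]
MISKEYED_AMOUNT = [GOOD[0], Entry(1002, Decimal("205.50")), GOOD[2]]
KEYED_TWICE = GOOD + [GOOD[0]]

if __name__ == "__main__":
    for name in ("GOOD", "TRANSPOSED_ACCOUNT", "MISKEYED_AMOUNT", "KEYED_TWICE"):
        print(name, check_batch(HEADER, globals()[name]))
```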

5
Increasing data security
  • Write-protecting disks
  • User IDs and passwords
  • Access rights
  • Counteracting fraud
  • Protecting against viruses
  • Communications security
  • Disaster planning

6
User Ids and passwords
  • Usually give access rights to systems
  • Passwords must be at least 6 characters
  • Password display must be automatically suppressed
  • Files containing passwords must be encrypted
  • Passwords should be:
      • Kept confidential
      • Not written down
      • Not easily guessed words
      • Changed regularly, at least every 3 months

7
Access Rights
  • In most systems it is not usually necessary for
    any individual user to have access to all data on
    a database
  • Passwords will hold details of access modes:
      • Read-Only
      • Read/Write
      • No Access
  • Data may only be accessible at certain times
  • This ensures that users will only have access to
    records that they are allowed to see, and may only
    modify records if they are authorised to do so.

8
Counteracting Fraud
  • Fraud, malicious damage, or theft of software or
    data, may be due to disgruntled employees. To
    counteract this:
      • Careful vetting of prospective employees
      • Immediate removal of staff who are sacked or
        resign, and cancellation of their passwords
      • Separation of duties
      • Prevention of unauthorised access: cards, badges
        and locks
      • Passwords
      • Education of staff: challenge strangers, log off
        when not at terminal
      • Install security software and appoint staff to
        audit use of system

9
Protection against viruses
  • New software should be in tamper-proof packages
  • Disallow use of floppy diskettes to import/export
    software
  • Use anti-virus software to:
      • Check all floppy disks before use
      • Scan emails before they are accepted
  • Disallow email attachments

10
Biometric measures
  • Biometric methods do not depend upon passwords.
    They use biological features to identify users:
      • Fingerprint recognition
      • Voice recognition
      • Face recognition
      • Infra-red scans to examine pattern of blood
        vessels
      • Iris recognition technology

11
Communications security
  • Telecommunications systems are vulnerable to
    hackers
  • They use various methods to gain knowledge of
    user IDs and passwords.
  • One method to combat this is to use a callback
    system.
      • On receipt of a call from a remote user, the host
        computer will automatically call back on a
        prearranged number to verify access authority
        before allowing log on.
  • Data encryption can also be used to scramble
    highly-sensitive data

12
Disaster Planning
  • If companies fail to plan for computer failure,
    through whatever cause, the consequences can be
    ruinous:
      • Loss of business
      • Loss of credibility
      • Cashflow problems
      • Reduced service standards to customers
      • Loss of production
  • Large companies have comprehensive plans,
    allowing them to be up and running within days of
    major catastrophes. Plans are often managed by
    specialist firms
  • Smaller companies can survive with less
    sophisticated systems, but some backup system is
    vital

13
Backup strategies
  • Periodic Backups - copy files regularly and keep
    them in a safe place
  • Weaknesses include:
      • All updates to a file since last backup may be
        lost
      • System may need to be shut down
      • Can be extremely time-consuming
      • When failure occurs, recovery can be even more
        time-consuming
  • A benefit is that files which have become
    fragmented can be reorganised to occupy
    contiguous space when restored, resulting in
    quicker access
  • Storage is crucial: fire-proof safe on-site plus
    a copy taken off-site.

14
Backup strategies
  • Simplest for small business:
      • Back up entire hard disk at end of each day
      • Can consider just backing up data files and only
        copying software programs when they change
  • Alternatively, if huge quantities of data are
    involved, backup can be reduced by only backing
    up those files which have changed since the last
    back-up. This is known as an incremental
    backup. This requires special software.

15
Backup hardware
  • Small quantities
      • Removable disks such as Zip drives. Unit cost
        less than 100, and diskettes hold 250Mb.
  • Larger quantities
      • Magnetic tape is usually used. Low-cost drives
        can store large amounts of data (2-8 Gb) on
        very small cartridges.
  • Rewriteable optical disk drive costs around 250
    and holds about 650Mb
  • RAID (Redundant Array of Inexpensive Disks)

16
Backing-up on-line databases
  • Database is being constantly updated. Back-up
    methods include:
  • Transaction Logging
      • Information about every transaction is recorded
        on a separate transaction file.
      • If the system fails, files can be restored and then
        updated from the transaction file to reflect the
        position immediately before the failure
  • RAID (Redundant Array of Inexpensive Disks). This
    technology enables data to be written
    simultaneously to several disks.
  • Three copies of a database may be held: two
    locally and one on a remote system. If one system
    fails, then data can still be used on either of
    the other two.
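
The restore-then-update recovery described under Transaction Logging, as an added example (not part of the original slides). The one-JSON-record-per-line log format, the sequence numbers and the "set"/"delete" operations are assumptions made for the illustration; the backup and log are constructed sample data.

```python
import json

def apply_txn(db, txn):
    """Apply one logged transaction to the restored table (key -> value)."""
    if txn["op"] == "set":
        db[txn["key"]] = txn["value"]
    elif txn["op"] == "delete":
        db.pop(txn["key"], None)
    else:
        raise ValueError(f"unknown op {txn['op']!r}")

def recover(backup, backup_seq, log_lines):
    """Restore the backup copy, then roll forward from the transaction file.

    backup_seq is the sequence number of the last transaction already
    contained in the backup. Returns (database, last sequence applied).
    """
    db = dict(backup)
    last_seq = backup_seq
    for i, line in enumerate(log_lines):
        try:
            txn = json.loads(line)
        except json.JSONDecodeError:
            if i == len(log_lines) - 1:
                break  # torn final record: the failure interrupted this write
            raise ValueError(f"corrupt record at log line {i + 1}")
        if txn["seq"] <= backup_seq:
            continue  # already reflected in the backup copy
        if txn["seq"] != last_seq + 1:
            raise ValueError(f"gap in log: expected {last_seq + 1}, got {txn['seq']}")
        apply_txn(db, txn)
        last_seq = txn["seq"]
    return db, last_seq

# Constructed sample: backup taken after transaction 2, failure during 6.
BACKUP = {"A": 100, "B": 50}
BACKUP_SEQ = 2
LOG = [
    '{"seq": 1, "op": "set", "key": "A", "value": 100}',
    '{"seq": 2, "op": "set", "key": "B", "value": 50}',
    '{"seq": 3, "op": "set", "key": "A", "value": 80}',
    '{"seq": 4, "op": "set", "key": "C", "value": 20}',
    '{"seq": 5, "op": "delete", "key": "B"}',
    '{"seq": 6, "op": "set", "key": "C", "va',
]

if __name__ == "__main__":
    print(recover(BACKUP, BACKUP_SEQ, LOG))
```

A missing record in the middle of the log stops the recovery instead of silently producing a database that never existed.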

17
Factors in back-up strategy
  • What to back up?
  • How often?
  • What medium to use?
  • Where to store the backups?
  • Who will do them?

18
Recovery procedures
  • Keeping backups safe - backup copies need to be
    kept:
      • in a fireproof safe
      • preferably offsite
  • How long should you keep backups for? A typical
    strategy is to:
      • Keep the daily backups for a week
      • Keep Friday's backup for a month
      • Keep one backup each month for a year
  • To prevent mix-ups, give each tape or disk a
    serial number and keep a log book.
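
The retention strategy above, as an added example (not part of the original slides). It assumes "a week" means 7 days, "a month" 31 days and "a year" 365 days, and that the monthly copy is the last backup taken in each calendar month; the dates are constructed sample data.

```python
from datetime import date, timedelta

FRIDAY = 4  # date.weekday(): Monday is 0

def backups_to_keep(backup_dates, today):
    """Return the sorted backup dates the daily/Friday/monthly rules retain."""
    keep = set()
    last_in_month = {}  # (year, month) -> latest backup date seen in that month
    for d in sorted(backup_dates):
        age = (today - d).days
        if age < 0:
            continue  # dated in the future: ignore rather than guess
        if age < 7:
            keep.add(d)  # daily backups for a week
        if d.weekday() == FRIDAY and age <= 31:
            keep.add(d)  # Friday's backup for a month
        if age <= 365:
            last_in_month[(d.year, d.month)] = d  # one per month for a year
    keep.update(last_in_month.values())
    return sorted(keep)

def backups_to_recycle(backup_dates, today):
    """Tapes or disks that may be reused; record each one in the log book."""
    kept = set(backups_to_keep(backup_dates, today))
    return sorted(d for d in backup_dates if d not in kept)

# Constructed sample: one backup per day for 400 days, ending on a Friday.
TODAY = date(2024, 6, 14)
DAILY = [TODAY - timedelta(days=n) for n in range(400)]

if __name__ == "__main__":
    for d in backups_to_keep(DAILY, TODAY):
        print(d.isoformat(), d.strftime("%a"))
```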

19
Recovery procedures
  • Testing recovery procedures
      • Effectiveness of backup procedures needs to be
        tested on a regular basis
      • This will ensure that a business can recover from
        a disaster
  • An additional contingency plan needs to be developed to
    consider:
      • Alternative compatible equipment and security
        facilities.
      • This may include temporary office space
      • Provision of alternative communications links.
  • These facilities are usually insured against by
    most sensible companies.