13.6 Legal Aspects
www.ICT-Teacher.com

Objectives
• Corporate IT Security Policy:
• Understand the need for a corporate information system security policy and the role it would fill within an organisation.
• Factors could include prevention of misuse, detection, investigation, procedures, staff responsibilities and disciplinary procedures.
• Describe the content of a corporate information system security policy.
• Describe methods of improving awareness of the security policy within an organisation, cross-referencing to training and standards.

Objectives
• Disaster recovery management:
• Describe the various potential threats to information systems, e.g. physical security, document security, personnel security, hardware security, communications security and software security. Understand the concept of risk analysis.
• Understand the commercial need to ensure that an information system is protected from threats. Describe a range of contingency plans to recover from disasters and relate these to the identified threats.
• Describe the criteria used to select a contingency plan appropriate to the scale of an organisation and its installation.

Corporate IT Security
• Dependency on IT means that the integrity and safety of the information an organisation keeps are highly important.
• Threats to security fall into two groups: accidental and deliberate loss or damage.
• Accidental: human error and natural disasters.
• Deliberate: fraud, sabotage, arson and spying.
• Threats to security come from both inside and outside the organisation.
• A corporate IT security policy should be wide-ranging enough to cover all eventualities.

IT Policy Statement
• Covers the use of computers.
• Users are required to read it and sign their agreement to it.
• Organisations may run training courses for new employees who use computers.
• Courses cover the main Acts regarding the use of computers in organisations.
• IT security is implemented as a cornerstone of the organisation's management.
Prevention of Misuse
• Not allowing users access to the operating system and its settings.
• Not allowing key files to be deleted.
• Restricting use of the Internet by means of filtering and firewalls.
• Not allowing everyone access to the Internet and e-mail.
• Users need a user name and a password.
• Users have access only to the files they normally use in the course of their work.

Detection
• Audit trails, to discover where misuse has taken place and to identify the employee responsible.
• Specialist software that identifies an unusual request or unusual use and flags a message to the security manager.
• Software that allows the security manager to see who is working and who is playing.
• A log of access can be saved to build up a record of use for each employee.

Investigation
• Use of software to investigate and gather evidence against a misuser of the system.
• It is important to have proper evidence against anyone accused, to ensure fair treatment and keep good industrial relations.
• In serious cases of misuse the employee could be disciplined or dismissed, and in very serious cases the police could be involved.

Procedures
• A user code of practice.
• Prevention of access to files when the user is not working on them.
• Rotation of duties: staff have a variety of duties that change regularly.

Staff Responsibility
• The organisation has many legal responsibilities, as well as being responsible for its staff.
• Staff acting irresponsibly or illegally can affect the organisation, leaving it liable in law.
• Staff also have many legal responsibilities of their own.
• The organisation needs to ensure that none of its staff are doing anything illegal.

Disciplinary Procedures
• Staff are made aware of the procedures when they sign the IT policy agreement.
• For less serious misuse a spoken warning may be used first, followed by a written warning on a second occasion and dismissal on a third.
• Very serious misuse, fraud and the like may be followed up with a police investigation.
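The Detection slide above describes audit trails and software that flags unusual use to the security manager. The following is an added example, not part of the original slides, of what such a check over an audit trail can look like. The log format, the user and file names, the "normal working set" per user, the working-hours window and the denial threshold are all constructed for illustration; a real system would take the working set from the access-control configuration described under Prevention of Misuse.

```python
"""Audit-trail review of the kind the Detection slide describes.

Added example (not from the original slides). Log format, file names and
user names are constructed for illustration. Three checks are applied:
  1. access to a file outside the user's normal working set,
  2. access outside the user's normal working hours,
  3. repeated access denials (someone probing for files they cannot open),
which is the "following up where access was denied" of the Logical
Security slide.
"""
from collections import Counter
from datetime import datetime

# Constructed audit-trail lines: timestamp, user, action, object, outcome.
AUDIT_LOG = """\
2024-03-04T09:02:11 alice OPEN  /data/sales/q1.xlsx       OK
2024-03-04T09:15:40 alice OPEN  /data/sales/forecast.xlsx OK
2024-03-04T10:01:05 bob   OPEN  /data/hr/payroll.xlsx     OK
2024-03-04T22:47:19 bob   OPEN  /data/hr/payroll.xlsx     OK
2024-03-04T11:03:55 alice OPEN  /data/hr/payroll.xlsx     DENIED
2024-03-04T11:04:02 alice OPEN  /data/hr/salaries.xlsx    DENIED
2024-03-04T11:04:09 alice OPEN  /data/hr/contracts.docx   DENIED
2024-03-04T11:05:30 alice COPY  /data/sales/q1.xlsx       OK
2024-03-04T14:20:00 carol OPEN  /data/finance/ledger.xlsx OK
"""

# Files each user normally uses in the course of their work (constructed).
NORMAL_FILES = {
    "alice": {"/data/sales/q1.xlsx", "/data/sales/forecast.xlsx"},
    "bob": {"/data/hr/payroll.xlsx"},
    "carol": {"/data/finance/ledger.xlsx"},
}
WORK_HOURS = (8, 18)     # 08:00 to 18:00 counts as normal working time (assumed)
DENIAL_THRESHOLD = 3     # this many denials from one user raises an alert (assumed)


def parse_audit_log(text):
    """Parse whitespace-separated audit lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "outcome": outcome})
    return events


def review_audit_trail(events, normal_files=NORMAL_FILES):
    """Return a list of (user, reason, detail) alerts for the security manager.

    Denied requests are counted per user; successful accesses are checked
    against the user's working set and against working hours.
    """
    alerts = []
    denials = Counter()
    for ev in events:
        user, obj = ev["user"], ev["object"]
        if ev["outcome"] == "DENIED":
            denials[user] += 1
            if denials[user] == DENIAL_THRESHOLD:
                alerts.append((user, "repeated access denials",
                               f"{DENIAL_THRESHOLD} denials"))
            continue
        if obj not in normal_files.get(user, set()):
            alerts.append((user, "access outside normal working set", obj))
        hour = ev["time"].hour
        if not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
            alerts.append((user, "access outside working hours",
                           ev["time"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in review_audit_trail(parse_audit_log(AUDIT_LOG)):
        print(*alert)
```

On the constructed log this raises two alerts: bob's late-evening access to the payroll file, and alice's run of three denied attempts on HR files. Note that alice's denied attempts are never simply dropped; a denial means the access control worked, but a pattern of denials is exactly the "unusual request" the slide says should be flagged, and the audit record is the evidence the Investigation slide calls for.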
Contents of an IT Security Policy
• The need for a security policy, and the nature of the files and data the organisation uses.
• Policy objectives: keeping to the laws of the country, a framework for access to data and for dealing with unauthorised use, and appropriate action against offenders.
• Scope of the policy, including contingency plans and disaster recovery.
• Responsibility for security: managers and staff.
• Implementation: how the policy will ensure security.

Implementation
• Organisational and procedural security:
– Classification of data (e.g. confidential or freely available);
– System development carried out by a team of workers;
– Recovery procedures for any failure;
– Disaster recovery and backup of files and data;
– Upgradability in the event of hardware or software changes;
– Legal procedures in line with the laws;
– Personnel controls so that no one person has access to and control of everything.

Implementation
• Physical security:
– Protection from unauthorised access, accidental and deliberate damage, and human and natural disasters;
– Restricted access to computers, offices and buildings;
– Use of equipment for organisational purposes only;
– Security of data, maintenance of equipment, unattended use, fire prevention and detection, and disposal of printed information.

Implementation
• Logical security:
– Access controls on data and programs through user identities, user passwords and terminal controls, with follow-up wherever access was denied.
• Network security:
– Again access controls, this time against hacking and tapping of communications.
• Data and program integrity:
– Accuracy, currency and completeness of data, and prevention of unauthorised copying of programs and data.

Disaster Recovery Management
• Knowing and managing:
– what possible threats there are to the system,
– the chances of them happening,
– and the measures put in place to minimise these chances.
• Threats come from both internal and external sources.
• A plan in place to recover and return to normal operations in the event of a systems failure.
The Threats
• Deliberate: viruses, hacking, fraud, theft, sabotage, blackmail, espionage, terrorism, vandalism.
• Accidental and failures: fire, flood, earthquake, power failure, gas leaks, machine breakdown, communications cut, cabling failure, software crash, software failure.

The Plan
• To ensure that operations continue to run after the following disasters:
– Loss of computer equipment
– Loss of services
– Loss of employees
– Loss of support services
– Loss of communications
– Loss of data and programs

Contingency Plan
• A contingency plan ensures that the managers of an organisation know what to do in the event of a disaster.
• Loss of the IT system could mean that the organisation or business collapses.
• Down time is the time an organisation runs without its IT system; the shorter the down time, the greater the chance of full recovery after a failure.

Back Up
• Regular backup copies of data files and software.
• Backup copies are to be tested by restoring them on different computers, to confirm that they actually work.
• These copies must be kept in a secure area, protected from fire, flood and theft.
• They can be kept at a different site.
• A plan of duties for staff to implement the programme of recovery.

Risk Analysis
• Employees need to be aware of the security threats and of the consequences of a systems failure.
• Managers need to be aware of the value of the resources, the possible risks, and the chances of their occurrence.

Consequences
• Cash flow: bills not processed.
• Uninformed decisions due to the loss of the MIS.
• Problems with customers going to competitors, and loss of suppliers' goodwill.
• Production and services disrupted and late.
• No proper stock control, leading to too little or too much stock.

Physical Security
• Protection of computers and software by secure areas, restricting access to the equipment.
• Secure buildings with authorised access only; if a building is breached, the computers are locked in rooms.
• Access to rooms gained by passes or keys.
• Access to computers gained by unlocking them.
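The Back Up slide above says backup copies must be tested on different computers to see if they work. A copy that was silently corrupted or left incomplete only shows itself at restore time, which is the worst moment to find out. The following is an added example, not part of the original slides, of a backup that records a SHA-256 manifest at backup time, restores onto a separate location, and checks the restored files against the manifest. The directory layout and file contents are constructed for illustration, and the run is self-contained in a temporary directory.

```python
"""Backing up a directory with a hash manifest and testing that it restores.

Added example, not from the original slides. Directory names and file
contents below are constructed. The manifest is written alongside the
backup so the restore test can be run on another machine with only the
backup medium to hand.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir and write MANIFEST.json,
    mapping relative path -> SHA-256 of the file as read from the source."""
    os.makedirs(backup_dir, exist_ok=True)
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_of(src)
    with open(os.path.join(backup_dir, "MANIFEST.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def restore_backup(backup_dir, restore_dir):
    """Restore the backup onto a different location (the slide's 'different
    computer'); the manifest itself is not part of the restored data."""
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            if name == "MANIFEST.json":
                continue
            src = os.path.join(root, name)
            rel = os.path.relpath(src, backup_dir)
            dst = os.path.join(restore_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)


def verify_restore(backup_dir, restore_dir):
    """Compare the restored tree against the manifest. Returns a list of
    (relative path, problem) pairs; an empty list means the backup is usable."""
    with open(os.path.join(backup_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    problems = []
    for rel, digest in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            problems.append((rel, "missing"))
        elif sha256_of(path) != digest:
            problems.append((rel, "checksum mismatch"))
    return problems


def demo():
    """Constructed end-to-end run: back up, restore, verify; then corrupt one
    restored file, delete another, and verify again. Returns (clean, damaged)."""
    base = tempfile.mkdtemp()
    src, bak, rst = (os.path.join(base, d) for d in ("live", "backup", "restore"))
    os.makedirs(os.path.join(src, "sales"))
    with open(os.path.join(src, "sales", "q1.csv"), "w") as f:
        f.write("region,revenue\nnorth,120\n")          # constructed data
    with open(os.path.join(src, "ledger.txt"), "w") as f:
        f.write("opening balance 1000\n")                 # constructed data
    make_backup(src, bak)
    restore_backup(bak, rst)
    clean = verify_restore(bak, rst)
    # Simulate media damage on the restored copy: one file corrupted, one lost.
    with open(os.path.join(rst, "ledger.txt"), "a") as f:
        f.write("garbage\n")
    os.remove(os.path.join(rst, "sales", "q1.csv"))
    damaged = verify_restore(bak, rst)
    shutil.rmtree(base)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

The point of the manifest is that the test does not depend on the live system still being available: after a real disaster the original files are gone, so the only reference for "did the restore work" is what was recorded at backup time. Keeping the manifest with the off-site copy, as the slide suggests for the backups themselves, keeps that reference available too.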
Security
• Security by only allowing certain staff access, through user identities and individual passwords.
• Certain files are read-only for some staff.
• Staff use a smart card to unlock the keyboard.
• Documents and printouts are locked away, and shredded when finished with.
• Communication channels are encrypted.