13.6 Legal Aspects

• Corporate IT Security Policy:
• Understand the need for a corporate information
  system security policy and the rôle it would fill
  within an organisation.
• Factors could include prevention of misuse,
  detection, investigation, procedures, staff
  responsibilities, disciplinary procedures.
• Describe the content of a corporate information
  system security policy.
• Describe methods of improving awareness of
  security policy within an organisation, cross-
  referencing to training and standards.
• Disaster recovery management:
• Describe the various potential threats to
  information systems, e.g. physical security;
  document security; personnel security; hardware
  security; communications security; software
• Understand the concept of risk analysis.
• Understand the commercial need to ensure that
  an information system is protected from threat.
• Describe a range of contingency plans to recover
  from disasters and relate these to identified
• Describe the criteria used to select a contingency
  plan appropriate to the scale of an organisation
  and installation.
        Corporate IT Security
• Dependency on IT means the integrity and the
  safety of information kept is highly important.
• Two possible threats to security are accidental
  and deliberate loss and damage.
• Accidental: human error and natural disasters.
• Deliberate: fraud, sabotage, arson and spying.
• Threats to security come from within and from
  outside the organisation.
• A Corporate IT Security Policy should be wide
  ranging enough to cover all eventualities.
        IT Policy Statement
• Covering the use of computers.
• Users are required to read it and sign their agreement to it.
• Organisations may run training courses for
  new employees who use computers.
• Courses cover the main Acts regarding the
  use of computers in organisations.
• IT security is implemented as a cornerstone
  of the organisation’s management.
       Prevention of Misuse
• Not allowing users access to the
  Operating System and settings.
• Not allowing key files to be deleted.
• Allowing restricted use of the Internet
  including Filtering and Firewalls.
• Not allowing everyone access to the
  Internet and e-mail use.
• Users need a user name and a password.
• Users have access only to files they
  normally use in the course of their work.
• Audit trails to discover where misuse has
  taken place and to identify the employee.
• Specialist software that will identify an
  unusual request or unusual use and will
  flag a message to the security manager.
• Software that allows the security manager
  to see who is working and who is playing.
• A log of access can be saved to build a
  record of use about employees.
• Use of software to investigate and gather
  evidence against a mis-user of the system.
• Important to have proper evidence against
  someone accused to ensure fair treatment
  and keep good industrial relations.
• In serious cases of misuse the employee
  could be disciplined, dismissed, or the
  police involved in very serious cases.
• User code of practice.
• Prevention of access to files when not
  working on them.
• Rotation of duties, staff have a variety of
  duties that change regularly.
         Staff Responsibility
• The organisation has many legal
  responsibilities, as well as being
  responsible for its staff.
• Staff acting irresponsibly or illegally can
  affect the organisation, leaving it
  liable in law.
• Staff have many legal responsibilities.
• The organisation needs to ensure none of
  its staff are doing anything illegal.
     Disciplinary Procedures
• Procedures will be known by staff when
  they sign the IT Policy agreement.
• For less serious misuse a spoken warning
  may be used first, followed by a written
  warning on a second occasion, followed
  by dismissal on a third occasion.
• Very serious misuse, fraud, etc. may be
  followed up with a police investigation.
Contents of an IT Security Policy
• The need for a security policy, nature of the files
  and data the organisation uses.
• Policy objectives, keeping to the laws of the
  country, a framework for access to data and
  unauthorised use, and appropriate action against
• Scope of the Policy, including contingency plans
  and disaster recovery.
• Responsibility for security, managers and staff.
• Implementation is about how it will ensure security.
• Organisational and Procedural Security:
  – Classification of data, confidential or free;
  – System development by a team of workers;
  – Recovery procedures in any failure;
  – Disaster recovery and back up of files and data;
  – Upgradability in event of hard/software changes;
  – Legal procedures in line with the laws;
  – Personnel controls where no one person has
    access and control of everything.
• Physical Security:
  – From unauthorised access, accidental and
    deliberate damage, human and natural
  – Restricted access to computers, to offices, to
  – Use of equipment for organisational purposes;
  – Security of data, maintenance of equipment,
    unattended use, fire prevention and detection,
    disposal of printed information.
• Logical Security:
  – Access controls to data and programs through
    user identity, user passwords, terminal
    controls, and following up where access was
• Network Security:
  – Again access controls, against hacking and
• Data and Program Integrity:
  – Accuracy, up-to-date, completeness of data,
    unauthorised copying of programs and data.
Disaster Recovery Management
• Knowing and managing:
  – what possible threats there are to the system,
  – the chances of them happening,
  – and the measures placed in force to minimise
    these chances.
• Sources of threat are both internal and external.
• A plan in force to recover and return to
  normal operations in the event of systems
                The Threats
•   Viruses           •   Fire, Flood, Earthquake
•   Hacking           •   Power failure
•   Fraud             •   Gas leaks
•   Theft             •   Machine breakdown
•   Sabotage          •   Communications cut
•   Blackmail         •   Cabling failure
•   Espionage         •   Software crash
•   Terrorism         •   Software failure
•   Vandalism
                The Plan
• To ensure operations continue to run after
  the following disasters:
  – Loss of computer equipment
  – Loss of services
  – Loss of employees
  – Loss of support services
  – Loss of communications
  – Loss of data and programs
          Contingency Plan
• A contingency plan is about ensuring the
  managers of an organisation know what to
  do in the event of a disaster.
• The IT system if lost could mean the
  organisation or business collapses.
• Downtime is the time an organisation is
  running without its IT system; the shorter
  the downtime, the greater the chance of
  full recovery after a failure.
                Back Up
• Regular back up copies of data files and
• Back up copies to be tested on different
  computers to see if they work.
• These copies must be kept in a secure
  area from fire, flood and theft.
• Can be kept in a different site.
• Plan of duties for staff to implement the
  program of recovery.
            Risk Analysis
• Employees need to be aware of the
  security threats and the consequences of
  systems failure.
• Managers to be aware of the value of the
  resources, the possible risks, and chances
  of their occurrence.
• Cash flow, bills not processed.
• Uninformed decisions due to loss of MIS.
• Problems with customers going to
  competitors and suppliers goodwill.
• Production and services disrupted and late.
• No proper stock control, too little or too
          Physical Security
• Protection of computers and software by
  secure areas, restricting access to the
• Secure buildings, authorised access only,
  if breached the computers are locked in
• Access to rooms gained by passes / keys.
• Access to computers gained by unlocking
• Security by only allowing certain staff
  access by ‘user identities’, and individual
• Certain files are ‘Read Only’ for some staff.
• Staff to use a smart card to use the
• Documents and prints locked away, and
  shredded when finished with.
• Communication channels encrypted.