IT - Unit 2 LO6

6.1 CIA

6.3 Impacts

6.2 Risks

6.4 Policy Protection Measures

6.6 Logical Protection Measures

6.5 Physical Protection Measures

Integrity - Making sure information is maintained, so that it is kept up-to-date, accurate, complete and relevant. An example would be the medical records of students at a school constantly being updated.

Availability - Making sure information is always available to the individuals or groups that need it. An example would be parents’ phone numbers, in case their child is in an emergency.

Confidentiality - Making sure information is only accessible to individuals or groups who are authorised to access it. An example would be the salaries of teachers only being accessible to the headteacher and HR.

Intentional Destruction - A malicious attack on a network computer can delete any file without users knowing.
https://www.bbc.co.uk/news/technology-25506020

Intentional Tampering - A hacker can exploit weaknesses in the network to perform the same harmful attacks on a computer that malware could do.
https://www.theguardian.com/technology/2014/dec/26/xbox-live-and-psn-attack-christmas-ruined-for-millions-of-gamers

Unauthorised Access - An employee who leaves their PC logged on before they leave could be revealing very sensitive data.
http://news.bbc.co.uk/1/hi/uk/1064917.stm


Accidental Loss - An inexperienced employee may not know what data is important, so vital files could accidentally be deleted.


Natural Disasters - In areas of the world that are near plate boundaries, natural disasters can be inevitable, and very harmful to both data and employees.

Failure in security of confidential information - Failure in security of confidential information is a breach in security, keys being stolen, or poor policy. An example of this would be a Tesco employee hacking into Sainsbury’s price lists and changing Tesco’s prices accordingly.

Threat to national security - Multiple times, people have accidentally leaked information that could potentially be a massive threat to national security. For example, in December 2000, an MI5 agent left a briefcase that contained top-secret information on a train. Imagine the threat that could emerge if a terrorist was also on that train, and found that briefcase.
http://news.bbc.co.uk/1/hi/uk/1064917.stm

Loss of service and access - Loss of service and access is being unable to access or get into a server. Examples of this would be high levels of Amazon users overloading a server, or earthquakes causing power cuts.

Loss of information belonging to a third party - Loss of information belonging to a third party means that companies that work with a hacked company are also at risk of a hack. For example, Sony manufactures stereos for BMW cars - if BMW were to get hacked, Sony would be at risk too.

Loss of reputation - Loss of reputation is where a company receives negative press as a result of a risk to information security. This happened in September 2018, when British Airways was hacked, affecting around 380,000 transactions. This caused the company to be fined £183 million in July 2019.
https://www.bbc.co.uk/news/business-48905907

Disaster recovery - An area of security planning that attempts to protect organisations from the negative effects of an attack.

Information security risk assessment - Helps organisations manage and identify hazards to information security, whether from an outside source or within the company.

Responsibilities of staff for information security - If staff are trained correctly, they will not leak any details that may risk information security.

Effectiveness of protection measures - What are the strengths and weaknesses of your company’s protection policies?

Staff access rights to information - Certain staff will have exclusive access rights depending on their roles. For example, HR will have information on the pay scale.

Staff training to handle information - Staff are trained to follow the proper procedures when handling data, thus protecting it.

Backup systems in other locations - Keeping the same data in multiple locations, like different cities and countries, means if one location is compromised, the data will remain in other locations.

Security staff - Will intimidate possible threats, deterring them from stealing anything.

Placing computers above known flood levels - If a flood happens, the data on the computers will be completely safe.

Shredding old paper-based records - Ensures no-one can look through past records in order to find out anything.

Locks, keypads and biometrics - Used on workstations and for server room access, in order to stop unauthorised people from getting in.

Obfuscation - Scrambling sensitive data in order to make sure it is completely illegible to people trying to steal your data. Useful for credit card numbers, passwords, addresses and other personal information.

Encryption of data at rest - Encrypting data once it has already been sent and is being stored. This helps to stop hackers from stealing or damaging the data.

Anti-malware applications - These seek out malware on your computer in order to remove it, keeping your data safe from destruction. Examples include AVG, Malwarebytes and McAfee.

Encryption of data in transit - Encrypting data as it is being transferred. This helps to avoid interception of the data.

Firewalls - These monitor and filter incoming/outgoing network traffic, ensuring no harmful data can pass through.

Password protection - Stops hackers, either by using unique passwords for each of your accounts, or locking someone out once they enter too many incorrect passwords. The latter is primarily useful in stopping brute force attacks.

Tiered levels of data access - Different staff getting different levels of access to data.

Loss of intellectual property - Loss of intellectual property would be obtaining a patent or copyright secret that you should not have access to. An example would be James Dyson’s trade secrets getting leaked, causing him to shut down his electric car project and sue his ex-chief executive.
https://www.bbc.co.uk/news/business-42001793