Unit 6 - Information Security - Coggle Diagram
6.1 Principles of information security
Confidentiality
- Information can only be accessed by certain individuals. Eg. only the headteacher has information on salaries and wages. RL example: a nurse fined for illegally accessing patient records.
Integrity
- Information has to stay up to date, accurate and fit for purpose. Eg. the address and phone number of a company. RL example: Amazon packages lost because customers entered the wrong address.
Availability
- Information has to be accessible at all times. Eg. the emergency phone numbers a school uses if a student is injured.
6.3 Impact
Failure in security of confidential information
- Caused by a breach in security, eg. websites and servers being hacked and the information being used against the company. Poor policy is also a cause. RL example: a fashion retailer exposed 7 million customer records. (Intentional tampering, accidental loss)
Loss of information belonging to a third party
- When a business that works with another organisation loses that organisation's data. Eg. BMW and Sony work together; Sony gets hacked, which affects BMW. RL example: third-party purchases from Amazon delayed by weeks or months.
Loss of service and access
- Losing access to a website because of heavy internet traffic, a virus or a hack, causing waiting time. Eg. a company website is hacked and its information is leaked. RL example: the UCAS website went down on results day. (Intentional destruction, natural disasters)
Loss of reputation
- The result of a well-known company mishandling information, which discourages people from using the company's services. Eg. if Apple contacts were leaked, people would stop using Apple. RL example: British Airways fined £183 million for a data breach. (Intentional destruction/tampering)
Loss of Intellectual property
- Someone obtaining private and valuable information for their own purposes. Eg. trade secrets being stolen by a rival company, such as stealing the Coca-Cola recipe and using it yourself. RL example: James Dyson sacked a chief executive for leaking Dyson company secrets. (Unauthorised access, accidental loss)
Threat to national security
- A risk affecting huge numbers of people, resulting from a breach, stolen property or a virus. Eg. a CIA agent loses files containing location details and someone with malicious intent gets hold of them. RL example: an MI5 boss loses a laptop. (Accidental loss, natural disaster)
6.4 Protection Measure - Policy
Disaster recovery
- A set of procedures to ensure that documents can be recovered. Three stages: prevention, detection, correction. Eg. a website experiencing a DDoS attack.
(Intentional tampering/destruction)
Information security risk assessment
- Uses a risk evaluation to ensure the safety of certain information. It identifies vulnerabilities, threats and risks in order to work out how to mitigate them.
(Intentional tampering)
Responsibilities of staff for security of information
- Ensures that the information employees are responsible for is kept safe and secure. Eg. encrypting information online, two-factor authentication and regular password changes. Risk: staff forgetting the password or the password change.
(Accidental loss)
Effectiveness of protection measures
- Assesses an individual solution that is in place, to ensure that the software, hardware or device used actually removes the risk. Eg. making sure the firewall stops malware from entering the computer system.
Staff access rights to information
- Information can only be accessed by certain individuals. Eg. only the headteacher can access pay slips and wages.
Training of staff to handle information
- Ensures the security of private information by training staff to secure it properly, eg. using specialist software, passwords and encryption.
6.5 Protection Measure - Physical
Backup systems in other locations
- Places copies of sensitive information in an offsite location where it is less prone to breaches or natural disasters. Eg. the cloud, although it can still be breached; fireproof safes are effective.
(Intentional tampering, Intentional Destruction)
Security staff
- A deterrent to keep people away from sensitive information. The type of staff depends on the value of the data.
(Unauthorised/Unintended access)
Placing computers above known flood levels
- Prevents electrical systems from being damaged by flooding. Eg. placing computers on the second floor.
(Natural Disasters)
Shredding old paper based records
- Ensures that no one can access sensitive information that has served its purpose, by shredding it. Ensures confidentiality.
Biometrics, Locks, Keypads
- Physical access controls that ensure safety. Locks: least expensive and versatile, but easiest to open. Keypads: more secure and inexpensive, but easy to crack (shoulder surfing). Biometrics: cannot be copied by anyone, but very expensive.
(Accidental loss)
6.6 Protection Measure - Logical
Obfuscation
- Purposely makes data unintelligible to keep it safe and protected. Eg. code is obfuscated so that it cannot easily be modified or stolen. Can be carried out by individuals or by specialist software.
(Accidental loss)
Encryption of data in transit
- Encrypts data while it is being transferred to another device or devices. Protects against vulnerabilities such as malware attacks and viruses.
(Intentional tampering)
Anti malware applications
- Prevent malicious software (Trojan horses, adware, ransomware, worms, viruses etc.) from getting onto a computer system.
(Intentional tampering)
Encryption of data at rest
- Encrypts data that is held in one location (stored rather than being transmitted). Used alongside two-factor authentication, biometrics, obfuscation etc.
Firewalls (hardware and software)
- Scan incoming and outgoing traffic to catch malicious software. Prevent unauthorised programs from accessing the network; suitable for businesses.
(Intentional destruction)
Password protection
- Protects access to data with a password made of chosen or randomised numbers, letters and symbols.
(Unauthorised/Unintended Access)
Tiered level access to data
- Limits access to certain sensitive data to those with the authorisation or need to see it. Eg. a nurse will have access to a patient's medical information, but not their school grades (not needed).
(Natural Disasters)
6.2 Security Risks
Unauthorised/Unintended Access to Data
- When data is leaked due to poor security policy. Eg. a company with a weak password on its website is breached and customer details are stolen. RL example: 18,000 Covid test results published by mistake.
Links with loss of IP, failure in security of information and loss of reputation.
Accidental loss
- When data is lost or stolen due to human error. Eg. dropping a USB stick, leaving devices in public areas etc. RL example: an MI5 agent leaves a laptop on a train.
Links with threat to national security, loss of IP and loss in security of information.
Intentional Destruction
- Data taken or destroyed on purpose in a malicious attack. Eg. disrupting devices with viruses hidden in emails. RL example: ransomware attacks on California schools.
Links with loss of service/access, reputation and third-party information.
Intentional Tampering
- A hacker takes over a computer system. Eg. a company suffers a DDoS attack and has to pay a fine for the customer details that were lost. RL example: Fancy Bear leaks information on professional players.
Links with threat to national security, loss of reputation and failure in security of confidential information.
Natural Disasters
- When a natural disaster causes the loss of data stored on computer systems. Eg. a flood hits a business and all its computer systems are damaged, losing confidential information such as payment records. RL example: the 2004 Boxing Day tsunami.
Links with loss of service/access, reputation and threat to national security.