2. What you need to know
•Why do we need to protect data on ICT systems?
•What are the possible threats to an ICT system?
•How can an ICT system be protected?
•What legislation covers ICT systems?
3. Why do we need to protect data on ICT systems?
Here are some key reasons why the data on an ICT system, and the system itself,
must be protected.
•Privacy of data – your (and my) personal details might be held on the system
•Monitoring of ICT users – what have you been up to? Who else knows?
•Identity theft – your identity and money are at risk if you’re not careful
•Threats to the system – is it wise to drink coffee next to a machine or let someone
log in as you?
•Malpractice & crime – is someone doing something wrong or are they actually
breaking the law?
4. What are the possible threats to an ICT system?
Any threat to a system is dangerous. Some threats are more likely to
happen than others, and the outcome can vary from mild annoyance
to complete loss of h/w, s/w and data.
The biggest threat to an ICT system is… the user of the system.
Other threats include:
•Natural hazards (earthquake, lightning etc.)
•Faulty h/w or s/w
•Viruses/worms/trojans
•Spyware
•Spam
•Hacking
•Fire
•Loss of power
5. Malpractice & Crime
Both malpractice and crime are threats to a system. Malpractice means
doing something that is wrong, improper or careless. A crime obviously
means something a bit more serious, as you are breaking the law.
Examples of malpractice
•Not logging off when finished with the system
•Using the system for unauthorised uses
•Giving user ID & password to someone else
•Not backing up your work
Examples of crime
•Hacking
•Piracy
•Spreading viruses
•Theft of data
•Destruction of data
•Fraud
6. Threats to a system can be INTERNAL or EXTERNAL, dependent on whether
they come from within or from outside the organisation. Typically hackers will
be external, unless they are an employee wanting to gain access to a part of the
system that they are not normally allowed to access.
7. How can an ICT system be protected?
ICT systems can be protected in many simple ways:
•Train staff to use the systems correctly
•Have an acceptable use policy (AUP) and documented procedures
•Enforce user IDs and passwords
•Have access levels to restrict user access to data
•Ensure the use of a strong password that is changed regularly
•Install, run and regularly update anti-virus software to detect and neutralise
viruses, spyware and other nasties
•Encrypt data to ensure that those who steal it cannot use it
•Install and use a firewall
•Use biometrics to restrict access to systems
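Three of the bullets above (user IDs and passwords, strong passwords changed regularly, and access levels restricting who can see which data) can be shown working together in code. The following Python script is an added example and is not part of the original slides: it enforces a minimum password policy (the length and character-class rules are assumptions chosen for the example), stores each password as a salted PBKDF2 hash so that a stolen password file cannot be used directly, flags passwords that are overdue for a change, and applies access levels so a user can only read records their level permits. The usernames, passwords, record names and levels are all constructed for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import Optional, Tuple

# Example policy values (assumptions for this demonstration, not rules from the slides).
MIN_LENGTH = 12            # minimum password length
MAX_AGE_DAYS = 90          # how often a password must be changed
PBKDF2_ROUNDS = 200_000    # work factor for the stored hash

# Access levels: a higher number means more access.
LEVELS = {"guest": 0, "staff": 1, "admin": 2}

# Constructed records, each tagged with the minimum level needed to read it.
RECORDS = {
    "timetable": "staff",
    "payroll": "admin",
}


def password_is_strong(password: str) -> bool:
    """True if the password meets the example policy: long enough and
    containing lower case, upper case, a digit and a symbol."""
    if len(password) < MIN_LENGTH:
        return False
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return all(re.search(pattern, password) for pattern in classes)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256. The stored digest is one-way, so someone who
    steals the user table still does not learn the passwords."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so timing does not leak how much matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)


def add_user(users: dict, username: str, password: str, level: str, changed: date) -> None:
    """Create an account, refusing weak passwords and unknown access levels."""
    if level not in LEVELS:
        raise ValueError(f"unknown access level: {level}")
    if not password_is_strong(password):
        raise ValueError("password does not meet the policy")
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest, "level": level, "changed": changed}


def login(users: dict, username: str, password: str) -> bool:
    """Check a user ID and password against the stored salted hash."""
    user = users.get(username)
    if user is None:
        # Do the same amount of work for unknown names so an attacker cannot
        # tell valid from invalid usernames by timing the response.
        hash_password(password, b"\x00" * 16)
        return False
    return verify_password(password, user["salt"], user["hash"])


def password_needs_change(users: dict, username: str, today: date) -> bool:
    """True when the password is older than the policy allows."""
    user = users[username]
    return today - user["changed"] > timedelta(days=MAX_AGE_DAYS)


def can_read(users: dict, username: str, record: str) -> bool:
    """Access levels: a user may read a record only if their level is at least
    the level the record requires. Unknown users and records get nothing."""
    user = users.get(username)
    if user is None or record not in RECORDS:
        return False
    return LEVELS[user["level"]] >= LEVELS[RECORDS[record]]


def build_demo_users() -> dict:
    """Two constructed accounts: an admin and a member of staff."""
    users: dict = {}
    add_user(users, "alice", "Correct-Horse-Battery-9", "admin", date(2024, 1, 10))
    add_user(users, "bob", "Staff-Room-Coffee-42!", "staff", date(2024, 6, 1))
    return users


if __name__ == "__main__":
    demo = build_demo_users()
    print("alice login:", login(demo, "alice", "Correct-Horse-Battery-9"))
    print("bob reads payroll:", can_read(demo, "bob", "payroll"))
    print("alice overdue on 2024-06-01:", password_needs_change(demo, "alice", date(2024, 6, 1)))
```

Note that the user table never contains a password in clear text: each entry holds only a random salt and a slow, one-way hash, which is what makes a stolen copy of the table far less useful than a stolen list of passwords would be.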
8. What legislation covers ICT systems?
•Computer Misuse Act (1990)
•Copyright, Designs & Patents Act (1988)
•Regulation of Investigatory Powers Act (2000)
•Data Protection Act (1998)
Please note that the laws cannot protect the ICT system
or the data it holds, but they can allow the perpetrators to
be prosecuted if they are apprehended.
9. Computer Misuse Act (1990)
Used as a deterrent to those who like to “explore” ICT systems, look
at data/information that they shouldn’t, possibly commit fraud,
or alter or destroy data, perhaps by planting viruses.
The Act has 3 sections:
Section 1: Unauthorised access
Penalty: max 2 years or a fine or both
Section 2: As section 1, plus committing a further offence such as
fraud
Penalty: max 5 years or a fine or both
Section 3: As section 1, plus modifying data
Penalty: max 10 years or a fine or both
10. Copyright, Designs & Patents Act (1988)
Allows original work by authors, artists, software companies, recording
artists etc. to be protected against illegal copying for between 50 and 70 years.
Copying s/w or music to distribute is illegal. Having possession of
equipment to copy files is illegal.
Exceptions
•If copying or performances are done for charity, or royalties are collected
and paid to the author, it is OK.
•If you are copying to create a legal archive it is OK
•Copying for academic research is OK
Typically used by Trading Standards to prosecute traders at car boot
sales, other markets and on eBay.
Maximum sentence is 2 years and a fine of £50 000.
11. Regulation of Investigatory Powers Act (2000)
A newish piece of legislation that allows organisations to record and
monitor information about you.
Makes legal telephone taps, interception of web traffic and emails, use
of surveillance cameras, police ANPR systems etc., and allows the authorities to
require you to hand over encryption keys so your data can be read.
When introduced it was called a snoopers’ charter, as it allowed many
organisations to monitor what you are up to.
12. Data Protection Act (1998)
The only law that protects YOU!
Has a number of principles that all companies must adhere to if they collect
personal data (data from which a single living person can be identified) and
hold it for more than 40 days in an ICT system.
There are a number of exceptions that allow data to be held without your
knowledge, e.g. crime, national security etc.
Definitions you need to know
•Data subject
•Data user
•Data controller
•Information commissioner
•The 8 principles
•Rights of a data subject
•The main exceptions both full and partial