Presentation on theme: "ORGANISATIONAL SYSTEMS SECURITY T/601/7312 LEVEL 3 UNIT 5"— Presentation transcript:
1 ORGANISATIONAL SYSTEMS SECURITY T/601/7312 LEVEL 3 UNIT 5
LO3 - Understand the organisational issues affecting the security of IT systems
2 AIM AND PURPOSE OF THE UNIT
Organisations collect, create and manipulate a wide range of data and information; the cost of these activities is often much higher than the organisation realises until they are lost or stolen. Everyone who works with an information system should understand their responsibility to protect the system against theft or loss, and all IT professionals need to understand how to support the organisation in protecting its digital assets and hardware. This unit will enable the learner to recognise the importance of protecting systems against any security issues or failures when working with the hardware and software and when providing guidance to customers on the security of their systems.

Additionally, it will ensure that learners keep the importance of security at the forefront of their activities, in order to identify threats and protect the organisation and its assets as they work with the information system, both while working towards the qualification and in the workplace.

The aim of this unit is to provide the learner with an understanding of the importance of securing organisational IT systems, the impact of the law on the application of security policies, the range of security threats which an organisation must be protected against, and the tools which are used to provide protection. The learner will be able to apply this knowledge to any organisation through reviewing and making recommendations for improvements.
3 LO3 - Assessment Criteria
Learning Outcome (LO): The learner will:
Pass: The assessment criteria are the pass requirements for this unit. The learner can:
Merit: For merit the evidence must show that, in addition to the pass criteria, the learner is able to:
Distinction: For distinction the evidence must show that, in addition to the pass and merit criteria, the learner is able to:

LO1 Understand the impact of potential threats to IT systems
  P1 Explain the impact of different types of threat on an organisation
  M1 Compare and contrast the impact of different types of threat to different organisation types

LO2 Know how organisations can keep systems and data secure
  P2 Describe how physical security measures can aid in keeping systems secure
  M2 Discuss the effectiveness of physical security measures used in an identified organisation
  P3 Describe how software and network security can keep systems and data secure
  M3 Discuss the effectiveness of software security measures used in an identified organisation

LO3 Understand the organisational issues affecting the security of IT systems
  P4 Explain the policies and guidelines for managing organisational IT security issues
  D1 Recommend modifications to policies and guidelines for managing organisational IT security issues
  P5 Explain how employment contracts can affect security
  D2 Review contracts of employment in an organisation and their impact on security
  P6 Assess the laws related to security and privacy of data
4 Assessment Criteria P4, P5, P6, D1 and D2
P4 The learner should explain at least three different policies and guidelines for managing organisational IT security and give details of the purpose and scope of these. This could be in the form of a report.

P5 The learner should evidence at least three different types of employment contract, for junior, middle management and senior management, and explain how their generic roles and responsibilities and the wording of the contracts might be used to implement the security procedures within an organisation. This could be evidenced as a report with copies of the contracts to support explanations.

P6 The learner should assess the laws relating to security and privacy which are relevant to the United Kingdom and consider how they affect institutions. They could relate this to identified organisations to support their work. This could be presented as a report.

For distinction criterion D1 the learner must use policies and guidelines relating to information security used within an identified organisation, potentially using those reviewed in P4. The learner should describe and comment on the policies and procedures and recommend modifications to them, identifying how these recommendations would improve the policies and guidelines. This could be evidenced in the form of a report.

For distinction criterion D2 the learner must have the opportunity to review contracts of employment and the components that will enable an organisation to protect itself. As this is an extension of P5, learners should extend their explanations to review how organisations can further improve their security by including policies within contracts of employment and how this may impact on the organisation as a whole. This could be evidenced through a report or presentation but must include sufficient detail to support their review.
5 LO3 - Understand the organisational issues affecting the security of IT systems
The internet has samples of model security policies which are actually in use, and the centre will have one too. Learners should research these and obtain copies of one or two, comparing their ideas for policies and procedures with those from a real organisation such as the learning centre or an identified organisation. The learner will develop their reasoning so that they are able to move from general discussion to evaluating policies and guidelines which have been designed for a specific use within an organisation.

The learner should have a clear understanding of the type of organisation they are working with, such as its functions, location(s) and the types of data it uses, and then be able to review current policies and procedures for the organisation, making recommendations for improvements. The learners should also consider how an organisation's policies and procedures are linked to an individual's contract of employment and the responsibilities and liabilities these place on the employee.

With regard to legislation, learners should focus on what each of the Acts means, the purpose of the Act and the implications for an organisation or individual. With constantly changing legislation, learners should review and consider new or outline legislation or revisions that may affect an organisation in this way.
6 P4.1 - Policies and Procedures - Analysis
Every company that uses computers, email, the internet and software on a daily basis should have information technology (IT) policies in place. It is important for employees to know what is expected and required of them when using the technology provided by their employer, and it is critical for a company to protect itself by having policies to govern areas such as personal internet and email usage, security, software and hardware inventory and data retention. It is also important for the business owner to know the potential lost time and productivity at their business because of personal internet usage.

Without written policies, there are no standards to reference when both sticky and status-quo situations arise, such as those highlighted above.

So, what exactly are the IT policies that every company should have? There are six areas that need to be addressed:

Acceptable Use of Technology: Guidelines for the use of computers, fax machines, telephones, internet, email and voicemail, and the consequences for misuse.
Security: Guidelines for passwords, levels of access to the network, virus protection, confidentiality, and the usage of data.
Disaster Recovery: Guidelines for data recovery in the event of a disaster, and data backup methods.
Technology Standards: Guidelines to determine the type of software, hardware and systems that will be purchased and used at the company, including those that are prohibited (for example, instant messenger or mp3 music download software).
Network Set-up and Documentation: Guidelines regarding how the network is configured, how to add new employees to the network, permission levels for employees, and licensing of software.
IT Services: Guidelines to determine how technology needs and problems will be addressed, and who in the organization is responsible for employee technical support, maintenance, installation, and long-term technology planning.

Task 1 – P4.1 – Describe for your School why there is a need for an IT policy to be in place and the dangers that exist that the policy is designed to protect against.
7 P4.2 - Policies and Procedures
On a larger scale, company IT policies tend to be standard across sites: the IT policy in Subway in Chislehurst will be the same as in the Subway in Ballymena, Corby or Glasgow. The risks are the same; the policies vary slightly depending on the nature of the business, the information the company manages and the security threats that have been successful or attempted in the past.

Staff at these companies will be aware of these policies, specifically when it comes to more sensitive information. Most companies get their staff to sign an AUP (Acceptable Use Policy). In schools there should be one by the door of every classroom that has a computer.

Companies write these to protect themselves and their customers. Using two policies, you will need to analyse, compare and review these based on a range of criteria that needs to be set.

Task 2 – P4.2 – Using 2 different business models and the Report Template, define the Companies' Purpose, Functions, Location and Types of Data they manage from day to day.

Business models to choose from: Bath University, Co-op, Greggs, Princeton University, Asda, McDonalds, MIT University, Morrisons, Subway.

Report Template: one row each for Business 1 and Business 2, with columns Purpose, Function, Location and Types of Data.
8 P4.3 - Policies and Procedures - Policies
Policies are there to protect customers' information and staff details, and to protect the company. Writing a policy document makes it legal. All new staff read these and sign an agreement that they understand it; then it becomes official. If they breach the policy, they signed the agreement. If they download at work, they signed the agreement. If they look at things they should not, you can see where this is going. Companies need to be protected, and policies need to be updated when things change so the company remains protected.

And everyone is affected. When a student starts a school they sign the agreement, or their parents do, as do staff. This means we follow etiquette, we do not download, we do not abuse the emails, we do not look at inappropriate materials on the internet. At the lowest end the outcome is a verbal or written warning, or the facility is blocked or email is suspended. And as all emails and Internet traffic are monitored, with a produced log and Internet trail, and as we know this, we abide by the rules.

Click here for statistics on why these policies are necessary.

Task 3 – P4.3 – Using 2 different business models and the Report Template, define the Policy Purpose and Policy Audience.

Report Template: one row each for Business 1 and Business 2, with columns Policy Purpose and Policy Audience.
9 P4.4 - Policies and Procedures – Password Procedures
While usernames will be considered public information, passwords are the first line of defence in providing computer and information security. It is ultimately the individual's responsibility to maintain the security of their password while maintaining a certain level of complexity within that password, so as not to allow for breaches of that username. Username and password management is a significant part of an overall solution to improve security. The overall protection of the key assets must begin with the individual who has access to them. Policies outline how usernames will be created and how a user will be required to choose a password that is considered to be strong given best practices as they exist currently. Additional requirements are usually outlined in policies, as are the creation of default passwords, changing of passwords, and resetting of passwords. Each user of computing resources is expected to stick to their company policy.

Click here for statistics on the consequences of poor password policies.

Task 4 – P4.4 – Using 2 different business models and the Report Template, define the Companies' Policy on Password procedures.

Report Template: one row each for Business 1 and Business 2, with columns Guidelines on User names and Guidelines on Passwords.
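The password procedures described above (username creation, strong passwords, issued defaults, changing and resetting), as an added worked example in Python that is not code from the page or from any named organisation. The policy values, the default passwords and the names are constructed assumptions; a real organisation sets its own.

```python
"""Password procedure checks: username creation, strength rules, issued
default passwords, reuse history, expiry and helpdesk reset."""
import hashlib
import re
from dataclasses import dataclass, field

# Constructed policy values for illustration; a real organisation sets its own.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3      # out of: lower case, upper case, digit, symbol
HISTORY_DEPTH = 5              # the last N passwords may not be reused
MAX_AGE_DAYS = 90              # "changing of passwords" rule
# Constructed examples of default passwords an IT team might issue at account
# creation or on reset; the policy forbids keeping one as a permanent password.
DEFAULT_PASSWORDS = {"Welcome1!", "Password1", "ChangeMe123"}


def _fingerprint(password):
    # Illustration only: a production system stores a salted, slow password hash
    # (bcrypt/argon2), never a fast unsalted digest and never the plaintext.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    username: str
    history: list = field(default_factory=list)   # fingerprints, oldest first
    password_age_days: int = 0
    must_change: bool = False                      # set when a default/reset password is issued


def make_username(first, last, existing):
    """Usernames are public and derived from the person's name; collisions get a numeric suffix."""
    base = re.sub(r"[^a-z0-9]", "", (first[:1] + last).lower())
    candidate, n = base, 1
    while candidate in existing:
        n += 1
        candidate = f"{base}{n}"
    return candidate


def check_password(account, password):
    """Return the list of policy rules the candidate password breaks (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if account.username.lower() in password.lower():
        problems.append("contains the username")
    if password in DEFAULT_PASSWORDS:
        problems.append("is an issued default password")
    if _fingerprint(password) in account.history[-HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(account, password):
    """Apply the rules; on success record the new password and restart the age clock."""
    problems = check_password(account, password)
    if problems:
        return problems
    account.history.append(_fingerprint(password))
    account.password_age_days = 0
    account.must_change = False
    return []


def password_expired(account):
    """True when the user must choose a new password at the next login."""
    return account.must_change or account.password_age_days >= MAX_AGE_DAYS


def reset_password(account, temporary="ChangeMe123"):
    """Helpdesk reset: issue a temporary default and force a change at the next login."""
    account.history.append(_fingerprint(temporary))
    account.must_change = True
    return temporary


if __name__ == "__main__":
    taken = {"jsmith"}                                  # constructed existing usernames
    user = Account(make_username("Jane", "Smith", taken))   # -> jsmith2
    print(user.username, set_password(user, "jsmith2-rocks"))   # rejected: contains the username
    print(set_password(user, "Correct-Horse-42"), password_expired(user))
```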
10 P4.5 - Policies and Procedures – Email Procedures
Company policies are designed for a reason, and the one particular danger that companies always come up against is the ineffective and abusive use of emails at work. There are two dangers involved: those who use email trivially and those who use it maliciously. Company policy tries to limit the first and demands a halt to the second.

Ineffective use of emails can include sending trivial emails on company time; sending materials that are wrong, images, comments, slanders; using bad language; and using inappropriate layouts and manners when sending emails to customers. Etiquette, restrictions and monitoring can manage these.

Malicious use of emails is more dangerous: cyber bullying, threatening behaviour, the spreading of materials such as images, viruses, leaked information, malware etc. These are harder to stop as the emails are already internal, but they can cause damage to the company, prosecutions and reputations being lost.

Click here and here for the damage through inadvertent use.

Task 5 – P4.5 – Using 2 different business models and the Report Template, define the Companies' Policy on email procedures.

Report Template: one row each for Business 1 and Business 2, with columns Ineffective use of emails and Malicious use of emails.
11 P4.6 - Policies and Procedures – Cyber Bullying
Cyber bullying is common in the outside world: emails, texts, Facebook comments, tweets etc. It is very easy to get and use IT for these purposes, and there are news articles all the time that pick up on these. Policies within businesses are written to limit this; when someone prosecutes, a company can become involved if it happens in the workplace and is not dealt with. The workplace is a hotbed of tensions, of personalities and potential problems. It is in the company's best interest to reduce its involvement in this.

Monitoring is the simplest ICT method: all emails are stored, all internet activity is monitored, and audit trails and network logs will track all internet activity that goes through the system. Company phones and conversations with clients, customers and suppliers are recorded etc. This constant monitoring and pervasive tagging may seem over the top, but it works: staff who are afraid of getting caught will limit their activities.

Click here and here for examples of how cyber bullying can affect the reputation and finances of a company.

Task 6 – P4.6 – Using 2 different business models and the Report Template, define the Companies' Policy on Cyber Bullying and tracking procedures.

Report Template: one row each for Business 1 and Business 2, with columns Cyber bullying and Activity Tracking.
12 P4.7 - Policies and Procedures – Access Privileges
Within every company there is sensitive information: staff details, customer details, reports, staff reviews, medical information and other information that needs to be protected under the Data Protection Act. This is a given; information needs protecting, but sometimes it also needs to be seen and not changed. Access privileges are set on two levels: staff rights of access and file rights of access.

For staff, restricting folders, hiding information, storing things in different locations etc. makes it more difficult to access illegally or accidentally; giving staff access privileges such as read rights, copy rights and delete rights sets the network controls on how those files are seen and read. For instance, the network manager can see everything because they need to set the rights, but is bound by a code of confidentiality; a standard office worker can see some customer information, but only through granted access related to their job. Abusing this privilege or attempting to access materials above their pay grade is considered a breach of the Computer Misuse Act.

Click here and here for examples of how abusing access privileges can affect the reputation and finances of a company.

Task 7 – P4.7 – Using 2 different business models and the Report Template, define the Companies' Policy on Access Privileges procedures.

Report Template: one row each for Business 1 and Business 2, with the column Access Privileges.
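The two-level access model above (staff rights of access and file rights of access, with every attempt logged so that abuse can be traced), as an added Python example that is not from the page: roles with a need-to-know category list, per-file grants of read/copy/delete, an authorisation decision, and an audit trail that flags users with repeated denied attempts. The role names, file paths and grants are constructed assumptions.

```python
"""Access privileges on two levels (staff rights and file rights) with an audit trail."""
from dataclasses import dataclass, field

ACTIONS = ("read", "copy", "delete")

# Constructed roles and the data categories each job needs to see (need-to-know).
# The network manager can see everything because they set the rights; the policy
# binds them with a code of confidentiality rather than a technical restriction.
ROLE_RIGHTS = {
    "network_manager": {"staff_details", "customer_records", "medical", "reviews"},
    "hr_officer": {"staff_details", "reviews", "medical"},
    "sales_assistant": {"customer_records"},
}


@dataclass
class File:
    path: str
    category: str
    grants: dict = field(default_factory=dict)   # role -> set of actions the file itself allows


@dataclass
class Decision:
    user: str
    role: str
    path: str
    action: str
    allowed: bool
    reason: str


AUDIT_LOG = []   # every decision is recorded, granted or denied


def authorize(user, role, file, action, log=None):
    """Grant only if the role's need-to-know covers the file's category AND the file grants the action."""
    log = AUDIT_LOG if log is None else log
    if role == "network_manager":
        file_actions = set(ACTIONS)          # manager rights are not limited by per-file grants
    else:
        file_actions = file.grants.get(role, set())
    if action not in ACTIONS:
        allowed, reason = False, "unknown action"
    elif file.category not in ROLE_RIGHTS.get(role, set()):
        allowed, reason = False, "category outside the role's need-to-know"
    elif action not in file_actions:
        allowed, reason = False, f"file does not grant {action} to {role}"
    else:
        allowed, reason = True, "granted"
    decision = Decision(user, role, file.path, action, allowed, reason)
    log.append(decision)
    return decision


def repeated_denials(log, threshold=3):
    """Users with at least `threshold` denied attempts: candidates for a misuse review."""
    counts = {}
    for d in log:
        if not d.allowed:
            counts[d.user] = counts.get(d.user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


# Constructed sample files: a sales assistant may only read customer orders; only HR may
# read or copy the medical file, and nobody but the network manager may delete it.
CUSTOMER_ORDERS = File("/data/customers/orders.csv", "customer_records", {"sales_assistant": {"read"}})
STAFF_MEDICAL = File("/data/hr/medical.xlsx", "medical", {"hr_officer": {"read", "copy"}})

if __name__ == "__main__":
    trail = []
    for action in ACTIONS:
        d = authorize("amy", "sales_assistant", STAFF_MEDICAL, action, trail)
        print(d.path, action, d.allowed, d.reason)
    print(repeated_denials(trail))   # amy tried three times: ['amy']
```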
13 P4.8 - Policies and Procedures – Backup and Disaster Recovery
Backups are vital within a company, and disaster recovery plans are linked to the levels, depth and location of these backups. To lose a connection for a minute can be annoying for some companies, possibly expensive; to be down for a day can cause a serious drop in profitability; to be down for a week will break a lot of companies. This is why businesses draw up a disaster recovery plan, and why backing up information hourly, nightly and weekly is vital to this.

How fast a company can recover its systems is the key to this. The PSN network was down for several days, costing the company in the range of $18bn in reputation and compensation; RBS set aside £125m because of its ICT loss in February. The IT disaster recovery plan after the Kobe earthquake in 1995 was immense; a similar earthquake in March 2011 was less expensive because companies had planned for it, had backups, had external sites, and had cloud and network storage. For some companies the recovery time was hours.

By law, schools back up their files nightly and weekly, keep a backup in a fireproof safe and store a copy of the network off-site. Think of what a large company with a turnover 100 times that of a school will need to do.

Click here and here for examples of how poor Backup and Disaster Recovery can affect the reputation and finances of a company.

Task 8 – P4.8 – Using 2 different business models and the Report Template, define the Companies' Policy on Backup and Disaster Recovery procedures.

Report Template: one row each for Business 1 and Business 2, with columns Backup Policy and Disaster Recovery Policy.
14 P4.9 - Policies and Procedures – Network Security and Policies
Every new employee signs an AUP agreement; even if they do not physically write it down, all companies with computers have them. The physical and software security on a network is designed to prevent almost all of the breaches that might happen. There are programs installed on most systems that help with this: Novell Client, IIS, IP addressing, login names and passwords, firewalls, virus checkers, proxy server software.

Just having the agreement is half the cure: staff can be fired for computer misuse, they signed the AUP; they can have their job changed, they signed the AUP; they can have privileges removed, they signed the AUP.

Setting user levels also benefits the network security, setting protocols and rights of access. And then there is external security: SSL, remote access, restricted service access, limited external access to files, and more companies are moving across to cloud security for external files. At the end of the day, any company with more than 20 staff will have a network team that spends their days securing the network, finding new breaches, blocking new gaps, locking down new VPNs, updating banned logs and monitoring incoming, outgoing and internal network activity.

Click here, here and here for examples of how abusing Network Security and AUP policies can affect the reputation and finances of a company.

Task 9 – P4.9 – Using 2 different business models and the Report Template, define the Companies' Policy on Network Security and Policy procedures.

Report Template: one row each for Business 1 and Business 2, with columns Network Security and AUP Policy.
15 P4.10 - Policies and Procedures –Physical Controls
Just as policies are in place, computers are locked, windows are protected and software is secured, then someone steals the box. Laptops, tablets, phones, memory sticks, portable hard drives, keyboards, mice and even the cables that connect them are at risk. Physical controls vary from company to company depending on the threat and the expense. A school would have locks on the doors, locks on the back of the computer and perhaps smoke alarms and movement sensors in the room. But this is not enough to stop theft or damage, and for every computer missing or machine down due to partial or complete damage there is a loss of business function. So we lock the windows, close the curtains, secure the rooms so no one is in there without staff presence, use security pen marking and infrared marking, and check each room after the lesson is done. But there are still things missing: mice, keyboards, cables unplugged etc.

In larger companies the physical controls also include card swipes, keypad security, fingerprint logins, laptop locks, video cameras, grilles, screen protectors, guards, dogs and RFID tracking. Some companies even put silent alarms on the doors that destroy hardware that is removed from the room, as banks do with cash.

At the end of the day, physical prevention and being seen to be preventing is a good deterrent, specifically against opportunist thieves.

Click here, here and here for examples of how abusing Physical Controls can affect the reputation and finances of a company.

Task 10 – P4.10 – Using 2 different business models and the Report Template, define the Companies' Policy on Physical Controls procedures.

Report Template: one row each for Business 1 and Business 2, with the column Physical Controls.
16 P4.11 - Policies and Procedures –Asset Management
IT asset management is an important part of any business strategy. It usually involves gathering hardware and software inventory information which is then used to make decisions about hardware and software purchases. IT inventory management helps a company manage its systems more effectively and saves time and money by avoiding unnecessary asset purchases and promoting the better use of existing resources. Businesses that develop and maintain an effective IT asset management programme further reduce the incremental risks and related costs of advancing IT demands on projects based on old, incomplete and/or less accurate information.

Hardware asset management is the management of the physical components of computers and computer networks, from acquisition through disposal. Common business practices include request and approval processes, procurement management, life-cycle management, redeployment and disposal management.

Think of it as replacing broken stuff before it is broken, ordering paper before the paper runs out, replacing IT equipment every 3 years, MOT-ing current hardware, hot-swapping, cascading, and finding new tools for old jobs. Think bathroom, think toilet paper, think Andrex Puppy.

Click here, here and here for examples of how abusing Asset Management can affect the reputation and finances of a company.

Task 11 – P4.11 – Using 2 different business models and the Report Template, define the Companies' Policy on Asset Management procedures.

Report Template: one row each for Business 1 and Business 2, with the column Asset Management.
17 P4.12 - Policies and Procedures – User Responsibility
User Responsibility – The AUP policy lays down the rules, but these are ethereal: no frivolous emails, but what is frivolous? No internet searching, but what if it is necessary; how much time should be spent finding the right information, and what if the link goes somewhere it should not; what about pop-ups? And printing: single-sided or double, colour or B&W?

Self-control is a big issue in business: the water-cooler philosophy, how much down time can a member of staff take advantage of to alleviate stress? Personal responsibility is something that is ingrained into staff in most companies: the love of the job, the devotion to the employer. Happy staff make productive staff. Good internet, email and file etiquette is hammered home, but it is still something that is specific to the task. If it was the last page in the printer, would you go out of your way to put more paper in?

And at what point is it not your job? If a mouse is unplugged, should you plug it back in? And tomorrow, and the next day, and every time a certain person walks past your desk? Should you replace the toner cartridge, should you click on the repair button in Windows, should you delete files on a shared drive just because you can?

This may all seem trivial, but the self-responsibility issue in companies can affect productivity, morale, personal space, and can affect customer care.

Click here and here for examples of how abusing User Responsibility can affect the reputation and finances of a company.
18 P4.12 - Policies and Procedures – Issue Reporting
Issue Reporting – Most intranets have a link on them to report a network issue, but all networks have software for recording their own issues. Tracking through network logs, web logs, email logs etc. and linking this through the portal allows a network manager to allocate resources and staff to repairs as they happen. For instance, a printer log will tell the system when the cartridge is running low or paper is running out; a linked version will then order a replacement. Similarly, a web log records activity, looks at patterns, checks visited sites for issues and puts into place protocols that block or cache them.

Staff reporting of issues pre-empts this, reducing the need to wait for a fault report and allowing a quicker turnover of repairs. Good business practice is to take advantage of both of these, personal and log, in order to reduce downtime, improve efficiency and alleviate staff stress.

Click here and here for examples of how abusing Issue Reporting can affect the reputation and finances of a company.

Task 12 – P4.12 – Using 2 different business models and the Report Template, define the Companies' Policy on User Responsibility and Issue Reporting procedures.

Report Template: one row each for Business 1 and Business 2, with columns User responsibility and Issue reporting.
19 D1.1 - Policies and Procedures – Recommendations
For your two companies you will need to make recommendations for the improvements of their policies. Each policy has something that could be made more secure, either relate to their contract of employment or to their hiring, user or

Recommend modifications to policies and guidelines for managing organisational IT security issues.

Task 13 – D1.1 – Using 2 different business models and the Report Template, recommend modifications to policies and guidelines for managing organisational IT security issues.

Report Template: one row each for Business 1 and Business 2, with a recommendation against each policy area: Guidelines on User names, Guidelines on Passwords, Ineffective use of emails, Malicious use of emails, Cyber bullying, Activity Tracking, Access Privileges, Backup Policy, Disaster Recovery Policy, Network Security, AUP Policy, Physical Controls, Assets Management, User responsibility, Issue reporting.
20 P5.1 - Employment Contracts
All employees have an employment contract with their employer. A contract is an agreement that sets out an employee's:
- employment conditions
- rights
- responsibilities
- duties

These are called the 'terms' of the contract. Employees and employers must stick to a contract until it ends (e.g. by an employer or employee giving notice or an employee being dismissed) or until the terms are changed (usually by agreement between the employee and employer). If a person has an agreement to do some work for someone (like paint their house), this isn't an employment contract but a 'contract to provide services'.

Accepting a contract - As soon as someone accepts a job offer they have a contract with their employer. An employment contract doesn't have to be written down.

Contract terms - The legal parts of a contract are known as 'terms'. An employer should make clear which parts of a contract are legally binding. Contract terms could be:
- in a written contract, or a similar document like a written statement of employment
- verbally agreed
- in an employee handbook or on a company notice board
- in an offer letter from the employer
21 P5.1 - Employment Contracts
Implied terms – These are terms that are automatically part of a contract even if they're not written down. Examples of an implied term include:
- employees not stealing from their employer
- your employer providing a safe and secure working environment
- a legal requirement like the right to a minimum of 5.6 weeks' paid holiday
- something necessary to do the job, like a driver having a valid licence
- something that's been done regularly in a company over a long time, like paying a Christmas bonus

If there's nothing clearly agreed between you and your employer about a particular issue, it may be covered by an implied term.

Collective agreements - An employer may have an agreement with employees' representatives (from trade unions or staff associations) that allows negotiation of terms and conditions like pay or working hours. This is called a collective agreement. The terms of the agreement could include:
- how negotiations will be organised
- who will represent employees
- which employees are covered by the agreement
- which terms and conditions the agreement will cover

Written statement of employment particulars - An employer must give employees a 'written statement of employment particulars' if their employment contract lasts at least a month or more. This isn't an employment contract but will include the main conditions of employment.
22 P5.1 - Employment Contracts
The employer must provide the written statement within 2 months of the start of employment. If an employee works abroad for more than a month during their first 2 months' employment, the employer must give them the written statement before they leave.

What a written statement must include

A written statement can be made up of more than one document (if the employer gives employees different sections of their statement at different times). If this does happen, one of the documents (called the 'principal statement') must include as a minimum:
- the business's name
- the employee's name, job title or a description of work, and start date
- if a previous job counts towards a period of continuous employment, the date the period started
- how much and how often an employee will get paid
- hours of work (and whether employees will have to work Sundays, nights or overtime)
- holiday entitlement
- where an employee will be working and whether they might have to relocate
- if an employee works in different places, where these will be and what the employer's address is

As well as the principal statement, a written statement must also contain information about how long a temporary job is expected to last, the end date of a fixed-term contract, notice periods, collective agreements, pensions, who to go to with a grievance, how to complain about how a grievance is handled, and how to complain about a disciplinary or dismissal decision.

Task 14 – P5.1 – Describe in brief terms what a Contract of Employment is.
Unit 2 Computer Systems
ASSESSMENT DETAILS & GRADING CRITERIA
Set up a standalone computer system installing hardware and software components.
a computer system to meet user needs.
Test a configured computer system for functionality.
Undertake routine maintenance tasks on a standalone computer system.
Evaluate the performance of a computer system.
Explain and justify improvements that could be made to a computer system.
298391555.doc Written By: ‘Kemi Ajose
Verified By: Jude L!ni