13.6 Legal Aspects
www.ICT-Teacher.com

Objectives
Corporate IT Security Policy: Understand the need for a corporate information system security policy and the role it would fill within an organisation. Factors could include prevention of misuse, detection, investigation, procedures, staff responsibilities, disciplinary procedures. Describe the content of a corporate information system security policy. Describe methods of improving awareness of the security policy within an organisation, cross-referencing to training and standards.

Objectives
Disaster recovery management: Describe the various potential threats to information systems, e.g. physical security; document security; personnel security; hardware security; communications security; software security. Understand the concept of risk analysis. Understand the commercial need to ensure that an information system is protected from threat. Describe a range of contingency plans to recover from disasters and relate these to identified threats. Describe the criteria used to select a contingency plan appropriate to the scale of an organisation and installation.

Corporate IT Security
Dependency on IT means the integrity and the safety of the information kept are highly important. Threats to security fall into two categories: accidental and deliberate loss or damage. Accidental: human error and natural disasters. Deliberate: fraud, sabotage, arson and spying. Threats to security come from within and from outside the organisation. A Corporate IT Security Policy should be wide-ranging enough to cover all eventualities.

IT Policy Statement
A statement covering the use of computers, which users are to read and sign their agreement to. Organisations may run training courses for new employees who use computers. Courses cover the main Acts regarding the use of computers in organisations. IT security is implemented as a cornerstone of the organisation's management.

Prevention of Misuse
Not allowing users access to the operating system and its settings. Not allowing key files to be deleted. Allowing restricted use of the Internet, including filtering and firewalls. Not allowing everyone access to the Internet and e-mail. Users need a user name and a password. Users have access only to the files they normally use in the course of their work.

Detection
Audit trails to discover where misuse has taken place and to identify the employee. Specialist software that will identify an unusual request or unusual use and will flag a message to the security manager. Software that allows the security manager to see who is working and who is playing. A log of access can be saved to build a record of use about employees.

Investigation
Use of software to investigate and gather evidence against a misuser of the system. It is important to have proper evidence against someone accused, to ensure fair treatment and keep good industrial relations. In serious cases of misuse the employee could be disciplined or dismissed, and in very serious cases the police involved.

Procedures
User code of practice. Prevention of access to files when not working on them. Rotation of duties: staff have a variety of duties that change regularly, so no one person holds the same access indefinitely.

Staff Responsibility
The organisation has many legal responsibilities, as well as being responsible for its staff. Staff acting irresponsibly or illegally can affect the organisation, leaving it liable in law. Staff themselves have many legal responsibilities. The organisation needs to ensure that none of its staff are doing anything illegal.

Disciplinary Procedures
Procedures will be known by staff when they sign the IT Policy agreement. For less serious misuse a spoken warning may be used first, followed by a written warning on a second occasion, followed by dismissal on a third occasion. Very serious misuse, fraud, etc., may be followed up with a police investigation.

Contents of an IT Security Policy
The need for a security policy, and the nature of the files and data the organisation uses. Policy objectives: keeping to the laws of the country, a framework for access to data and against unauthorised use, and appropriate action against offenders. Scope of the policy, including contingency plans and disaster recovery. Responsibility for security, covering both managers and staff. Implementation: how the policy will ensure security in practice.

Implementation
Organisational and Procedural Security:
Classification of data, confidential or free; system development by a team of workers; recovery procedures in case of any failure; disaster recovery and backup of files and data; upgradability in the event of hardware/software changes; legal procedures in line with the laws; personnel controls so that no one person has access to and control of everything.

Implementation
Physical Security:
From unauthorised access, accidental and deliberate damage, human and natural disasters; Restricted access to computers, to offices, to buildings; Use of equipment for organisational purposes; Security of data, maintenance of equipment, unattended use, fire prevention and detection, disposal of printed information.

Implementation
Logical Security:
Access controls to data and programs through user identity, user passwords, terminal controls, and following up where access was denied.
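The Detection slide above describes audit trails, software that flags unusual requests to the security manager, and a record of use per employee; the Logical Security slide adds following up where access was denied. The script below is an added illustration of those checks and is not part of the original slides: the audit-trail line format, the per-employee "normal files" table and the working hours are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit trail (assumed format, not from the slides): one access per line.
AUDIT_TRAIL = """\
2024-03-04 09:12:31 user=alice file=/sales/orders.csv action=read result=allowed
2024-03-04 09:40:02 user=alice file=/sales/orders.csv action=write result=allowed
2024-03-04 10:05:17 user=bob file=/payroll/salaries.xls action=read result=denied
2024-03-04 10:05:49 user=bob file=/payroll/salaries.xls action=read result=denied
2024-03-04 13:22:08 user=carol file=/payroll/salaries.xls action=read result=allowed
2024-03-04 22:47:55 user=alice file=/payroll/salaries.xls action=read result=allowed
"""

# Assumed baseline: the files each employee normally uses in the course of their work.
NORMAL_FILES = {
    "alice": {"/sales/orders.csv"},
    "bob": {"/warehouse/stock.csv"},
    "carol": {"/payroll/salaries.xls"},
}
WORKING_HOURS = range(8, 18)  # assumed 08:00 to 17:59

LINE_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+) user=(?P<user>\S+) file=(?P<file>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)"
)

def parse_trail(text):
    """Parse the audit trail into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def flag_unusual_use(records, normal_files=NORMAL_FILES):
    """Return {user: [reasons]} for every record the security manager should look at:
    denied access (to follow up), a file outside the user's normal set, or out-of-hours use."""
    alerts = defaultdict(list)
    for r in records:
        hour = int(r["time"].split(":")[0])
        if r["result"] == "denied":
            alerts[r["user"]].append(f"access denied to {r['file']} (follow up)")
        elif r["file"] not in normal_files.get(r["user"], set()):
            alerts[r["user"]].append(f"unusual file {r['file']}")
        if hour not in WORKING_HOURS:
            alerts[r["user"]].append(f"out-of-hours use at {r['time']}")
    return dict(alerts)

def usage_record(records):
    """Per-employee count of allowed accesses: the 'record of use' the slides mention."""
    counts = defaultdict(int)
    for r in records:
        if r["result"] == "allowed":
            counts[r["user"]] += 1
    return dict(counts)
```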

Network Security:
Again access controls, this time against hacking and tapping of communication lines.

Data and Program Integrity:
Accuracy, up-to-dateness and completeness of data; prevention of unauthorised copying of programs and data.

Disaster Recovery Management
Knowing and managing: what possible threats there are to the system, the chances of them happening, and the measures put in place to minimise these chances.

Sources of threat are both internal and external. A plan is kept in force to recover and return to normal operations in the event of systems failure.

The Threats
Viruses, hacking, fraud, theft, sabotage, blackmail, espionage, terrorism, vandalism, fire, flood, earthquake, power failure, gas leaks, machine breakdown, communications cut, cabling failure, software crash, software failure.

The Plan
To ensure operations continue to run after the following disasters:
Loss of computer equipment, loss of services, loss of employees, loss of support services, loss of communications, loss of data and programs.

Contingency Plan
A contingency plan is about ensuring the managers of an organisation know what to do in the event of a disaster. Loss of the IT system could mean the organisation or business collapses. Downtime is the time an organisation is running without its IT system; the shorter the downtime, the greater the chance of full recovery after a failure.

Back Up
Regular backup copies of data files and software. Backup copies are to be tested on different computers to see if they work. These copies must be kept in an area secure from fire, flood and theft, and can be kept at a different site. A plan of duties for staff to implement the programme of recovery.
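The slide says backup copies are to be tested on different computers to see if they work. The following added example (not part of the original slides) shows what such a test looks like in practice: it backs up a constructed set of files with a checksum manifest, restores them to a separate location standing in for the other computer, and reports any file whose restored content does not match. The directory names and file contents are invented for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    """Checksum a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir and return a checksum manifest."""
    shutil.copytree(src_dir, backup_dir, dirs_exist_ok=True)
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            p = os.path.join(root, name)
            manifest[os.path.relpath(p, src_dir)] = sha256_of(p)
    return manifest

def verify_restore(backup_dir, restore_dir, manifest):
    """Restore the backup into restore_dir (the 'different computer') and list every
    file that is missing or whose content differs from the manifest taken at backup time."""
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    bad = []
    for rel, digest in manifest.items():
        p = os.path.join(restore_dir, rel)
        if not os.path.isfile(p) or sha256_of(p) != digest:
            bad.append(rel)
    return bad

def demo():
    """Constructed run: back up two files, then damage one backup copy and show the test catches it."""
    base = tempfile.mkdtemp()
    src, bak, rst = (os.path.join(base, d) for d in ("live", "backup", "restore"))
    os.makedirs(os.path.join(src, "accounts"))
    with open(os.path.join(src, "accounts", "ledger.csv"), "w") as f:
        f.write("invoice,amount\n1001,250.00\n")
    with open(os.path.join(src, "orders.txt"), "w") as f:
        f.write("order 42 shipped\n")
    manifest = make_backup(src, bak)
    clean = verify_restore(bak, rst, manifest)  # a good backup restores with no mismatches
    with open(os.path.join(bak, "orders.txt"), "a") as f:  # simulate a damaged backup medium
        f.write("corrupted\n")
    damaged = verify_restore(bak, os.path.join(base, "restore2"), manifest)
    shutil.rmtree(base)
    return clean, damaged
```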

Risk Analysis
Employees need to be aware of the security threats and the consequences of systems failure. Managers to be aware of the value of the resources, the possible risks, and chances of their occurrence.

Consequences
Cash flow suffers as bills are not processed. Uninformed decisions are made due to loss of the MIS. Customers go to competitors and suppliers' goodwill is lost. Production and services are disrupted and late. No proper stock control, leaving too little or too much stock.

Physical Security
Protection of computers and software by secure areas, restricting access to the equipment. Secure buildings with authorised access only; if the building is breached, the computers are locked in rooms. Access to rooms is gained by passes or keys. Access to computers is gained by unlocking them.

Security
Security by only allowing certain staff access, by user identities and individual passwords. Certain files are read-only for some staff. Staff use a smart card to use the keyboard. Documents and printouts are locked away, and shredded when finished with. Communication channels are encrypted.