Data security is about keeping data safe.

Many individuals, small businesses and major companies rely heavily on their computer systems.
If the data on these computer systems is damaged, lost, or stolen, it can lead to
disaster.
Key threats to data security
Data may get:

- lost or damaged during a system crash - especially one affecting the hard disk
- corrupted as a result of faulty disks, disk drives, or power failures
- lost by accidentally deleting or overwriting files
- lost or become corrupted by computer viruses
- hacked into by unauthorized users and deleted or altered
- destroyed by natural disasters, acts of terrorism, or war
- deleted or altered by employees wishing to make money or take revenge on their employer

There are four main threats to the security of data:

Accidental Damage

Data stored on magnetic media such as disks or tapes can easily be damaged by poor storage, dirt, heat or magnetic fields generated by televisions or loudspeakers.
Computer equipment can be damaged by acts of nature such as fire or floods.
People using a computer system can easily delete the wrong file from a disk or the wrong record from a database by selecting the wrong option in a software package.

Data Theft

Important data such as a list of a company's customers or information
about how products are produced could
be stolen and sold. Often such data is
stolen by employees of the company who
have legitimate access to the data.
Disgruntled employees can also
sometimes destroy or change important
data.

Hacking

Sometimes (but not very often) computer "hackers" deliberately gain
unauthorised entry to computer systems.
They can delete files or change the data
stored in them. Hacking is an offence
under the Computer Misuse Act 1990.

Computer Viruses

Computer viruses can deliberately delete or damage data stored on a computer.

Contact the teacher: 03215275281

Security Measures to Reduce the Risks


Sensible companies and organisations take appropriate measures to ensure that the
data they store remains secure. The most appropriate measures to use will depend
on:

- How important the data is.
- How confidential the data is.
- How likely it is that someone will want to steal, change or destroy the data.

If the stored data relates to identifiable individuals then a company must keep data
secure to comply with the Data Protection Act.
Some of the more common measures used to ensure data security are described
below.

Physical protection
As you have seen, there are many different ways that you or a business can lose
valuable data. With a little bit of planning and thought however, the risks can be
reduced or even eliminated.
There are many things you can do to make your equipment more secure:
- Lock the room when not in use
- Use swipe cards or keypads to activate locks
- Bolt computers to the desk
- Use special pens to mark your postcode onto the computer case
- Keep windows shut - especially if on the ground floor. Use bars.
- CCTV video cameras
- In large firms, security guards

Note: in an exam, you would generally only give one example from the list above and then go on
to discuss the other methods. Unless specifically asked to discuss physical security, don't just list
the points from this section.
Safe Storage of Data
Important data should be stored safely. Good quality disks or tapes should be used.
These should be kept in a dust-free environment that is not too hot and is nowhere
near any magnetic fields. Often important data is kept in fireproof, waterproof
safes.
Limiting Physical Access to Computers
Access to a computer system can be limited by keeping the system in a locked
room. Unauthorised people should not be able to access the computers. This would
not however stop an employee who had the authority to access the computer room
from causing deliberate or accidental damage or stealing important data.
A further limitation of this solution is that it is not always possible to limit access to
a computer system physically. Some systems, such as the Automatic Teller
Machines (ATMs) used by banks to dispense money have to be available for the
public to use. Also, many computers are connected to networks and can be
accessed from other computers on the network.

Biometrics means to measure and analyse some human characteristic in order to
correctly identify an individual. Examples of physical characteristics which can be
used are:

fingerprints
voice patterns
retinas or irises
facial patterns
palm prints

The use of biometrics is becoming more commonplace as the techniques are refined
and become more reliable.

Many businesses now use biometrics as a method of allowing access to buildings and
information held on computer systems.
Governments such as the UK are including biometric identifiers in passports.

To use biometrics an organisation needs:

- A reader or scanning device that takes a biometric reading from a person.
- Software that can convert the scanned information into digital format for the computer to use. This computer identifies the 'match points' from the digital information.
- Once the match points have been identified the data is compared to all of the records held in the company biometric database. If a matching record is found the individual can be positively identified.

Biometric identification is believed to be more secure than many other methods
because the physical characteristics are unique to every individual and cannot be
easily lost, stolen or copied.
However, biometric systems are far from being foolproof. Most systems have
significant false accept and false reject rates. This may be one reason why they
are not yet as widely available as a physical method of security as many other
more conventional methods.
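The false accept and false reject rates mentioned above depend on how strict the match threshold is. The following is an added example, not part of the original notes; the scores are constructed and the function names are hypothetical.

```python
# Constructed match scores (0-100); higher means the scan looks more like the
# enrolled record. These are illustrative values, not measurements.
GENUINE_SCORES = [91, 88, 95, 72, 85, 64, 90, 79, 93, 87]    # the right person
IMPOSTOR_SCORES = [35, 52, 41, 68, 30, 74, 45, 58, 22, 61]   # someone else


def error_rates(genuine, impostor, threshold):
    """Return (false_accept_rate, false_reject_rate) at a match threshold.

    A scan is accepted when its score is >= threshold.
    """
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine, impostor, thresholds):
    """Return [(threshold, FAR, FRR), ...] to show the trade-off."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def balanced_threshold(genuine, impostor, thresholds):
    """Pick the threshold where the two error rates are closest to each other."""
    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)


if __name__ == "__main__":
    steps = range(50, 100, 10)
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, steps):
        print(f"threshold {t}: false accepts {far:.0%}, false rejects {frr:.0%}")
    print("balanced threshold:",
          balanced_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, steps))
```

Raising the threshold lets fewer wrong people in but turns away more of the right people, so neither error rate can be driven to zero without raising the other.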

Software protection
Firewall
A firewall is a program or hardware device that filters the information coming
through the Internet connection into your personal computer or into a company's
network.
It is set up to allow mainly one way access, i.e. you can go out onto the Internet
and access pages, but it checks everything coming back against a set of rules. If
the data coming back is from an unauthorised source, then it is blocked.
You may have heard people saying, 'I can't get on that site at school because it's
been blocked'; that is the firewall in action.
User Name and Password Security Systems

If a password system is in use then before you can access a computer system you
must enter a valid user name and password. The process of entering this
information and being granted (or refused) access to a computer is known
as logging on.
Passwords can be guessed or "cracked" and so the success of these systems
depends upon users choosing passwords wisely and keeping them secret. Following
a simple set of guidelines like these will help make a passworded system more
secure:
- Change your password regularly.
- Make your password at least eight characters long.
- Do not write down your password or tell it to anyone else.
- Do not use proper words or phrases - these can be found using a dictionary cracker.
- Use a mixture of upper and lower case letters and numbers.

Attempting to guess a password to gain unauthorised entrance to a computer
system is an offence under the Computer Misuse Act 1990.
As with limiting physical access to a computer system, the use of a password
system will not prevent authorised users such as employees from damaging or
stealing data.
Often the user name that you log on to a computer system with will determine
which files you can access. A user should only be given access to files that he or
she needs to use. Limiting the files that a user can access will limit the amount of
damage that he or she might do either deliberately or accidentally.
Proxy servers
A proxy server is a dedicated computer or a software system running on a
computer that acts as an intermediary between an endpoint device, such as a
computer, and another server from which a user or client is requesting a service.
The proxy server may exist in the same machine as a firewall server or it may be
on a separate server, which forwards requests through the firewall.

Logs/audit log files


One effective way of deterring authorised users from damaging or stealing data
from a computer system is to get the system to keep logs of all of the actions that
each user carries out. A log must be used together with a user name and password
system.
All of the actions that a user carries out are stored together with their user name in
a log. If data is deleted, copied or changed the computer system manager can
identify the person responsible by examining the logs. Here is part of a log:
System Log 1/1/1997

User    Time              Action
Zain    12:00 1/1/1997    log on
ali     12:02 1/1/1997    delete file "january accounts"
umais   12:05 1/1/1997    copy file "employee addresses"
ahmed   12:10 1/1/1997    check email

If users know that their actions are being monitored then they are less likely to
deliberately damage or steal data. Logs can also be used to help trace any
accidental damage to data. A log cannot stop a person from damaging or stealing
data but it can help identify the culprits. Most hackers will try to turn off any log
keeping software when they break into a computer.
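How a system manager might examine such a log to find who deleted, copied or changed a file is sketched below. This is an added example, not part of the original notes; it assumes each entry is one line of text in the order user, time, date, action, and the function names are hypothetical.

```python
import re
from datetime import datetime

# The four entries from the log above, one per line: user, time, date, action.
SAMPLE_LOG = """\
Zain 12:00 1/1/1997 log on
ali 12:02 1/1/1997 delete file "january accounts"
umais 12:05 1/1/1997 copy file "employee addresses"
ahmed 12:10 1/1/1997 check email
"""

ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<time>\d{1,2}:\d{2})\s+"
    r"(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+(?P<action>.+)$")
# Actions a manager would look for: data deleted, copied or changed.
FILE_ACTION_RE = re.compile(r'^(?P<verb>delete|copy|change) file "(?P<name>[^"]+)"$')


def parse_log(text):
    """Turn log text into a list of dicts; reject lines that do not fit the format."""
    entries = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        match = ENTRY_RE.match(line.strip())
        if match is None:
            raise ValueError(f"line {number} is not a valid log entry: {line!r}")
        when = datetime.strptime(f"{match['date']} {match['time']}", "%d/%m/%Y %H:%M")
        entries.append({"user": match["user"], "when": when, "action": match["action"]})
    return entries


def file_actions(entries):
    """Return (user, verb, file name, time) for each delete/copy/change of a file."""
    found = []
    for entry in entries:
        match = FILE_ACTION_RE.match(entry["action"])
        if match:
            found.append((entry["user"], match["verb"], match["name"], entry["when"]))
    return found


def who_touched(entries, file_name):
    """Return the (user, verb) pairs recorded against one file, oldest first."""
    hits = [a for a in file_actions(entries) if a[2] == file_name]
    return [(user, verb) for user, verb, _, _ in sorted(hits, key=lambda a: a[3])]


if __name__ == "__main__":
    for user, verb, name, when in file_actions(parse_log(SAMPLE_LOG)):
        print(f"{when:%H:%M} {user} {verb} {name!r}")
```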

Encryption
Encryption is the process of putting a file or document into a coded form. If a file
has been encrypted then, unless you know the code used to encrypt the file,
you will not be able to use its contents. Even if someone manages to steal an
important file, if it has been encrypted, he is unlikely to be able to make use of it.

Backups
Whatever measures are implemented to try and avoid data being deleted or
changed, it is impossible to guarantee that this will not happen. Therefore it is vital
that extra copies are made of important data. For important data a regular backup
procedure should be implemented.
Backups should be kept away from the computer room so that they will not be
damaged by fires / floods etc. There is no point in keeping a backup if it is likely to
get damaged when the original data gets damaged.
The type of backup that is kept usually depends on the type of processing being
carried out:

- Batch Processing systems use the Grandfather-Father-Son or Ancestral backup system.
- With Transaction Processing systems a regular backup of the master file is made. As transactions are carried out, details of each transaction are stored in a transaction log file. If the master file becomes corrupted the latest backup master file and the transaction log file can be used to recreate it.
- In Real-Time systems there is often little point in keeping backups of data. However, much backup hardware is used to reduce the likelihood of the system failing. Sometimes backing up data to disk can be useful in real-time systems. Although this data could not be used to put the system back into its proper state, it could be used to analyse why a system failed, e.g. an aeroplane "black box".
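The recovery described for Transaction Processing systems, worked through as an added example that is not part of the original notes. It assumes the master file is a dictionary of records and that every logged transaction carries a sequence number; the record layout and function names are hypothetical.

```python
import copy


def apply_transaction(master, txn):
    """Apply one logged transaction to the master file (a dict keyed by record id)."""
    kind, key = txn["type"], txn["key"]
    if kind == "insert":
        master[key] = dict(txn["fields"])
    elif kind == "update":
        master[key].update(txn["fields"])
    elif kind == "delete":
        del master[key]
    else:
        raise ValueError(f"unknown transaction type: {kind!r}")


def take_backup(master, last_seq):
    """Copy the master file and note the last transaction it already contains."""
    return {"last_seq": last_seq, "records": copy.deepcopy(master)}


def recreate_master(backup, transaction_log):
    """Rebuild the master file from the latest backup plus the transaction log.

    Transactions at or before backup["last_seq"] are already in the backup,
    so replaying them would apply them twice; they are skipped.
    """
    master = copy.deepcopy(backup["records"])
    for txn in sorted(transaction_log, key=lambda t: t["seq"]):
        if txn["seq"] > backup["last_seq"]:
            apply_transaction(master, txn)
    return master


def demo():
    """Constructed scenario: back up after transaction 2, lose the master after 4."""
    log = [
        {"seq": 1, "type": "insert", "key": "A100", "fields": {"name": "Zain", "balance": 50}},
        {"seq": 2, "type": "insert", "key": "A101", "fields": {"name": "Ali", "balance": 20}},
        {"seq": 3, "type": "update", "key": "A100", "fields": {"balance": 75}},
        {"seq": 4, "type": "delete", "key": "A101"},
    ]
    master, backup = {}, None
    for txn in log:
        apply_transaction(master, txn)
        if txn["seq"] == 2:
            backup = take_backup(master, last_seq=2)
    expected = copy.deepcopy(master)   # state just before the "corruption"
    master.clear()                     # simulate the master file being lost
    return recreate_master(backup, log), expected
```

The recovery only works if the transaction log is stored separately from the master file, so that one failure does not destroy both.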

Virus Checking
Viruses can get onto a computer from infected floppy disks, over a network or over
the Internet. Virus checking software can be installed on a computer to examine all
the files that are accessed, checking them for viruses. If a virus is found the virus
checker will attempt to remove it. The virus checker may not however be able to
recover any data that has already been damaged by the virus.
Disaster Recovery Plans
No matter how secure you attempt to make computer systems and data, things will
always go wrong. Any sensible computer department will have a disaster recovery
plan. This will detail the procedures that should be followed to minimise any further
damage once a disaster has occurred. It will also include the procedure which will
be used to attempt to repair or restore as much of the system as is possible.

SSL
SSL stands for 'Secure Socket Layer'. It is a web browser security technology.
SSL is built into a web browser. SSL allows confidential data to safely pass from
your web browser to a distant server via the Internet. The confidential data is
'encrypted' or scrambled so that only the server can read it.

For example, e-commerce shops use SSL to keep your credit card details secret.
You can tell when SSL is being used as a small padlock appears on the bottom right
of the browser window. If you click on the padlock, a 'certificate' window appears
that confirms you are connected to the real server and not a fake one.

Keeping data secure

Measures that can be taken to keep data secure include:

- making regular backups of files (backup copies should be stored in fireproof safes or in another building)
- protecting yourself against viruses by running anti-virus software
- using a system of passwords so that access to data is restricted
- safe storage of important files stored on removable disks, eg locked away in a fireproof and waterproof safe
- allowing only authorised staff into certain computer areas, eg by controlling entry to these areas by means of ID cards or magnetic swipe cards
- always logging off or turning terminals off and if possible locking them
- avoiding accidental deletion of files by write-protecting disks
- using data encryption techniques to code data so that it makes no apparent sense
Online banking
When you bank online, after you've logged in, you will notice that the http in the
address bar has changed to https. This indicates that a secure connection between your
computer and the bank's computer has been established. Data sent between the two
computers is encrypted so that anyone trying to intercept your data will receive
meaningless data. The data can only be decrypted into readable data by using a key
that is known only to the two computers - yours and the bank's.

Question
In a local doctor's surgery, data about the patients is stored in a database on
a computer.
Consider two physical precautions that should be taken to keep the data
secure.

Answer
1. keep the computer area secure
2. keep backups in a safe place
Examiner's comment
The key word is physical - the question is asking for the physical precautions you can take to protect
data. Keeping the computer area secure and keeping backups in a safe place are both physical
precautions. Swipe card entry, locking terminals or controlling access to computer areas would also have
been good answers.

Question
The doctor needs to see all the information about patients. The receptionist
only needs to see some of the information.
Describe one way in which software could restrict access to patient
information.

Answer
Make it so users must enter a password to gain access to certain areas of
the database.
Examiner's comment

The question is looking for detail about different types of access for different users. This answer clearly
highlights the need for having passwords for different levels of access.
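
Different levels of access for the doctor and the receptionist, and the earlier point that the user name you log on with determines what you can access, can be shown in code. This is an added example, not part of the original notes; it assumes the user has already logged on with a valid password, and the user names, field names and sample record are hypothetical.

```python
# Hypothetical user names, access levels and field lists, invented for this example.
USER_ROLES = {"dr_khan": "doctor", "front_desk": "receptionist"}
ROLE_FIELDS = {
    "doctor": {"name", "address", "phone", "next_appointment",
               "medical_history", "prescriptions"},
    "receptionist": {"name", "address", "phone", "next_appointment"},
}
# Constructed sample record.
PATIENTS = {
    101: {"name": "A. Patient", "address": "1 High Street", "phone": "555-0100",
          "next_appointment": "12 March", "medical_history": "asthma",
          "prescriptions": "inhaler"},
}


class AccessDenied(Exception):
    """Raised when a user asks for something their access level does not allow."""


def allowed_fields(user_name):
    """Look up the fields a logged-on user may use; unknown users get nothing."""
    role = USER_ROLES.get(user_name)
    if role is None:
        raise AccessDenied(f"{user_name!r} is not a known user")
    return ROLE_FIELDS[role]


def view_patient(user_name, patient_id):
    """Return only the parts of the record this user's access level covers."""
    fields = allowed_fields(user_name)
    record = PATIENTS[patient_id]
    return {name: value for name, value in record.items() if name in fields}


def update_patient(user_name, patient_id, field, value):
    """Change one field, refusing fields outside the user's access level."""
    if field not in allowed_fields(user_name):
        raise AccessDenied(f"{user_name!r} may not change {field!r}")
    PATIENTS[patient_id][field] = value
```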
