Wednesday, April 23, 2008

5.6 Security and Legal Issues within a management information system

By the end of this section you should be able to describe:
- The threats to a company’s information systems
- The need for a security policy and what it contains
- The measures in place to avoid or minimise the impact of disasters
- The laws that relate to ICT and their implications for companies and society.

5.6.2 Threats to an organisation
There are several types of threats to an organisation’s data, including the following:
- Events completely out of an organisation’s control, such as natural disaster, fire, war or terrorism
- Events which will happen, but whose frequency can be controlled, such as operator error, faulty software or hardware failure
- Threats from the internet, such as hackers, viruses and ‘Trojan horse’ programs.
- Insecure communication channels e.g. intercepted phone calls, e-mails or letters (from within a company’s own post room) or employees removing secure data.
- Unauthorised access to premises including break-ins or imposters e.g. thieves posing as workmen and stealing property or data.
- Ex-employees who access company systems from the outside world to cause damage.

The impact of these threats can be minimised if managed properly. That’s why businesses should consider a proper security policy.

5.6.3 Security Policies
A security policy is a set of documents outlining a company’s assessment of threats and proposed ways of dealing with them.

It is normally the final responsibility of a director of the firm to ensure this policy is implemented. A security policy is the most critical element of an ICT security programme as it defines how all other aspects of security will operate.

A good security policy should do the following:
- Assess Risks
This includes noting who has access to different types of data and the consequence of losing access to it, as well as the consequences of software failure and theft, either by physical or electronic means.

- Implement ‘layers’ of security
Many obstacles should be placed in the way of any person with malicious intent. These include physical security, access controls, secure communications, audit trails and usage monitoring, anti-virus software and personnel security.

- Educate Users
Many security problems result from human error and can be avoided by encouraging employees to act responsibly.

Layers of Security

Physical Security
Unwanted visitors can be prevented or deterred by methods such as:
- bars on windows, especially at ground level
- armed guards
- electrified fences
- walls topped with barbed wire
- visible security cameras

Access Controls
It is normal to have a system of user identities and passwords to restrict access. Some firms go further:
- A swipe card reader at each terminal, which recognises the door pass only of people authorised to use that machine.
- Disabling an employee’s user account when that person is not supposed to be at work, and forcing employees to log off during breaks.
- Preventing employees from accessing more than one terminal at a time.
- Password-protected screensavers which activate if an employee forgets to log off or is temporarily away from their desk.
- Disabling accounts that have had incorrect passwords entered on multiple attempts.
- Disabling the accounts of former employees.
- Biometric measures, such as fingerprint or iris recognition.

Passwords
Passwords should:
- be changed regularly. Many companies force employees to change passwords at set intervals and block network access to anyone ignoring this or trying to use an old password;
- contain numbers as well as letters;
- be held in an encoded file which can be decoded only by network software.

Access Rights determine the way in which users may access particular files or records.
Within a database, users may have the ability to view particular data (i.e. read access), modify it (edit access), create new files (write access) or, in the case of programs, run them (execute access).

Secure Communications
It is vital that communications are secure. For example, companies may insist that all internet communication is encrypted, which can prevent the actions of certain virus or Trojan horse programs. Without blocks on unauthorised programs, such programs could be used to send private data out of a company without the user realising what is happening.
The use of a firewall can also prevent access by hackers. A firewall makes a network or PC appear invisible to the outside world, and can also block unauthorised programs from sending or receiving data.

Audit Trails and Monitoring Usage
It is good practice for transactions to be monitored at all stages of processing. This benefits both company and customer: if anyone changes a record, a record is kept of who made the change and what they did.
An audit trail is generated by a system for the benefit of accountants. It allows them to follow all stages of all transactions easily. Public companies have to be able to give an account of all money and business in order to prevent fraud. All business documents, including e-mail, must be recorded for six years as part of this. Log files are generated each time a user logs on, accesses a record or changes a file. With the correct software, it is possible to monitor everything an employee does. While this is useful in accounting and certainly reduces wasted time, it may create fears of management ‘snooping’. Employees guilty of wrongdoing have little defence.
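As an added example (not part of the original notes), the controls listed under Access Controls, Passwords and Audit Trails above, implemented together in Python: passwords are held only as salted one-way hashes (hashing is used here in place of the reversible ‘encoding’ the notes describe), an account is locked once the wrong password has been entered MAX_FAILED_ATTEMPTS times (a constructed threshold; the notes only say ‘multiple attempts’), accounts of former employees are disabled, read/edit/write/execute access rights are checked, and every decision is written to an audit log recording who did what. All class, function and user names are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 3  # constructed threshold; the notes only say "multiple attempts"

@dataclass
class Account:
    salt: bytes
    digest: bytes            # salted PBKDF2 hash, never the password itself
    rights: set              # subset of {"read", "edit", "write", "execute"}
    failed_attempts: int = 0
    disabled: bool = False

def hash_password(password: str, salt: bytes) -> bytes:
    # One-way stored form: a copied password file cannot be turned back into passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccessControl:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []  # (event, user, ...) records of who did what

    def add_user(self, user, password, rights):
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt), set(rights))

    def disable(self, user):  # former employee, or not rostered to work today
        self.accounts[user].disabled = True
        self.audit_log.append(("disabled", user))

    def login(self, user, password) -> bool:
        acct = self.accounts.get(user)
        if acct is None or acct.disabled:
            self.audit_log.append(("login_rejected", user))
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            self.audit_log.append(("login_ok", user))
            return True
        acct.failed_attempts += 1
        acct.disabled = acct.failed_attempts >= MAX_FAILED_ATTEMPTS  # lock out repeat failures
        self.audit_log.append(("locked_out" if acct.disabled else "login_failed", user))
        return False

    def may(self, user, action) -> bool:  # access-rights check, recorded for the audit trail
        acct = self.accounts.get(user)
        allowed = acct is not None and not acct.disabled and action in acct.rights
        self.audit_log.append(("access", user, action, allowed))
        return allowed
```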

Anti-Virus Software
All PCs should have effective anti-virus software installed and regularly updated. Because modern viruses spread rapidly, an out-of-date virus checker is of little more use than one that is not installed at all. Many viruses spread as infected files attached to e-mails that trick users into opening them. Many viruses are targeted at security vulnerabilities in particular software, for example Microsoft Outlook and some versions of Microsoft Windows. For this reason, security updates to software must be installed as soon as they are available.

Personnel Security
Firms must be careful about who they employ, both to ensure they do not have an interest in rival firms, and to ensure that they are not potential hackers.

5.6.5 What determines a good ICT security policy?
A good ICT security policy:
- Has realistic aims, in relation to the purpose of the organisation.
- Identifies areas of responsibility for users, administrators and management. Everybody should be able to do their part without worrying about other people doing theirs.
- Provides clear and complete guidance to those involved in security incidents, which prevents foolish decisions being made as a result of people panicking.
- Defines how incidents will be handled. In addition to guidance given to people involved at the time, there should be a clear set of steps relating to further investigation, software modification, informing other people in the organisation and even the media.
- Is flexible and can be updated according to changes in technology or the organisation’s ‘mission’. As a result of technology changes, a security policy that was excellent 10 years ago may be inadequate today. For example, e-mail-borne viruses were unheard of ten years ago, as were hackers taking advantage of internet chat facilities. Any organisation that adopts new technologies or ways of working must evaluate the new risks.
- Is the responsibility of a senior member of the organisation because of the importance of security, though they may delegate certain roles.

One of the main factors in security breaches can be staff. A security policy should identify the roles and responsibilities of users and make provision for their education.
In this section, the policy should contain the following:
- Procedures for obtaining network access and deciding what data users may and may not access. Users should have access only to programs that they need. In some firms users might not have ‘full’ access to data until they have earned trust, working under direct supervision for a time.
- A statement of what is and is not acceptable for personal use of computer systems. Usage of the internet may be monitored to prevent illegal or immoral material being accessed from company machines.
- Procedures concerning passwords, including how often passwords are changed and procedures for dealing with those who do not treat their passwords responsibly.
- Procedures for using removable storage devices since these can introduce viruses or can be used to remove secure data.
- An identification of acceptable standards in the use of e-mail. For some firms e-mail is informal and can therefore cause problems.
- Restrictions on installing applications and hardware, because unauthorised installations may pose a risk to data or conflict with existing hardware.
- Procedures for remote access. If a user is granted remote access there will be tight controls, such as allowing only a company laptop to be used or installing approved security software on the employee’s own PC. Callback procedures should also be in place.
- Security awareness training to make users aware of the ‘hows’ and ‘whys’ of security.
- Discipline procedures. Every user must be thoroughly briefed on conduct that is not acceptable and should be aware of the consequences of ignoring this. In some companies, employees who ignore the issues listed above are given ‘final warnings’ or even sacked for their first offence.

Backup and Recovery Plans
Even with the best security policy in the world, mistakes will be made. For example, an unknown gap in security can be exposed by a hacker or human error. While it is possible to only focus on ‘big’ threats, smaller problems such as a user deleting a vital file by mistake should not be neglected. Procedures for backing up data in a safe place, and for recovering it when necessary, are vital.

A backup and recovery policy, written as a self-contained section of the security policy, will ensure that all data can easily be recovered in the event of catastrophe.

A backup and recovery plan should:
- Ensure all files are backed up at specified, frequent intervals;
- State how long backups are to be held;
- State how and where files will be backed up;
- State how files will be restored, for example:
1. In the event of human error, by restoring only selected files;
2. In the event of electronic attack, by identifying and restoring affected files;
3. In the event of catastrophe, by relocating personnel and restoring data to servers at the new premises.

5.6.6 The law and ICT
There are three main laws governing the use of ICT.

1. The Data Protection Act 1998
The Data Protection Act governs the use of personal data. It defines the:
- Rights of data subjects (people whose data is stored);
- Responsibilities of data users (people who store and use the data).

Under the Data Protection Act, organisations using personal data are required to register with the Information Commissioner and state who they are, what data will be held and what it will be used for. There are a number of exceptions, including data held for personal, family or recreational purposes (such as an e-mail address book or a Christmas card list), processing wages, and data relating to national security or crime prevention. ‘Personal data’ is any data from which a person can be identified, and covers both facts and opinions about the individual.

Data users must adhere to eight principles of data protection to ensure that data is:
- Fairly and lawfully obtained and processed
- Held only for specific purposes
- Not used in a way that is incompatible with the purpose it was obtained for
- Adequate, relevant and not excessive
- Accurate and up-to-date
- Not kept longer than necessary
- Processed in accordance with the data subject’s rights
- Kept secure

A data subject has the right to:
- Access data held about them (a small administration fee may be charged for this);
- Have errors corrected, and to seek compensation for damages arising from such errors;
- Compensation for the unauthorised disclosure of data.

2. The Copyright Designs and Patents Act 1998
Although it covers a wide range of areas, in the context of a computer user this Act prohibits people from copying software that they do not have permission to copy, as well as from using software that other people have illegally copied. This means any business must ensure that the software it uses is properly licensed. The law also affects the individual: for a PC owner it may mean that some software they are using, or some music they listen to, is being accessed illegally.

3. The Computer Misuse Act 1990
The Computer Misuse Act 1990 classes the following as offences, which may lead to fines and/or imprisonment:
- Accessing data without permission, whether that data is held securely or not.
- Accessing a program on any computer system without proper authorisation.
- Modifying the data or programs on a computer system without permission.
- Restricting the ability of other people to access computer systems to which they should have access.
- Using a computer system to facilitate any crime.

The above applies whether a person commits the offence themselves, enables others to commit it, or writes a program (e.g. a virus) that will have the same effects, and regardless of whether any changes made are permanent or temporary.