108 Malpractice

The document discusses measures to protect information systems from internal and external threats such as hacking, viruses, theft, and natural disasters. Physical security measures, access controls, backups, encryption, firewalls, and staff training are recommended to prevent data loss or unauthorized access.


AS Module 1 (ICT1): TOPIC 8 Malpractice & Data Theft

Syllabus points:
- Explain the consequences of malpractice and crime on information systems. (Chapter 10)
- Describe the possible weak points within information technology systems (Chapter 11): online systems, storage medium, theft or duplication, compromising electronic emanations (Tempest), viruses.
- Describe the measures that can be taken to protect information technology systems against internal and external threats: clerical procedures, passwords, levels of access, write-protect, back-up, restoration and recovery.
- Describe the access levels required for on-line files.
- Describe the particular issues surrounding access to, and use of, the Internet, e.g. censorship, security, ethics.

THE CONSEQUENCES OF MALPRACTICE AND CRIME ON INFORMATION SYSTEMS

http://www.met.police.uk/computercrime/
http://news.bbc.co.uk/1/hi/business/2264508.stm
http://www.trusecure.com/

Theft or corruption of data etc. can prove fatal to businesses and to life itself, e.g.:
- 80% of companies go bust within 18 months of a disaster.
- Sinking of HMS Sheffield in the Falklands war: inability of the anti-missile radar to function while a telephone call was being made to London on the same frequency.
- Air crashes resulting from errors in flight data stored in the airborne computer.

Case Study (Heathcote p.50)
NHSNet is the system used by the NHS to store patients' records. Staff can access the system with a swipe card and there is a firewall between the computer system and the Internet. The NHS says that the system will only be accessed by authorised people who have a clear need to use it and that all operations on the system will be monitored. Others suggest that the sheer number of people who will be using the system will mean that the swipe card system is not a sufficient level of security.

Heathcote lists groups of people who might want to steal data from the NHS:
- Insurance companies
- Anti-abortionists
- Blackmailers
- Stalkers
- Lawyers (the ambulance-chasing variety)
- Companies marketing drugs
- Funeral parlours

POSSIBLE WEAK POINTS WITHIN AN ICT SYSTEM

1. Dishonest employees who use the computer system to commit crime, e.g. fraud:
   - Bogus data entry, e.g. changing or inventing data so that improper data is produced

http://www.nchadderton.zen.co.uk/front.htm Page 1 of 17

   - Using knowledge of the bank's computer system to embezzle money from inactive customer accounts
   - Bogus output
   - Program patching
   - Alteration of files
   - Suspense accounts
   - Ghost accounts

2. Stealing from the computer
   http://www.wired.com/wired/archive/4.02/catching.html
   - Physical theft of a disk or software, or copying ideas (theft of intellectual rights)
   - Theft of computer time, e.g. running your own business on company computers, stealing electricity
   - Software piracy
   - Hacking
   - Industrial espionage http://news.com.com/2009-1001-954728.html

3. Attacking the computer
   - A virus, e.g. the Morris Worm (a program that replicates itself and spreads from computer to computer)
   - An e-mail bomb

4. Hardware failure, e.g. a hard disk failure could render the data inaccessible
   - Disc crashes

5. Malpractice
   - Faulty procedures (e.g. poorly trained employees who don't know how to use the system properly)
   - Backup procedures not being followed (e.g. by an employee using a laptop outside the office)

6. Acts of God, i.e. natural disasters, e.g. fire, flood, earthquake

7. IP Spoofing
   A technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

8. E-mail spoofing
   Forging an e-mail header to make it appear as if it came from somewhere or someone other than the actual source.

9. Phreaking
   Closely related to hacking: using a computer or other device to trick a phone system. Typically, phreaking is used to make free calls or to have calls charged to a different account.


MEASURES TO PROTECT ICT SYSTEMS FROM INTERNAL AND EXTERNAL THREATS

See the diagram in Heathcote p.249:
- Improve network security
- Maintenance contracts
- Uninterruptible Power Supply (UPS)
- Using tape-streamers
- Training staff
- Employing security staff
- Using disk mirroring

Staff training (p.52) http://www.fast.org.uk/
- So that staff know how to use the system and do not, therefore, do accidental damage.
- To be aware of legislation: see Data Protection Act, Computer Misuse Act, Health and Safety, Copyright.
- To be aware of safe procedures: see BS7799.
- To be aware of the company Code of Conduct.

BS7799
BS 7799 (ISO17799) is comprehensive in its coverage of security issues, containing a significant number of control requirements. Compliance with it is consequently a far from trivial task, even for the most security-conscious of organizations. http://www.thewindow.to/bs7799/

Set up an Audit Trail (p.51) http://www.guardian.co.uk/online/story/0,3605,390973,00.html
An audit trail is a record showing who has accessed a computer system and what operations he or she has performed during a given period of time. Audit trails are useful both for maintaining security and for recovering lost transactions. Most accounting systems and database management systems include an audit trail component. In addition, there are separate audit trail software products that enable network administrators to monitor use of network resources. Timestamping of files aids the audit trail.

Backup Procedures (p.52)
- Maintain the generational system of backups (Grandfather-Father-Son), p.247.
- Online Backup is a system by which all data is stored onto three separate disks (if one disk fails, the transaction is still processed).
- Periodic Backup means backing up at specified intervals (e.g. every day). For extra security, the backup tape is often moved to a secure location, e.g. a fireproof safe or a completely different building. In the case of a laptop, it could be given a "boot lock" and sensitive data on the computer could be encrypted.
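The Grandfather-Father-Son rotation and the restore order it implies, worked through as an added example that is not from the notes or from Heathcote. The exact policy (incremental "son" backups Monday to Thursday on tapes reused weekly, a full "father" backup each Friday, the last Friday of the month written to a "grandfather" tape kept off-site) and the tape labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Union

# Assumed rotation policy (not the notes' own): Mon-Thu incremental sons on four
# tapes reused every week; Fridays a full father on tapes reused every month;
# the last Friday of each month goes to a grandfather tape that is kept.

DayLike = Union[str, date]   # accept "YYYY-MM-DD" strings or date objects


@dataclass(frozen=True)
class BackupJob:
    day: date
    generation: str   # "son", "father" or "grandfather"
    tape: str         # label of the tape to load
    kind: str         # "incremental" or "full"


def _as_date(d: DayLike) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def is_last_friday(d: DayLike) -> bool:
    d = _as_date(d)
    return d.weekday() == 4 and (d + timedelta(days=7)).month != d.month


def plan_backup(d: DayLike) -> Optional[BackupJob]:
    """Which tape, and what kind of backup, day d gets; None on days with no backup."""
    d = _as_date(d)
    wd = d.weekday()              # Monday == 0
    if wd >= 5:                   # no backup at the weekend under this policy
        return None
    if wd < 4:
        # Sons: only files changed since the previous backup; one tape per weekday
        return BackupJob(d, "son", "SON-" + ("MON", "TUE", "WED", "THU")[wd], "incremental")
    if is_last_friday(d):
        return BackupJob(d, "grandfather", f"GF-{d:%Y-%m}", "full")
    # Fathers: full backup, numbered by which Friday of the month it is (1-4)
    return BackupJob(d, "father", f"FATHER-{(d.day - 1) // 7 + 1}", "full")


def plan_month(year: int, month: int) -> List[BackupJob]:
    """Every backup job for one calendar month, in date order."""
    jobs = []
    d = date(year, month, 1)
    while d.month == month:
        job = plan_backup(d)
        if job is not None:
            jobs.append(job)
        d += timedelta(days=1)
    return jobs


def tapes_to_restore(jobs: List[BackupJob], target: DayLike) -> List[str]:
    """Tapes needed, in load order, to rebuild the data as it stood at the end of
    target: the newest full backup on or before target, then every incremental
    taken after that full up to and including target."""
    target = _as_date(target)
    fulls = [j for j in jobs if j.kind == "full" and j.day <= target]
    if not fulls:
        raise ValueError("no full backup on or before target: nothing to restore from")
    base = fulls[-1]
    sons = [j for j in jobs if j.kind == "incremental" and base.day < j.day <= target]
    return [base.tape] + [j.tape for j in sons]


def tapes_in_rotation(jobs: List[BackupJob]) -> int:
    """Distinct tapes one month consumes: a sequence of tapes, not one tape
    overwritten every day, is what keeps earlier restore points available."""
    return len({j.tape for j in jobs})
```

Restoring to a Wednesday therefore needs the previous Friday's father tape followed by the Monday, Tuesday and Wednesday son tapes, which is why the sons must not be overwritten before the next full backup has been verified.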


Physical Protection (p.51)
- ID badges for employees
- An entry control system to the IT department: keycards, voiceprints, retina scans
- Checks on prospective employees to combat techno-terrorism
- Never use original program discs
- Asset register
- Caution
- CCTV
- Smartcards

Password Protection
There should be frequent updates of passwords; read p.252 about handshaking and the use of one-time passwords. A hierarchy of passwords is often used (see below). Callback software; terminal identification. Measures include lockouts, e.g. three tries at a password, and the use of callback software via modem.

Encryption (p.51)
http://computer.howstuffworks.com/encryption.htm
http://www.learnthenet.com/english/animate/encrypt.html
Encryption is the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Examples of information that would be encrypted are:
- Credit-card information
- Social Security numbers
- Private correspondence
- Personal details
- Sensitive company information
- Bank-account information

Virus Protection (p.52)
Virus protection software and routines (p.253). What is a virus? How might it be introduced? What measures should be taken to minimise the risks?


RAID, redundant servers

Access Rights and Access Levels
Access rights may typically be set to Read-Only, Read/Write, or No Access. This ensures that users within a company can only change data they are authorised to change. On the school network, different access levels exist:
1. ICT Technicians (full access rights)
2. Teachers (have access to shared folders and their students' work)
3. Students
4. Basic Group
Why is it important to control access in this way?

On a hospital network, the access levels might be:
1. No Access (receptionists will not be allowed any access to patients' records)
2. Read Only (junior nursing staff would be allowed to read records but not to change them)
3. Read and Copy (a doctor from another hospital might be allowed to take a copy of a patient record)
4. Read and Update (only the patient's own doctor would be allowed to update a record)

Problems still exist. For example, people can leave terminals logged on (terminals could be set to shut down after a specified period, e.g. 10 minutes). Technical support staff could have access to sensitive data when they are repairing computers.

Firewall http://computer.howstuffworks.com/firewall.htm
A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

- Contingency Plans / Disaster Recovery Plans
- Insurance
- Secure Power Supplies
- Verification/Validation Checks

Internet monitoring http://safety.ngfl.gov.uk/schools/?INDEX=ALL
Some companies and schools use the Internet through a "firewall" that controls what is accessible on the Internet, e.g. a school may have a filtering system so that students cannot access undesirable material. Businesses also have the incentive to stop employees wasting work time by surfing the Internet for their own amusement. Managers are also worried that employees might be downloading pornography or using the company e-mail system improperly. There is also a fear of litigation, especially in the United States, where some women have sued for "sexual harassment" because they have been sent offensive files or messages.

Case Study: in 1999 the New York Times fired 23 office staff who had been e-mailing smutty jokes to each other.
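The hospital access levels, the "only the patient's own doctor may update" rule, the 10-minute auto-logoff and the audit trail from the sections above, combined into one added example that is not from the notes. The role names, user ids, record ids and the constructed clock (a plain second counter rather than wall time) are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Hospital access levels from the notes, ordered so a higher level includes
# the rights of the lower ones.
NO_ACCESS, READ_ONLY, READ_COPY, READ_UPDATE = 0, 1, 2, 3
# Minimum level each action on a patient record needs.
ACTION_LEVEL = {"read": READ_ONLY, "copy": READ_COPY, "update": READ_UPDATE}
IDLE_LIMIT = 10 * 60   # seconds of inactivity before a terminal is logged off


@dataclass
class Session:
    user: str
    role: str
    last_activity: int   # seconds on a constructed clock, not wall time
    active: bool = True


@dataclass(frozen=True)
class AuditEntry:          # who, where, what, on which record, when, and the result
    time: int
    user: str
    terminal: str
    action: str
    record: str
    outcome: str           # "allowed", "denied", "auto-logoff" or "no-session"


class PatientRecords:
    def __init__(self, role_levels: Dict[str, int], own_doctor: Dict[str, str]):
        self.role_levels = role_levels        # role -> access level
        self.own_doctor = own_doctor          # record id -> user id of the patient's own doctor
        self.sessions: Dict[str, Session] = {}   # terminal id -> session
        self.audit: List[AuditEntry] = []

    def _log(self, time, user, terminal, action, record, outcome) -> None:
        self.audit.append(AuditEntry(time, user, terminal, action, record, outcome))

    def login(self, user: str, role: str, terminal: str, now: int) -> None:
        self.sessions[terminal] = Session(user, role, now)
        self._log(now, user, terminal, "login", "-", "allowed")

    def request(self, terminal: str, action: str, record: str, now: int) -> bool:
        """Apply the logged-in user's access level to one action on one record."""
        if action not in ACTION_LEVEL:
            raise ValueError(f"unknown action {action!r}")
        s = self.sessions.get(terminal)
        if s is None or not s.active:
            self._log(now, "-", terminal, action, record, "no-session")
            return False
        if now - s.last_activity > IDLE_LIMIT:
            # Terminal was left logged on: close the session and refuse the request.
            s.active = False
            self._log(now, s.user, terminal, action, record, "auto-logoff")
            return False
        s.last_activity = now
        allowed = self.role_levels.get(s.role, NO_ACCESS) >= ACTION_LEVEL[action]
        # Read and Update is further restricted to the patient's own doctor.
        if action == "update" and self.own_doctor.get(record) != s.user:
            allowed = False
        self._log(now, s.user, terminal, action, record, "allowed" if allowed else "denied")
        return allowed

    def sweep_idle(self, now: int) -> List[str]:
        """Log off every terminal idle longer than IDLE_LIMIT; return their ids."""
        closed = []
        for terminal, s in self.sessions.items():
            if s.active and now - s.last_activity > IDLE_LIMIT:
                s.active = False
                self._log(now, s.user, terminal, "idle", "-", "auto-logoff")
                closed.append(terminal)
        return closed

    def trail_for(self, record: str) -> List[AuditEntry]:
        """Audit trail: every attempt on one record, in time order."""
        return [e for e in self.audit if e.record == record]


def demo() -> PatientRecords:
    """Constructed scenario (not real data) exercising each level and the auto-logoff."""
    records = PatientRecords(
        role_levels={"receptionist": NO_ACCESS, "junior nurse": READ_ONLY,
                     "visiting doctor": READ_COPY, "doctor": READ_UPDATE},
        own_doctor={"P-1001": "dr.smith"},
    )
    records.login("recep1", "receptionist", "T1", now=0)
    records.login("nurse1", "junior nurse", "T2", now=0)
    records.login("dr.lee", "visiting doctor", "T3", now=0)
    records.login("dr.smith", "doctor", "T4", now=0)
    records.login("dr.jones", "doctor", "T5", now=0)
    records.request("T1", "read", "P-1001", now=10)     # denied: No Access
    records.request("T2", "read", "P-1001", now=20)     # allowed: Read Only
    records.request("T2", "update", "P-1001", now=30)   # denied: Read Only
    records.request("T3", "copy", "P-1001", now=40)     # allowed: Read and Copy
    records.request("T5", "update", "P-1001", now=50)   # denied: not the patient's own doctor
    records.request("T4", "update", "P-1001", now=60)   # allowed: own doctor
    records.request("T4", "read", "P-1001", now=60 + IDLE_LIMIT + 1)  # left logged on
    records.request("T4", "read", "P-1001", now=700)    # session already closed
    return records
```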


EXAMINATION QUESTIONS

1996 (6 marks)
The illegal use of computer systems is sometimes known as computer-related crime.
(a) Give three distinct examples of computer-related crime.
(b) Give three steps that can be taken to help prevent computer-related crime.

ANSWERS
(a) Any three from:
- hacking to gain access to, or modify, data
- deliberate introduction of viruses to destroy data
- techno-terrorism
- theft of data
- modification of data/code to perpetrate fraud
- or any examples in context
(b) Any three from:
- physical security of systems and rooms
- do not leave terminals active and unattended
- document security
- hardware security and identification devices
- levels of passwords; do not reveal passwords
- audit procedures
- encryption
- dismissed staff leave premises immediately
- or any examples in context

1991 (16 marks)
There are three ways in which the security of data within a large company database may be compromised. The data could be read, altered or destroyed by persons not authorised to do so.
(a) Give five examples of how unauthorised access to data might occur and how you could prevent them. (10)
(b) Give three examples of how data might be altered or destroyed and the way each example could be prevented or controlled. (6)



ANSWERS
(a) Any five from (each threat with the way to prevent it):
- Unauthorised use of the system. Prevention: make everyone register and be given a Personal Identity Number before they can log on to the system; the user would also have a private password.
- Access by registered users to areas for which they have no access rights. Prevention: make access to other areas impossible by forcing them to use a menu-driven system tailored to their legitimate needs; in a time-sharing situation, protect access to other users' directories by a further password.
- Data could be read directly from the screen if the screen is facing the window. Prevention: re-site the screen.
- Data could be read from the screen by a radio device outside the building tuned to receive emissions from the screen. Prevention: fit the terminal or the room with a screen which absorbs those emissions.
- The ID and password of an authorised user can be stolen. Prevention: do not write it down or lend your password.
- Discs could be stolen and read elsewhere. Prevention: lock them up.
- Data might be left on the screen and read by a passer-by. Prevention: re-site the terminal; make users log off before doing something else; the computer could automatically log them off after a few minutes of inactivity.
- Unauthorised access to rooms where terminals are sited. Prevention: could be controlled by smart cards or keys.
- Data could be read via access from a remote, unauthorised terminal. Prevention: terminal hardware must identify itself.

(b) Any three from:
- To control altering of data: have a menu system which does not give update facilities to everyone.
- Where read access to the data has to be allowed: have an extra password necessary to allow alterations.
- If volatile data is corrupted or destroyed by a power failure: make sure there is a recent back-up or a roll-back facility.
- Control access to the room where large-scale magnetic storage is used, to avoid sabotage by a large magnet.
- In case of fire destroying equipment or data: make sure backup equipment or data is stored elsewhere.



1995 (10 marks)
An estate agent uses a PC-based network system to assist in the operation of its business. The main uses of the system are word-processing and the maintenance of customer and property details. Although the majority of files are stored on the network server, the manager of the agency holds certain confidential files on her own station only. You are asked to devise an efficient backup strategy for the system.
(a) What hardware is required to enable the whole system to be backed up? (2)
(b) Give three features of the backup software that will be required to enable an efficient strategy to be devised. (3)
(c) Suggest an appropriate backup strategy. (3)
(d) What physical precautions should be taken with the backup media to ensure that recovery can take place? (2)

ANSWERS
(a) A tape streamer (1) and a local disc for the station (1). Accept a CD-ROM drive with the ability to master, CD-WORM, or a portable external hard disc.
(b) Features such as:
- mirror image backup
- backup all files
- backup only changed files
- procedure customisation
- backup selected file types / save set
- automated backup at specified time
- recovery of all files
- recovery of selected files (1) to different paths (1)
- backup whenever there are changes
- work concurrently with system
- audit log
- verification concept
(c) WHAT to backup (1), WHEN to backup (1), any further explanation (1), e.g.:
- backup all files once/twice per week
- backup only changed files daily
- verify/write (if verify is in (a) or (b), need something different)
- write protect
- confidential files on the separate station require stand-alone backup
(d) Precautions such as:
- secure (e.g. lock away) and fireproof storage, or protection against any natural disaster
- off-site storage
- physical write-protect
- use a sequence of tapes to avoid overwrite

1995 (20 marks)
"Criminal activity and malpractice in connection with the use of Information Technology Systems is one of the fastest growing areas of crime, but many organisations are loath to admit there is a problem." Excluding the area of viruses, discuss this statement. Include in your discussion:
- at least three specific examples of areas of criminal activity
- specific examples of the types of people who may get involved
- possible reasons why organisations are loath to admit there is a problem
- at least three specific examples of countermeasures which can be taken to minimise the threats.



MARK ALLOCATION: 6 points on areas of criminal activity, 4 for types of people involved, 4 for why organisations are loath to admit there is a problem, 6 for countermeasures, 4 for presentation/coherence.

Paragraph 1: Introduction. What have you been asked to do?

Paragraph 2: A discussion of at least three areas of criminal activity
- Hacking (1); explanation/definition (1)
- Computer fraud (1); explanation/definition (1)
- Industrial espionage (1); often a multi-national company has a larger intelligence-gathering service than a small company, e.g. the GDP of Austria is lower than General Motors. Many companies gather information on competitors by legitimate means, e.g. conferences, newspapers, market prices, stock movements, advertising agencies. Some agencies exist which will perform specific tasks, e.g. traffic tracking of a company's use of a WAN. The Virgin v British Airways database case is another example (1)
- Deliberate malpractice by an employee (1); explanation/definition (1)
- Terrorism (1); explanation/definition (1)
- Organised crime (1); explanation/definition (1)
- Pornography (1); explanation/definition (1)
- Software theft (1); explanation/definition (1)
- Data theft (1); explanation/definition (1)
- Tempest (electronic emanations: radiation security); explanation/definition (1); add Faraday cages (1)
- Non-registration under the DP Act (1); plus explanation of the illegal activity (1)

Paragraph 3: A discussion of the types of people involved (no marks are given for duplicates)
- Disenchanted employees: either as insider help to assist external attackers, or self-interest, or redundant staff
- Military intelligence services: exchange of information between allies can be tapped
- Industrial intelligence services: competitors intercepting information on sales, forecasts, current deals
- Vandals: hacking into systems to cause deliberate data corruption
- Users: following non-standard working practices, e.g. using system time for football pools projections or distributing pornography
- Terrorist organisations: political extremists taking action against computer installations, e.g. physical destruction of a railway signalling centre
- Media/newspapers: similar to industrial intelligence
- Professional criminals: organised fraud involving significant groups of people, e.g. Visa credit card fraud
- Small organisations: failure to register under the DP Act as they think they will not get caught

Paragraph 4: A discussion of why organisations are loath to admit there is a problem
- Inability to take effective action to stop the problem
- Loss of credibility (with the public and with other organisations), which subsequently affects business
- May lead to copy-cat activities
- Potential for staff morale or industrial relations problems if it is internal

Paragraph 5: A discussion of at least three specific countermeasures
- Physical security: choice of location, entry to site, entry to specific areas, checking of baggage and supplies, protection of services e.g. electricity, air conditioning, heat
- Document security: handling, recording use, accounting for, purging of all documents used in the system, e.g. data collection, reports
- Personnel security: need to know, two-person authorisation levels to task, rotation of duties, authorisation of sensitive tasks, recruitment screening, disciplinary procedures, termination procedures
- Hardware security: protect hardware from tampering, hardware identification devices, maintenance procedures, fault tolerance, tendering for supply and maintenance
- Software security: protection by the OS, passwords, separation of software and devices, audit control of design and development, control of installation and upgrades
- Tempest: VDU away from windows, clear screens when not in use, avoid metal areas, avoid phone areas
- Comms and network security: encryption, passwords or staff ID badges, dial-back systems
- Computer Misuse Act: discussion of offences, penalties and possible loopholes
- DP Act is relevant in a general sense: discuss registration need, deterrent effect, penalties. NOT detailed analysis.

Paragraph 6: Conclusion

1994 (15 marks)
A local group of electrical retailers uses a computerised system to assist in the administration of its business. The manager of the group becomes concerned about software copyright and the potential dangers of viruses but does not fully understand the issues involved.
(a) Describe three different types of software licensing agreement which are currently offered by software producers. (6)
(b) Explain what is meant by a virus. (3)
(c) Describe two different methods of protecting the organisation against viruses. (6)

ANSWERS
(a)
- Treat as book: one copy in use at a time, being passed to another user.
- Multi-user: usually one/half the number of master discs with agreement to copy onto a specified number of machines for multiple use at any one time.
- Network licence: normally software resides on the host, with a specified number of stations on that single network being given access at any one time.
- Site licence: the licence extends to cover all machines within that institution.
(b) A software routine which, once introduced into a system, replicates itself whenever the program to which it is attached is run, on some flag (e.g. time, date) or when copied.
(c)
- Physical limitations, e.g. branded discs, limit access to drives, reduce links to external networks, flag discs/files to read-only, clean backup and recovery disc, do not borrow software, restrict links to communication systems.
- Toolkits: check discs before use on a sheep-dip station using a toolkit utility and remove any virus found.
- Guards: install a guard utility on all stand-alone machines which automatically tests any disc and removes any virus found.
- Virus programs need regular updates (name and description).

1996
A multi-national organisation maintains an information technology system which holds a large amount of vital and sensitive data.
(a) Describe THREE steps which should be taken to protect the data against deliberate theft or corruption. (6)
(b) Describe THREE steps which should be taken to protect the data against accidental loss. (6)

1997
A common way of permitting different levels of access to on-line files is the use of passwords. Once a password has been input, the user may be allowed to perform a number of different actions upon the data within the files, dependent on the level of access given by that password. Describe FOUR of these possible actions. (4 marks)

1994 (20 marks)
"Society, organisations and individuals are now so dependent on IT systems that the consequences if these systems were to fail would be catastrophic." Discuss the major threats to, or possible causes of failure of, an IT system and explain what steps can be taken to minimise them or their consequences.

MARK ALLOCATION: 5 points on threats/causes of failure, 5 for minimising risk in the context of the threat, 5 for minimising the consequences of failure, 5 for presentation and argument.

Paragraph 1: Introduction. What have you been asked to do? How will you answer?

Paragraph 2: A discussion of at least four of the threats or causes of failure
- Physical: fire, flood, power failure, rats eating cables, coffee
- Hardware failure: processor failure, disc crash
- Telecommunications failure: cable faults, data corruption, gateway down
- Data control failure: data inaccurate, e.g. rounding, incorrect codes
- Software failure: bugs, unsuited to task
- Invalid data: user errors, undiscovered corruption, e.g. upgrade, processing cycle fault
- Computer crime/abuse: hacking, viruses
- System design failure: failure to build the appropriate measures into the design, e.g. London Ambulance Service or European Airbus

Paragraph 3: A discussion of what steps can be taken to minimise the effects of failure
- Physical: regular maintenance, uninterrupted power supplies, duplicate systems, keyboard protectors, human restrictions (explain)
- Hardware: restricted access/usage, backup systems, duplicate systems, reputable suppliers
- Telecomms: regular maintenance, installation of appropriate spec. cable, avoidance of causes of interference
- Data control: systems e.g. batch and control totals, data validation methods, restriction of users, routine backups
- Software: log of usage, error logs, reputable suppliers, authorised upgrades
- Invalid data: validation, verification, log of processing cycle, authorisation, routine backups
- Computer crime/abuse: password or encryption, virus checking; redundant/departing staff led off premises, or disciplinary measures as an anti-virus/password offence
- System design failure: validation of design, acceptance testing, duplicate design teams

Paragraph 4: A discussion of the steps to minimise consequences, i.e. how to recover if it does fail. THIS IS OFTEN MISSED OUT BY WEAK STUDENTS!!!
- Physical: duplicate systems, standby systems
- Hardware failure: as above plus backup files and roll-back
- Comms failure: alternative gateway links, alternative node points
- Software failure: maintain sequential backups, hot-line system support contracts, PC Anywhere links with support supplier
- Invalid data: journal logs and incremental backup procedures with roll-back
- Computer crime/abuse: as above + toolkits giving disc recovery
- System design failure: failsafe systems, manual override (if feasible), duplicate command systems, e.g. 5 voting CPUs

Paragraph 5: Conclusion

June 2001, Q11. Explain, with reasons, two levels of access that could be given to different categories of users of an on-line stock control system. (4 marks)
Examples:
- Stock manager: read/write access (1), ability to add, delete and amend records of stock, e.g. add a new product, delete a product out of stock, change prices (1).
- Sales staff: read/write access (1), need to be able to see details about stock and to change data as sales are made (1).
- Store manager: read/view only access (1), needs to be able to view (read) data but not change it (1).
Any 2 x 2 marks; 2nd mark dependent on first. This question is about the types of access that can be given, not how it is controlled, so nothing on passwords etc. gains credit. Allow Full Access rights: 1 mark for terms plus 1 for explanation. Terms: Read, Read/Write, Amend, Delete, Add/Delete/Write/Append.


January 2002, Q5. Information Systems need to be protected from both internal and external threats.
(a) Explain, using examples, the differences between an internal and an external threat to an Information System. (4 marks)
(b) For each of the following, describe a measure that a company can take to protect its Information System from:
(i) internal threats; (2 marks)
(ii) external threats. (2 marks)

ANSWERS
(a) 2 x 2 marks. Internal threats are from within the company or organisation / caused by own staff (1), example (1). Can accept theft of components as an example. External threats come from outside the company or organisation / caused by people from outside the organisation (1), example (1). Accept natural disasters, power failure. NB: examples may only be used once, e.g. hacking is either internal or external but not both.
(b) (i) Internal: 1 mark for the measure and 1 mark for the explanation of how the measure prevents the threat. Examples:
- Procedures for using disks / virus checking (1) prevents employees introducing a virus onto the network (1)
- Auto-save / confirmation of delete / other software functions (1) designed to prevent loss/corruption of data from careless mistakes (1)
- Passwords and IDs / access levels (1) to prevent unauthorised modification (1)
- Guidelines on working practice (1) to prevent health and safety issues with employees / loss of staff from illness etc. (1)
- Good pay/benefits (1) to prevent loss of experienced/vital staff (1)
- Code of conduct (1) to prevent (1)
- Training of staff (1) to prevent misuse/accidental mistakes (1)
- Security cameras/CCTV etc.: must explain how it prevents the threat (2 or 0)
(ii) External: 1 mark for the measure and 1 mark for the explanation of how the measure prevents the threat. Examples:
- Audit trails / backups: MUST explain how they protect (so either 2 or 0)
- Firewalls (1) prevent access to/corruption of data from external sources (1)
- Encryption (1) used to prevent misuse of data if intercepted during transfer (1)
- Physical measures, locks/guards/CCTV (1) prevent unauthorised access by non-employees (1)
- UPS (1) prevents loss of data when power is lost (1)



June 1999, Q3. Different levels of access can be provided for on-line files which permit users to perform a number of different actions upon records within the files. Give four of these possible actions. (4)
Marks must only be awarded where the action is on a record within the file; therefore delete file, rename file, copy file etc. will not be given any credit. Answers should include any four of the following:
- Add a record
- Append a record
- Delete a record
- View a record
- View part of a record
- Edit a record
- Amend a record
- Read / Read only
- Write
- Read/Write
The answers could be of the read/write type or of the "add a record" type; both are valid as they are actions on a record. If the word record/data is not present, still give the mark. CANNOT ALLOW EXECUTE. NONE is not acceptable. Allow PRINT a record.

June 1999, Q4. Many companies now have a code of practice for employees working with information technology.
(a) Explain what is meant by a code of practice. (3 marks)
A set of rules/policy/guidelines/procedures/standards (1), belongs to an organisation/employer/company (1), governs the behaviour and actions of members/employees (1).
(b) Explain three benefits to a company of having a code of practice. (3 x 2 = 6 marks)
Need to cover eventualities such as preventing the:
- Misuse of equipment (1), stopping the company from having large maintenance bills or replacement costs (1)
- Misuse of software (1), preventing the company being liable under copyright laws (1)
- Misuse of Internet facilities (1), preventing the company from having wasted resources, staff time and phone costs (1)
- Misuse of e-mail facilities (1), lack of work being done and therefore low productivity (1)
- Misuse of data (1), leaving the company open to prosecution under the Data Protection Act (1)
- Gives the company the option of dismissal (1) if the Code of Practice is not followed (1)
- Better trained/informed workforce / higher level of employee skills (1), due to interchange of ideas/skills (1)
The importance is that it is misuse rather than illegal operations, which are covered. MUST BE RELEVANT TO IT AND NOT GENERALISED SOCIAL/ETHICAL/MORAL. NB: A CODE OF PRACTICE IS DIFFERENT TO A CODE OF CONDUCT.



2000, Q5. Describe, with reasons, three measures, other than passwords, that may be taken to maintain the integrity of data against malicious or accidental damage. (6 marks)
DO NOT ACCEPT PASSWORDS or LEVELS OF ACCESS. Any 3 x 2 marks: one for describing the measure (1) plus one for the reason (1).
- Use of copies of sensitive data for day-to-day use, master copies only updated at end of day/week (1) plus (1) for reason
- Use of virus baths / virus software / firewalls to prevent deliberate damage to data (1) plus (1) for reason
- Clear set of internal procedures for staff to follow when using data, to prevent use of own software / data from dubious sources etc. (1) plus (1) for reason
- Audit trails (1) to record use of data: by whom, when etc. (1)
- Good selection and vetting procedures for new staff (1) to prevent any person with a grudge or ulterior motives being employed (1)
- Physical/automatic log-off of terminals (1) to prevent unauthorised access (1)
- Keyboard locks (1) as above (1)
- Physical restrictions on access to equipment (1), reason: to restrict access (1)
- Regular backups (1) to ensure data is kept as up to date as possible in the event of accidental damage (1)
- Not staying on line longer than necessary (1) to reduce chances of hacking (1)
- Write protection of disks/files (1) to prevent overwriting/damage to data (1)
- Encryption/encoding (1)
- Restriction on use of floppy disks (1)
- Callback system for log-on (1)
- Authenticity of software (1)
- Screensavers (1)
- Software measures to protect data
- Better training
- Plus other realistic examples (allow only one locking mechanism)

June 2003, Q7 (8 marks). The use of laptop computers by company employees has increased the threats to ICT systems. Describe four threats to ICT systems caused by employees using laptops.
