Data Security and Controls
Data Security and Controls
Chapter Objectives
1. Define the terms data security and privacy
2. Identify security threats on ICT and possible control measures
3. Identify types of computer crimes
4. Discuss laws governing protection of ICT systems
Introduction
- Computers face threats to data security & control measure. These are called computer crimes.
It is possible to put in place measure that can detect & protect any possible computer crimes
against computer systems and associated data. Data & Information must be protected against
unauthorized access, disclosure, modification or damage. This is because; it is a scarce &
valuable resource for any business organization or government. Most countries have laws that
govern the protection of information, communication and technology systems.
- DATA SECURITY - is protection of data or programs against loss of confidentiality, integrity and
availability.
- DATA CONTROL - Refers to all possible measures taken to ensure the security of data.
- DATA PRIVACY - Refers to the right of an individual to have information about them regarded as
confidential. e.g health records, bank account details, online conversations, police investigation.
- CONFIDENTIALITY - Means data is private. It ensures that data is accessed only by authorized
individuals. Such data can never be published or used for monetary gain without the owner's
knowledge. Such individuals include lawyers, doctors and police.
- INTEGRITY – refers to the accuracy, completeness, and consistency of data (ensures that information is
reliable as well as accurate).
1. computer viruses
2. unauthorized access
3. computer errors/accidental erasures
4. theft
5. crashing of HDD
6. Power failure
1. Computer Viruses
- A computer virus is a dreadful/malicious computer program that damages and interferes with
the normal running of the computer. Viruses attach themselves to legitimate programs with the
intention of infecting other programs and hijacking vital resources such as memory and
processors. Viruses can erase, modify or encrypt other files.
TYPES OF VIRUSES
a) Worms - viruses that attach themselves to computer memory. Worms propagates itself
across computers, usually by creating copies of itself in each computer's memory
b) Hoax - Viruses sent as emails by unknown individuals with the intention of trickery or
deception.
d) Boot sector virus - Are viruses that affect the boot information.
e) Trapdoor - A virus that provides secret access to a program or system by bypassing its
security controls.
C) Are self-replicating - they multiply themselves to occupy a large space in memory and/or
storage.
D) Some delete files or program in a computer
Sources of Viruses
1. Contact with contaminated storage devices such as flash drives.
5. The internet - a computer that is connected to the internet is more vulnerable to viruses
through:
3. Shareware - programs available for free online for a limited amount of time.
7. Making services on the computer unavailable to the user e.g printing, keyboard, network.
3. Always maintain an up-to-date backup of your data and programs to prevent loss.
5. Scan files and programs after downloading them from the internet.
2. Unauthorized access
Unauthorized access refers to illegal access or alteration of data or programs.
1. Restricting access to computer room – only allow authorized personnel e.g. through:
locked doors, speech recognition access, badge readers, security guards.
2. Secure the computer room – e.g. by fitting a security alarm at the door, metallic doors,
metallic window grills.
3. Encryption of data transmitted through a network – encryption involves converting
data/information (plaintext) into a code (ciphertext) that hides the true meaning of the
original data. Hence only authorized people can decode that data to the original form.
4. Using passwords – a password is a phrase used to restrict access to a file or computer
system. A strong password should contain at least 8 characters with a combination of
upper and lower case letters, numbers, symbols and special characters.
5. Network security – involves restricting the sharing and access to information on a
network through levels of access (hierarchy).
Control measures
1. Use or restore tools – a feature that allows the user to restore data that was unsaved
2. Backups – stores a copy of the data in case the original is lost
3. Used data recovery tools – are special programs that can restore deleted data from a
formatted storage device.
4. Using the recycle bin – a storage location where deleted files are stored in case one
wants to restore the data.
4. Theft
Involves stealing computer equipment, software or data. Stealing important components of a
computer system to cause damage is called vandalism.
Control measures
Control measures
6. Power Failure
Power failure results to loss of unsaved data and crashing of the hard disk.
Control measures
Computer crimes/cyberterrorism
Are illegal operations done with or on an information system.
1. Trespass – illegal access to the computer room or data sent over a network.
2. Hacking – gaining unauthorized access to a computer system by breaking codes or
passwords.
3. Tapping – involves intercepting information or data that is on its way from a source
computer to the destination computer.
4. Cracking – process of trying all possible character combination likely to be used to access
a system until a weak point is revealed. Then the cracker gains access.
5. Piracy – illegal distribution of copyrighted material such as music, software, movies and
books. It is also called theft of intellectual property.
6. Fraud – using a computer system to fake documents, hide information or cheat
unsuspecting people with the intention of gaining money. E.g. sending emails to people
congratulating them on wining a lottery but asking a certain amount of money to receive
the prize.
7. Sabotage – deliberate destruction or obstruction of a computer system for a personal or
business advantage. Normally done by business competitors.
8. Alteration – illegal modification to data with the intention of gaining money or
misinforming users.
9. Eavesdropping – refers to listening to a communication secretly. Done by tapping the
communication channel.
5. Data and information should be collected, used and kept for specified lawful purposes.
7. The owner of the data has a right to know what data is held by the person or
organization having it.
8. Do not collect irrelevant and overly too much information for a purpose.
Countries are encouraged to develop a data and information handling legal framework that will
protect people's data and information.
Review Questions