14-08-2012, 04:58 PM
13.6 Legal Aspects
Attachment: 13.6LegalAspects(2).ppt (Size: 230 KB)
Objectives
Corporate IT Security Policy:
Understand the need for a corporate information system security policy and the rôle it would fill within an organisation.
Factors could include prevention of misuse, detection, investigation, procedures, staff responsibilities, disciplinary procedures.
Describe the content of a corporate information system security policy.
Describe methods of improving awareness of security policy within an organisation, cross-referencing to training and standards.
Disaster recovery management:
Describe the various potential threats to information systems, e.g. physical security; document security; personnel security; hardware security; communications security; software security.
Understand the concept of risk analysis.
Understand the commercial need to ensure that an information system is protected from threat.
Describe a range of contingency plans to recover from disasters and relate these to identified threats.
Describe the criteria used to select a contingency plan appropriate to the scale of an organisation and installation.
Corporate IT Security
Dependency on IT means the integrity and the safety of information kept is highly important.
Two possible threats to security are accidental and deliberate loss and damage.
Accidental: human error and natural disasters.
Deliberate: fraud, sabotage, arson and spying.
Threats to security come from within and from outside the organisation.
A Corporate IT Security Policy should be wide ranging enough to cover all eventualities.
IT Policy Statement
Covering the use of computers.
Users are required to read it and sign their agreement to it.
Organisations may run training courses for new employees who use computers.
Courses cover the main Acts regarding the use of computers in organisations.
IT security is implemented as a cornerstone of the organisation’s management.
Prevention of Misuse
Not allowing users access to the Operating System and settings.
Not allowing key files to be deleted.
Allowing restricted use of the Internet including Filtering and Firewalls.
Not allowing everyone access to the Internet and e-mail use.
Users need a user name and a password.
Users have access only to files they normally use in the course of their work.
Detection
Audit trails to discover where misuse has taken place and to identify the employee.
Specialist software that will identify an unusual request or unusual use and will flag a message to the security manager.
Software that allows the security manager to see who is working and who is playing.
A log of access can be saved to build a record of use about employees.
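To make the detection bullets concrete, here is an added example (my own code, not from the slides) that runs over a constructed audit trail: each access is recorded per employee, and anything outside the user's normal files, outside working hours, or a deletion of a key file is flagged for the security manager. The user names, file paths, working hours and "key files" are assumed policy values, not from the original.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not from the slides): timestamp, user, action, file.
AUDIT_TRAIL = """\
2012-08-14 09:12:03 alice READ /finance/ledger.xls
2012-08-14 09:40:51 alice WRITE /finance/ledger.xls
2012-08-14 10:05:17 bob READ /sales/pipeline.doc
2012-08-14 10:06:02 bob READ /finance/ledger.xls
2012-08-14 23:48:30 alice READ /finance/payroll.xls
2012-08-14 11:20:44 carol DELETE /hr/contracts.doc
"""

# Hypothetical policy: the files each user normally uses in the course of their work.
ALLOWED_FILES = {
    "alice": {"/finance/ledger.xls", "/finance/payroll.xls"},
    "bob": {"/sales/pipeline.doc"},
    "carol": {"/hr/contracts.doc"},
}
WORK_HOURS = (8, 18)               # 08:00-18:00 counts as normal use (assumed)
KEY_FILES = {"/hr/contracts.doc"}  # key files that must never be deleted (assumed)


def parse_trail(text):
    """Turn the raw audit trail into (timestamp, user, action, file) records."""
    records = []
    for line in text.splitlines():
        date, time, user, action, path = line.split()
        records.append((datetime.fromisoformat(f"{date} {time}"), user, action, path))
    return records


def review_trail(text):
    """Return (alerts, usage): alerts for the security manager, usage per employee."""
    alerts = []
    usage = defaultdict(lambda: defaultdict(int))
    for when, user, action, path in parse_trail(text):
        usage[user][path] += 1  # the record of use built from the log
        if path not in ALLOWED_FILES.get(user, set()):
            alerts.append((user, "access outside normal files", path))
        if not WORK_HOURS[0] <= when.hour < WORK_HOURS[1]:
            alerts.append((user, "access outside working hours", path))
        if action == "DELETE" and path in KEY_FILES:
            alerts.append((user, "attempted deletion of key file", path))
    return alerts, {u: dict(files) for u, files in usage.items()}


if __name__ == "__main__":
    for user, reason, path in review_trail(AUDIT_TRAIL)[0]:
        print(f"ALERT {user}: {reason} ({path})")
```

The usage dictionary is the per-employee record of use the slide mentions; the alerts are what would be flagged to the security manager.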
Investigation
Use of software to investigate and gather evidence against a mis-user of the system.
Important to have proper evidence against someone accused to ensure fair treatment and keep good industrial relations.
In serious cases of misuse the employee could be disciplined, dismissed, or the police involved in very serious cases.