Syllabus Focus: Unit 1 Module 2 Content 15

Specific Objective 15: explain the meaning of terms related to the security of Information
Technology Systems;
Content: For example, data security, passwords, authentication, encryption, data
corruption.

TOPIC: Computer Security

Computer Security

Computer security involves the prevention of unauthorized modification, disclosure or

destruction of data and the maintenance of uninterrupted computing services.

General Risks

Risks to computers come from a variety of sources, including:

 Human error  Natural Disasters
 Technical Error  Unauthorized access and use
 Virus  Theft and vandalism

Categories of Computer Risks

Human Error – The mistakes staff and other people make are a treat. E.g. inputting a
transaction to the wrong account, key an incorrect value, forgetting to check if a back up
has completely properly. Incorrect data prevents the system from operating, as it should.

Technical Error – Hardware, software, and storage media faults. Hardware failure has
the potential to prevent the system from operating. A software fault (bug) may slow down
the system. A major software fault must be corrected. A faulty disk is likely to prevent
the system retrieving data held on it.

Virus – A virus is a small piece of software that performs unauthorized actions and
which replicates itself. They may damage files or attempt to destroy files and damage
hard disks.

Natural Disasters – In some areas flooding is a natural risk, e.g. towns near rivers or
coasts. Wind and rain can cause substantial damage to buildings. Flooding and lightning,
pose a treat to power supplies. Power surges may occur when services are restored which
may affect computer operations. Earthquakes may damage buildings that house
computers.

CAPE NOTES Unit 1 Module2 Content 15 1

Unauthorized Access and Use – Hackers attempt to gain unauthorized access to
computer systems. They may attempt to damage the system or steal information. Hackers
use tools like electronic number generators and software, which enables rapid password
attempts. Data that is transmitted across telecommunications links is exposed to the risk
of being intercepted or examined during transmission. This is called eavesdropping.

Theft and Vandalism – Computer theft may be carried out by staff or intruders. Other
theft risks includes: chip theft, theft of storage media e.g. CD-Rs, theft or unauthorized
copying of company software, theft of commercially valuable data (either by hackers or
unauthorized users).

Risk Management

Risk management involves putting in place measures and controls to ensure computer
security is maintained. Organizations should take steps to minimize or control the
possible impact of risks to computer systems.

Types of Risk Management or Controls

Access codes and passwords (Logical Access Controls) – Prevents actual entry to
computer system software and data. Examples include:

 Passwords required to log on or gain access to certain files or functions.

Users should be required to log of before they leave their PC. PCs should have
protected screensavers that automatically activate on idle machines.

Audit Trails – A record showing who has accessed a computer system and what
operations he/she has performed during a given period of time. Audit trails are useful
both for maintaing security and for recovering lost transactions. Most accounting systems
and database management systems include audit trail component. In addition, there are
separate audit trail software products that enable network administrators to monitor use of
network resources.

Log Systems – A file that lists actions that have occurred. For example, web servers
maintain log files listing every request made to the server. With log file analysis tools,
it’s possible to get a good idea of where visitors are coming from, how often they return,
and how they navigate through a site.

In addition, a log of all equipment should be maintained. Staff allocated portable

equipment such as laptops should sign acknowledging responsibility for the equipment.
The log and booking procedures aim to reduce the likelihood of theft by people who
have official access to equipment.

CAPE NOTES Unit 1 Module2 Content 15 2

Anti- virus software – This protects data against viruses. Anti-virus software such as
McAfee or Norton’s searches the system for viruses and removes them. Updated anti-
virus software should be on the system.

Encryption – This involves scrambling the data at one end of the line, transmitting the
scrambled data, and unscrambling it at the receiver’s end of the line. Thus, the person
intercepting the scrambled message is less likely to make sense of it. Data that is sent
across telecommunication lines is exposed to the risk of being intercepted or read during
transmission. Encryption is used to reduce this risk.

Physical security measures – Unauthorized access to equipment or systems can by

controlled by restricting physical access to buildings. Physical access controls are used to
minimize the risks of theft and malicious damage to computer systems. Physical access
controls include:
 Personnel (security guards).
 Personal identification numbers (PINs) can be required to be keyed in to gain
entry to the building and/or areas. PINs can be used in conjunction with a
magnetic stripe card or a smart card.
 Door locks (key operated or combination).
 Magnetic strip cards or smart cards.
 Closed circuit television (CCTV) allows movement to be monitored.
 Burglar alarms may deter intruders outside of office hours.
 Biometrics – systems used to identify individuals through the use of
fingerprints or retina scans. However, these are too expensive for most
organizations.

Backup and recovery procedures – A copy of a file or files held on an alternative

storage medium (e.g. a disk or tape). Back ups are held as a precaution in case the file(s)
in use become damaged or unable to be used. Making a back up of files enable recovery
in the case of future failure or corruption.

Loss of, or damage to, data or program file can severely disrupt computerized systems.
Files can be physically deleted, and it is also possible for a file to become corrupted
(changed in unintended way). A file may also be physically damaged and become
unreadable. It is important, therefore that a usable copy of a file can be restored from
back up.

Most operating systems include back up utility for creating back ups. There is also
specialized back up software available to allow easy establishment and performance of
back up routines.

With networks and larger systems back-up utility can be set to back up everything or
certain selected files, automatically, at a regular time each day e.g. midnight.

At least some back up copies should be stored off site. In the case of a fire or a burglary
at business premises the back up copies will not be damaged. Some organizations keep

CAPE NOTES Unit 1 Module2 Content 15 3

 one set of back up on-site (for speed of access) and a second set at a separate location.
Back up data can also be stored in fireproof cabinets.

Some organizations Archive data. This is the process of moving (by copying) data from
the hard disk, to tape or other portable media for long term storage.

Making duplicate copies of files (back up) reduces the risk of loss of data from natural
disasters, theft of data, corrupted data, human error, deletion of files.

Risks Risk Management Techniques

Human Error  Input Controls
 Backup
Technical Error (Hardware, software and  Ensuring the system installed is capable of
storage media faults) performing the tasks required. Testing the
system.
 Securely store and handle storage media such as
floppy disk, Zip disks and CDs with care.
 Protect CDs form dust, scratches and
fingerprints.
 Floppy disks labels should be written on before
being stuck on to the disk.
 Floppy disks are “magnetic” disks. They should
not be exposed to magnets.
 Protect tapes form magnets, heat and liquid.
 Backup

Virus  Current antiviral software.

 Establish controls over the use of diskettes.
 Download software and files from only trusted
sources.
 Scan files before downloading.
 Back up
Natural Disasters  Choosing suitable location of the company
buildings away from flood prone areas.
 Generator
 Uninterrupted Power Supply (UPS)
 Back up
Unauthorized Access and Use  Access codes and passwords
 Encryption
 Physical security measures
 Audit Trails
 Log systems
Theft and Vandalism  Physical security measures e.g. security guards,

CAPE NOTES Unit 1 Module2 Content 15 4


Fire, Terrorism and other major incidents
PINs, door locks, smart cards, CCTV, burglar
alarms, biometrics.
 Fire safety plan – plan to prevent fire, detect fire
and put out the fire.
 Site preparation (appropriate building materials,
fire doors)
 Detection e.g. smoke detectors.
 Extinguishing e.g. sprinklers.
 Training for staff in observing fire safety
procedures.

Reference: Information for Management Control - CAT

Exercise

1. Identify three computer risks, apart from the risks identified on this lecture sheet.

2. Analyze the following situation and propose appropriate risk management solutions
where needed.

(i). Your department is located in an open-plan office. The office contains five
networked desktop PCs and two laser printers.

You have just read an article suggesting the best form of security is to lock hardware
away in fireproof cabinets, but you feel this is impractical. Make three (3)
suggestions of alternative security measures that you may adopt to protect the
hardware and data held on the system.

3. Create a private file. Create a password to open and another password to modify the
document.

Assignment

1. Your company is reviewing all areas of computer operations and the associated risks.
You realize that no one has considered the risks of fire or flooding. Make
recommendations of the risk management techniques you consider relevant to these
areas.

CAPE NOTES Unit 1 Module2 Content 15 5