
File security

It is imperative to recognize that automated systems, which provide essential services, are
vulnerable to natural disasters or to someone who has the resources to compromise a computer
system. Appropriate security measures should be taken to ensure protection from accidental and
deliberate threats to confidentiality and integrity of data. Whilst it is accepted that absolute security is
unrealistic, steps should be taken to optimise the security of your computer system at a cost that is
proportionate to the reduction in risk.

The security of files on computers is paramount and the use of password access is strongly
recommended for users.

For employees who vacate their position, either on transfer to another area or to another employer,
risk management procedures should be implemented to ensure their access to the nominated
computer system is revoked. Too often, users retain access to computer systems and files for
lengthy periods of time after they have left their previous position. This creates an opportunity for
criminal offences to be committed and possible corruption and loss of data.
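
An added example (not part of the original page) of the check this paragraph calls for: reconcile a list of departures against the account list and report accounts that are still enabled, how long they have been outstanding, and whether they were used after the person left. The CSV layouts, column names and user IDs are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data; the column names are assumptions for this example.
HR_DEPARTURES = """user_id,last_day,reason
jsmith,2024-01-12,transfer
akhan,2024-02-29,resigned
pbrown,2024-03-01,resigned
mlee,2024-03-20,resigned
"""
ACCOUNTS = """user_id,enabled,last_signon
jsmith,yes,2024-02-03
akhan,no,2024-02-28
pbrown,yes,
mlee,yes,2024-03-19
tnguyen,yes,2024-03-21
"""


def stale_access(hr_csv, accounts_csv, today):
    """List enabled accounts whose owner has already left the position."""
    left = {r["user_id"]: date.fromisoformat(r["last_day"])
            for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        last_day = left.get(acct["user_id"])
        if last_day is None or last_day >= today:
            continue  # no departure recorded, or not yet effective
        if acct["enabled"].strip().lower() != "yes":
            continue  # access has already been revoked
        last = (acct["last_signon"] or "").strip()  # empty = never signed on
        findings.append({
            "user_id": acct["user_id"],
            "days_since_departure": (today - last_day).days,
            "used_after_departure": bool(last) and date.fromisoformat(last) > last_day,
        })
    # Longest-outstanding access first, so it is revoked first.
    return sorted(findings, key=lambda f: -f["days_since_departure"])


if __name__ == "__main__":
    for f in stale_access(HR_DEPARTURES, ACCOUNTS, date(2024, 3, 22)):
        print(f)
```

An account flagged with `used_after_departure` set warrants review of what was accessed, not only revocation.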

Whilst there are avenues available to retrieve data that is lost, doing so can be expensive
for something that is easily preventable.

The deleting of files from computer systems may constitute the criminal offence of fraud in
Queensland, if it is shown that there has been a dishonest action to cause some detriment to the
complainant in question.

Likewise, the theft of files may also constitute the criminal offence of stealing in Queensland, if it is
shown that there is some intent on behalf of the offender to use the files for some purpose.

Matters such as disputes over the ownership of files may give rise to copyright breaches, and
remedies in these matters should be sought via civil action if deemed necessary, rather than criminal
complaints to police.

Steps to establish and maintain an adequate computer security program:

• Identify the computer system assets that require protection (i.e. data, software, hardware,
media, services and supplies)
• Determine the value of each asset
• Identify potential threats associated with each asset
• Identify the vulnerability of the computer/EDP system to each of these threats
• Assess the risk exposure for each asset
• Select and implement security measures
• Audit and refine the security program on a regular basis, especially when employees depart
on a permanent basis

Common methods to commit computer related crime.

Data Diddling
A simple and common computer related crime that involves changing data prior to or during input to
a computer. Data can be changed by anyone involved in the process of creating, recording,
encoding, examining, checking, converting, or transporting computer data.
• Minimize the risk of diddling by applying internal security controls.

Trojan Horse
A Trojan Horse involves the placement of unwanted computer instructions in a program so that the
host computer will perform some undesired/unauthorized function. The instructions enter the target
system hidden in some other message or program, thus the name Trojan Horse.

• Minimize the risk of attack by a Trojan Horse by implementing security control measures for
all incoming data containing hidden content.

Logic Bomb
A Logic Bomb is a computer program executed at a specific time to cause damage to computer
programs or data. Logic Bombs often enter a computer system using the Trojan Horse method, but
differ because their presence is detected only after the bomb "blows up." 
For example, a disgruntled employee may write a computer program to cause the company's
computer system to crash at a particular date. At the specified date and time, the system crashes
costing hundreds of hours and thousands of dollars to restore.

• Minimize the risk by using security methods that verify the system for inappropriate content.

Impersonation 
When a password and user identifier controls access to a computer system, the most common
method to gain access to the system is to impersonate an authorised user. 
Impersonation in the workplace may be accomplished as easily as taking an authorised user's place
at an unattended terminal that has not been logged off. However, impersonation usually requires
that the intruder have access to two or three pieces of information:

• User I.D. or account number;
• Password of the authorised user;
• A dial port number (computer's telephone number), if access is attempted from a remote
location.

• Minimize the risk of unauthorised access by implementing security measures and password
maintenance. Passwords should be of adequate length to maximize security and
maintenance systems should force a change of passwords at regular intervals. In addition,
the system should be programmed to generate a minor alarm after an unusual number of
invalid sign-on attempts.
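
One way to implement the alarm on invalid sign-on attempts described above, as an added example that is not part of the original page: count failures per user ID in a sliding time window and raise one alarm per burst. The log format, user IDs, threshold and window length are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-on records; the log format is an assumption for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:05 SIGNON user=jsmith result=OK
2024-03-01T09:01:10 SIGNON user=akhan result=FAIL
2024-03-01T09:01:20 SIGNON user=akhan result=FAIL
2024-03-01T09:01:31 SIGNON user=akhan result=FAIL
2024-03-01T09:01:45 SIGNON user=akhan result=FAIL
2024-03-01T09:01:58 SIGNON user=akhan result=FAIL
2024-03-01T09:02:03 SIGNON user=akhan result=FAIL
garbled line that is not a sign-on record
2024-03-01T09:30:00 SIGNON user=jsmith result=FAIL
2024-03-01T11:45:00 SIGNON user=jsmith result=FAIL
2024-03-01T14:10:00 SIGNON user=jsmith result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) SIGNON user=(\S+) result=(OK|FAIL)$")

def invalid_signon_alarms(log_text, threshold=5, window=timedelta(minutes=10)):
    """Alarm (user, time, count) when a user ID reaches `threshold` failures in `window`."""
    failures = defaultdict(deque)  # user ID -> times of recent invalid attempts
    open_alarm = set()             # user IDs whose current burst is already reported
    alarms = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) != "FAIL":
            continue               # skip valid sign-ons and unparseable lines
        try:
            when = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue               # timestamp field is not a valid date
        user = m.group(2)
        q = failures[user]
        q.append(when)
        while when - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) < threshold:
            open_alarm.discard(user)  # burst is over; a new one may alarm again
        elif user not in open_alarm:
            open_alarm.add(user)
            alarms.append((user, when.isoformat(), len(q)))
    return alarms

if __name__ == "__main__":
    for user, when, count in invalid_signon_alarms(SAMPLE_LOG):
        print(f"ALARM {when} user={user} invalid sign-ons in window: {count}")
```

With the defaults, the six rapid failures for one user ID raise a single alarm, while three mistyped passwords spread across a working day do not.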

Computer Virus

• Minimize the risk of infection by incorporating virus scanning into the start-up of the computer
system, and scan any new software and files prior to use.
