Threats to the data and potential security issues
Egos are a medium-sized company with 50 users who have internet access. I have been asked to evaluate the network for security risks and to identify them.
First of all, I noticed that there is no login service for these 50 users, and this is a potential risk. This means that nobody's work is secure, as everyone else has access to it. If someone's work goes missing there is no way to retrieve it, and it could be very important.
Internet access is unrestricted, and this is a big problem. It means that staff can visit any site they want, increasing the risk of picking up some sort of virus.
Staff are allowed to install and remove software whenever and wherever they want. This is possibly one of the biggest security risks, as any software download carries the risk of a virus. Something should be set up to deal with this. Giving staff the ability to remove software also increases the chance of deleting very expensive software that has been bought and is essential to the business. IT Services should take this ability away from the staff.
Another problem I have come across is that the data is only backed up once a month. This is a serious problem, as the system could fail at any time. The data should be backed up several times a day, as a lot of work can be done in that space of time.
In this business, the backup tapes are kept in a plastic box on top of the server. This is very bad, as servers can get extremely warm, so the plastic box could melt and all the backed-up data would be lost. The tapes should be secured in a metal box, so they cannot be accessed as easily, and kept in a different, remote location, because there could be a natural disaster at the workplace and the tapes would then be at risk. With the backups kept elsewhere, the business can start up again because all the backed-up data is still available.
All staff are allowed access to the customer database, and this is a problem, as they are able to see all of the customers' personal details such as address, telephone number, bank details and many more. This can lead to identity fraud, as other people's details are available. Level of access is important in this situation: only certain members of staff should be allowed access to such details.
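One way to apply the level-of-access point above, as an added Python example that is not from the essay or from Egos: customer fields are hidden from any role not granted them, unknown roles see nothing by default, and every read is recorded. The role names and the sample customer record are constructed assumptions.

```python
"""Field-level access to customer records, deny by default, with an audit trail."""
from typing import Dict, FrozenSet, List

# Constructed sample record with the kinds of field the essay names.
CUSTOMERS: Dict[int, Dict[str, str]] = {
    101: {
        "name": "Ann Example",
        "address": "1 Sample Street, Anytown",
        "telephone": "01234 567890",
        "bank_details": "12-34-56 00112233",
    },
}

# Hypothetical roles for the Egos scenario. A field absent from this table is
# hidden from everyone, so a newly added column is private until access is granted.
FIELD_ACCESS: Dict[str, FrozenSet[str]] = {
    "name": frozenset({"sales", "accounts", "manager"}),
    "address": frozenset({"sales", "accounts"}),
    "telephone": frozenset({"sales", "accounts"}),
    "bank_details": frozenset({"accounts"}),
}

# Record of who read which fields; the essay notes that nothing is logged today.
AUDIT_LOG: List[str] = []


def view_customer(customer_id: int, user: str, role: str) -> Dict[str, str]:
    """Return only the fields that `role` may read, and log the access."""
    if customer_id not in CUSTOMERS:
        raise KeyError(f"no customer {customer_id}")
    record = CUSTOMERS[customer_id]
    visible = {
        name: value
        for name, value in record.items()
        if role in FIELD_ACCESS.get(name, frozenset())
    }
    shown = ",".join(sorted(visible)) or "-"
    AUDIT_LOG.append(f"user={user} role={role} customer={customer_id} fields={shown}")
    return visible


if __name__ == "__main__":
    print(view_customer(101, "jo", "sales"))       # no bank_details
    print(view_customer(101, "sam", "accounts"))   # bank_details included
    print(view_customer(101, "guest", "cleaner"))  # {} : unknown role sees nothing
    print(*AUDIT_LOG, sep="\n")
```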
As the manager has heard staff discussing account details, this could mean that they are exchanging details and using them when they should not be. This is a serious risk, as it is illegal and they could get into serious trouble. If the customers' details were to fall into the wrong hands, serious damage could be done. The manager needs to act on the situation and sort it out.
As email is available to all, this increases the chances of viruses and Trojan horses. Every member of staff would be using it, and it only takes one bad email to result in a virus, disrupting the system. No log of the IP addresses of sites visited is kept, and this is a problem because if anything were to go wrong with a site, they would not be able to trace it and report it.
As there is no firewall in place, there is a serious risk of being hacked and losing information such as important emails and very important files. A firewall helps prevent this and also protects against things like password guessing and the system being shut down. Without a firewall, all the work they have could be lost and could fall into the wrong hands.
Another potential security risk is that when staff access the internet there are no restrictions on what they can visit. This is a problem because not all internet sites are secure. Also, not all sites are relevant to work, so some should be restricted. Restrictions are needed, as many unsecure sites can give you viruses.
Downloads are not monitored, and this is a serious problem, as it is very easy to pick up a virus that can again disrupt the system. The manager should set up a process that monitors downloads and takes action if something about to be downloaded isn't relevant to work.
All of these are serious security risks, but perhaps not as big as this one. It's all very well having firewalls and so on, but people often forget to check simple things like someone physically stealing information. For example, if there is no security lock or card swipe on the door, a random person could walk in, lift a computer and walk out, as simple as that. A keypad should be set up so that only people who know the code can get in. This prevents unauthorised access and so reduces the risk of theft.
With all of these security risks, they are also breaking the law. They are breaking two laws: the Computer Misuse Act and the Data Protection Act. Below I have listed what each law is about and how Egos are breaking them.
Computer Misuse Act
The Computer Misuse Act 1990 was designed to protect the integrity of computer systems by deterring the activities of hackers.
- Unauthorised access to computer programs or data
- Unauthorised access with a further criminal intent (known as the ‘ulterior intent’ offence)
In the late 1980s there was concern about hacking and the damage which could be done to systems, especially those that were safety-critical. This concern was increased by the appearance of the first computer viruses. There were a number of attempts to prosecute hackers under the then-existing legislation, but the success rate was not very high.
Data Protection Act
- Personal data must be obtained and processed fairly and lawfully.
- Personal data must be held only for the purposes which the data user has declared.
- Personal data must not be used for purposes other than those which have been declared.
- The personal data kept for the declared purpose must be relevant, adequate and not excessive in relation to that purpose.
- Personal data should be accurate and kept up to date (where appropriate).
- Personal data must not be kept longer than is necessary for the purpose for which it is held.
- An individual is entitled to find out whether and what data is held on him or her and, where appropriate, to have such data corrected or erased.
- Appropriate measures must be taken to prevent unauthorised access to, or modification of, personal data.
The Act identifies three kinds of party in relation to personal data:
- Data Subjects, who are the individuals on whom personal data is held
- Data Users, who are organisations or individuals who hold (that is, control and make use of) personal data
- Computer Bureaux, which are organisations or individuals who process or maintain data on behalf of others without having control over its content