Data security is concerned with stopping unauthorised access to computer systems and the data they hold. Common threats include hacking, social engineering and accidental distribution of sensitive data. There are many examples of businesses and organisations that have been badly affected by breaches of data security. In government and medical systems, this can often result in serious harm to individuals.
Data Security vs Computer Security
Security can be split into two components, both of which are equally important – data security and computer/system security.
Data is often sent across the internet and other networks on unsecured or easy-to-hack media. The data itself must therefore be secured. This is often achieved through authentication, encryption of data, end-to-end encryption of network connections, and the use of public and private keys.
- Password protecting the BIOS screens for school computers
- Disabling USB access
- Requiring user authentication using usernames and passwords
- Requiring key-card or fob access to enter the school grounds
Data privacy is the process of ensuring that those with authenticated access to systems and data only view data they should be allowed to view. Deciding who should have access to what information should be a management/leadership team decision, and this should lead to the implementation of procedures to control the flow of information. User Access Levels (UALs) should be implemented within computer systems and networks to ensure that database management systems (DBMS) only allow users access to the information they are allowed to access.
- Nurses & doctors should only have access to medical information regarding the patients they are treating.
- Catering managers should have access to all patients’ data, but it should be limited to their dietary requirements and preferences.
- Site staff should only have access to the number of patients in each ward and the equipment/stock requirements for each ward.
- Receptionists should only have access to limited information about a patient (such as name, address, ward number etc.) but will need access to all patients.
Data Integrity is concerned with preventing data from being corrupted, deleted or otherwise rendered inaccessible.
Data integrity is maintained through a number of different technologies and procedures, each of which is important and serves a different purpose.
Disk mirroring is a technique where the contents of a hard drive are mirrored on one or more hard drives, usually in RAID 1 or similar format.
This has the following advantages (depending on which form of RAID is used):
- Faster access to data as multiple hard drives can be read/written simultaneously. This is especially important in systems that experience high demand for data or surges in demand (such as festival ticketing websites when tickets for festivals are released).
- Near-immediate system recovery after a hard drive failure.
- Long life-span of individual drives as the read/write work is spread between the drives.
Onsite and offsite backups
As well as using RAID drives, daily, weekly and monthly backups should be taken, and these backups should be kept both onsite (for fast access in case of a hard drive failure) and offsite (in case of a fire or break-in).
An increasingly common form of attack is a ransomware attack, where a hacker gains access to a computer system and encrypts the data contained within the system. They then demand money (often in difficult-to-trace bitcoins). To protect against this, system managers should ensure that computer virus protection, software and authentication systems are up to date. Backups should also be stored separately from other data.
User Access Levels
Perhaps the most common reason for loss of data is accidental or malicious action by individuals in an organisation who delete or otherwise corrupt data. This threat can be mitigated through the use of User Access Levels, giving users read access to sensitive data, but not giving them delete/edit rights.
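The hospital access rules listed under data privacy, combined with the read-without-delete principle above, can be expressed as one policy table that is checked on every request. This is an added Python example, not part of the original page: the patient records, user names, role names and policy layout are constructed for illustration, letting clinicians modify records is an assumption, and the equipment/stock data for site staff is left out.

```python
# Constructed sample records; names and the policy layout are illustrative.
PATIENTS = [
    {"id": 1, "name": "A. Patel", "address": "1 High St", "ward": "W1",
     "diagnosis": "fracture", "diet": "vegetarian", "treated_by": {"dr_lee"}},
    {"id": 2, "name": "B. Jones", "address": "2 Low Rd", "ward": "W2",
     "diagnosis": "asthma", "diet": "nut allergy", "treated_by": {"nurse_kim"}},
]

# role -> (visible fields, row scope, permitted actions). Nobody holds "delete".
POLICY = {
    "clinician": ({"name", "ward", "diagnosis", "diet"}, "own", {"read", "modify"}),
    # "name" is kept only so a meal can be matched to a patient (assumption).
    "catering": ({"name", "diet"}, "all", {"read"}),
    "receptionist": ({"name", "address", "ward"}, "all", {"read"}),
    "site_staff": (set(), "counts", {"read"}),
}

class AccessDenied(Exception):
    pass

def check(role, action):
    """Default deny: unknown roles and unlisted actions are refused."""
    if role not in POLICY or action not in POLICY[role][2]:
        raise AccessDenied(f"{role} may not {action}")
    return POLICY[role]

def in_scope(user, scope, patient):
    return scope == "all" or (scope == "own" and user in patient["treated_by"])

def read_patients(user, role):
    fields, scope, _ = check(role, "read")
    if scope == "counts":  # site staff see ward totals, never individual rows
        counts = {}
        for p in PATIENTS:
            counts[p["ward"]] = counts.get(p["ward"], 0) + 1
        return counts
    return [{k: v for k, v in p.items() if k in fields}
            for p in PATIENTS if in_scope(user, scope, p)]

def modify_patient(user, role, patient_id, field, value):
    fields, scope, _ = check(role, "modify")
    for p in PATIENTS:
        if p["id"] == patient_id and in_scope(user, scope, p) and field in fields:
            p[field] = value
            return True
    raise AccessDenied(f"{user} cannot change {field} on record {patient_id}")

def delete_patient(user, role, patient_id):
    check(role, "delete")  # raises for every role defined above
    PATIENTS[:] = [p for p in PATIENTS if p["id"] != patient_id]
```

The same table answers the first two questions of the activity below: who can see which data, and with what level of access.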
Activity – Design a data security, privacy & integrity policy for a school or society (such as your local scout association group)
- Who should have access to what data?
- What level of access should they have to that data (read / modify / delete)?
- How should data be backed up? Where? How often?
- What physical security, privacy and integrity measures will be taken?