Security, Privacy & Integrity of Data

Security

Data Security

Data security is concerned with stopping unauthorised access to computer systems and the data they hold. Common threats include hacking, social engineering and accidental distribution of sensitive data. There are many examples of businesses and organisations that have been badly affected by breaches of data security. In government and medical systems, this can often result in serious harm to individuals.

Data Security vs Computer Security

Security can be split into two components, both of which are equally important – data security and computer/system security.

Data is often sent across the internet and other networks over media that are unsecured or easy to intercept, so the data itself must be secured. This is typically achieved through authentication, encryption of the data, end-to-end encryption of network connections, and the use of public and private keys.

Privacy

Data Privacy

Data privacy is the process of ensuring that those with authenticated access to systems and data only view the data they should be allowed to view. Deciding who should have access to what information should be a management/leadership team decision, and this should lead to the implementation of procedures to control the flow of information. User Access Levels (UALs) should be implemented within computer systems and networks to ensure that database management systems (DBMS) only allow users access to the information they are permitted to access.

Example: Hospital

  • Nurses & doctors should only have access to medical information regarding the patients they are treating.
  • Catering managers should have access to all patients’ data, but it should be limited to their dietary requirements and preferences.
  • Site staff should only have access to the number of patients in each ward and the equipment/stock requirements for each ward.
  • Receptionists should only have access to limited information about a patient (such as name, address, ward number etc.) but will need access to all patients.

Integrity

Data Integrity

Data Integrity is concerned with preventing data from being corrupted, deleted or otherwise rendered inaccessible.

Data integrity is maintained through a number of different technologies and procedures, each of which is important and serves a different purpose.

Disk Mirroring

Disk mirroring is a technique where the contents of a hard drive are mirrored on one or more other hard drives, usually in a RAID configuration.

This has the following advantages (depending on which form of RAID is used):

  • Faster access to data, as multiple hard drives can be read from or written to simultaneously. This is especially important in systems that experience high demand for data or surges in demand (such as festival ticketing websites when tickets are released).
  • Near-immediate system recovery after a hard drive failure.
  • Longer life-span of individual drives, as the read/write work is spread between the drives.

Onsite and offsite backups

As well as using RAID drives, daily, weekly and monthly backups should be taken, and these backups should be kept both onsite (for fast access in case of a hard drive failure) and offsite (in case of a fire or break-in).

System Security

An increasingly common form of attack is a ransomware attack, where a hacker gains access to a computer system and encrypts the data held within it, then demands money (often in bitcoin, which is difficult to trace). To protect against this, system managers should ensure that virus protection, software and authentication systems are kept up to date. Backups should also be stored separately from other data.

User Access Levels

Perhaps the most common reason for loss of data is accidental or malicious action by individuals within an organisation who delete or otherwise corrupt data. This threat can be mitigated through the use of User Access Levels: giving users read access to sensitive data, but not giving them delete or edit rights.
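The hospital roles from the Data Privacy section and the read / modify / delete distinction above, as one added example written for this page (not code from any real DBMS). The role names, field lists and patient records are constructed to mirror the hospital example; the POLICY table and function names are assumptions.

```python
# Added example: a minimal user-access-level (UAL) check. Roles, fields and the
# patient records are constructed to mirror the hospital example on this page.

PATIENTS = [  # constructed sample records; treating_staff = who is treating them
    {"id": 1, "name": "A. Patel", "address": "1 High St", "ward": "3",
     "diagnosis": "fracture", "diet": "vegetarian", "treating_staff": {"nurse1", "dr_k"}},
    {"id": 2, "name": "B. Jones", "address": "9 Mill Rd", "ward": "3",
     "diagnosis": "pneumonia", "diet": "low sodium", "treating_staff": {"dr_k"}},
    {"id": 3, "name": "C. Lee", "address": "4 Oak Ave", "ward": "5",
     "diagnosis": "asthma", "diet": "none", "treating_staff": {"nurse2"}},
]

# Policy per role: visible fields, whether rows are limited to the user's own
# patients, and the operations permitted. Note that no role gets "delete".
POLICY = {
    "clinical":  {"fields": {"id", "name", "ward", "diagnosis", "diet"},
                  "own_patients_only": True,  "ops": {"read", "modify"}},
    "catering":  {"fields": {"id", "ward", "diet"},
                  "own_patients_only": False, "ops": {"read"}},
    "reception": {"fields": {"id", "name", "address", "ward"},
                  "own_patients_only": False, "ops": {"read", "modify"}},
    "site":      {"fields": set(),  # aggregate counts only, no patient fields
                  "own_patients_only": False, "ops": {"read"}},
}

def allowed(role, op, field=None):
    """True if the role may perform op (read/modify/delete), optionally on field."""
    rules = POLICY[role]
    if op not in rules["ops"]:
        return False
    return field is None or field in rules["fields"]

def visible_patients(user, role):
    """Rows and columns the user may see: row filtering first, then column masking."""
    if not allowed(role, "read") or not POLICY[role]["fields"]:
        return []
    rows = PATIENTS
    if POLICY[role]["own_patients_only"]:
        rows = [p for p in rows if user in p["treating_staff"]]
    return [{k: v for k, v in p.items() if allowed(role, "read", k)} for p in rows]

def ward_counts(role):
    """Site staff get only the number of patients per ward, never the records."""
    if not allowed(role, "read"):
        return {}
    counts = {}
    for p in PATIENTS:
        counts[p["ward"]] = counts.get(p["ward"], 0) + 1
    return counts
```

A real DBMS would express the same rules as views, row-level security and GRANT statements rather than Python, but the two checks (which rows, which columns and which operations) are the same.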

Resources

Activity – Design a data privacy policy for a school or society (such as your local scout association group)

  • Who should have access to what data?
  • What level of access should they have to that data (read / modify / delete)?