Information is a vital resource and most organizations are investing heavily in its management. It is therefore critical to protect data and information from accidental or deliberate unauthorized modification or destruction. The information system itself must
be protected from unauthorized interference so that it continues to meet its objective of continuing to provide information to various users.
(i.) Make two recommendations on physical security measures your organization‘s information system
(ii.) Explain how ―Backup‖ and ―Uninterruptible Power Supply‖ are security measures.
(iii.) Discuss two security features that most operating systems have.
(iv.) Name two disasters that information systems should be guarded against.
(v.) Why do you think an information security policy is necessary for your organization?
b) Computer viruses pose a danger to the integrity of micro-computer systems. Fortunately a variety of anti-virus tools are available to detect, identify and remove viruses using a wide range of techniques.
(i.) What is a computer virus?
(ii.) Name two anti-virus tools.
(iii.) Suggest two administrative measures that your organization should take to check the threats of computer viruses.
(iv.) Name two environmental factors that should be controlled so that they do not affect the operation of the computer.
a) (i) Recommendations on physical measures:
1. Use of receptionists and guards to control access to computer rooms.
2. Use of mechanical locks and keys to control access to computer rooms.
3. Use of electronic systems such as electronic door locks to control access.
4. Computer buildings should be designed unobtrusively as possible- notices which identify the function of the building should be avoided.
5. Cameras could be used to detect break-ins into the organization.
6. Computer terminal locks could be used to prevent the organization‘s computers from being turned on or the keyboards from being used.
7. Alarms could be used to detect break-ins.
8. Report/documents distribution carts should be covered and locked and they should not be left unattended.
(ii) “Back up” refers to the process of maintaining a duplicate copy of the data of an information system at the same site or at a remote site as a contingency measure in case the original copy of the data is lost or destroyed.
―Back up‖ thus secures and information system‘s data from loss or destruction providing an additional copy of the data.
“Uninterruptible Power Supply” (UPS)
This prevents the loss of unsaved data during power blackouts providing an alternative supply of power. Users working on the computer can thus working on the computer
UPSs secure an information system from data loss due to power failure. Before a power blackout, data that is being worked on is normally held in the primary memory (RAM). RAM is usually volatile meaning that the presence of data depends on the availability of power. UPSs restore supply of power immediately after a blackout has occurred thus ensuring that data held on RAM is not lost.
They also secure information system equipment from damage due to voltage surges.
(iii) Security features of most operating systems:
1. Logon-Ids And Passwords
This feature is provided operating systems such as Windows 2000, Windows XP, Linux and Unix. Such operating systems prompt the user to supply a logon- Id and password before he/she can be granted access to system resources.
2. Audit Trails
These enable attempts at unauthorized access to be logged.
3. Data Encryption
Most operating systems provide a facility for data encryption to protect data that is stored on a computer or data in transit. With data encryption, the data is coded using a key and it can only be decoded a user possessing the decoding key.
4. File Access Permissions
Operating systems could restrict the operations performed on a file (e.g. read, write, modify) or the type of users who can access a file (e.g. normal user, administrator or power user) based on preferences supplied the systems administrator.
5. FILE RECOVERY UTILITIES e.g. Recycle Bin in Windows range of operating systems.
These enable accidentally deleted files to be recovered since all deleted files are directed to a temporary storage location before they are permanently removed from the system.
(iv) Disasters that an information system should be guarded against:
1. Utility outages e.g. power blackouts.
2. Equipment failure.
3. Viruses i.e. programmed threats.
4. Water, leaks, toxic spills.
5. Foreign intelligence.
6. Human error.
7. Disgruntled employees.
8. Dishonest employees.
9. Greedy employees who sell information for financial gain.
10. Outsider access- hackers, crackers, criminals, terrorists, consultants, ex- consultants, ex-employees, competitors, government agencies, spies (industrial, military, etc), disgruntled customers
11. Acts of God/Natural disasters- earthquakes, floods, hurricanes.
12. Accidents, fires, explosions.
(v) Importance of an information security (IS) policy to an organization:
1. To provide guidelines to organizational staff on information security procedures.
2. The presence of of an IS policy shows that the organization is committed to ensuring integrity of the information is handles. This thus enhances a company‘s corporate image.
3. An IS policy could be used as evidence to show that an organization did its best to provide information security in cases where law suits are filed against an organization.
4. When followed, an IS policy could actually ensure that the IS is secure from most of the threats it faces.
b) (i) Computer
This is a generic term applied to a variety of malicious computer programs. These malicious programs affect other computer programs and data in a computer system.
(ii) Antivirus tools:
o Norton anti-virus software; o Mc Afee;
o AVG, etc.
(iii) Administrative measures that may be used to check the threats of computer viruses:
1. Update virus scanning definitions frequently;
2. Have vendors run demonstrations on their machines, not yours;
3. Shareware should not be used without first scanning the shareware for a virus;
4. Review of anti-virus policies and procedures at least once a year;
5. Field technicians should scan their disks on a test machine before they use any of their disks on the system;
6. The network administrators should use workstation and server anti-virus software;
7. A virus eradication procedure should be prepared and a contact person identified;
8. Users should be educated about virus policies and procedures;
9. Commercial software should be scanned before it is installed to detect Trojan horses (viruses or worms);
10. Systems should be built from original, clean master copies. Booting should be from original diskettes whose write protection has always been in place;
11. All diskettes with .EXE or .COM extensions should be write protected;
12. All servers should be equipped with an activated current release of the virus detection software.
(iv) Environmental factors that should be controlled so that they don‘t affect the operation of the computer:
1. Ventilation- it should be adequate to prevent hardware equipment from overheating.
2. Dust- should be minimized. Dust could damage a hard disk resulting in a disk crash if it‘s allowed to accumulate inside the computer system unit.
3. Moisture- should be minimized to avoid damage of equipment through short circuits.