a guest
Apr 22nd, 2017
Organisational System Security – Assignment 2

Introduction
This document will contain information regarding the different policies and guidelines which are used within organisations to assist with the IT security issues that most are forced to face. There will then be a follow-up explaining how organisations use employment contracts and how they affect security. All businesses need to consider laws regarding the security and privacy of data, so there will be an explanation of the laws which protect sensitive data and of how creators of original work are protected and rewarded. There will then be an examination and explanation of ethical decision making in organisational IT security within Hull College, along with real-life examples covering who makes the decisions and whether they are fair for the students and employees. To conclude, there will be a full evaluation of the existing security policies used in Hull College, showing how efficient they are and the faults which could be improved.

Policies and Guidelines for Managing Organisational IT Security (P4)

Introduction
This section of the document will focus on the policies and guidelines which all organisations put in place to prevent as many disasters as possible. These cover as many problems as the organisation can think of, by looking at some of the common security threats all organisations have. Some of the policies will cover topics such as password strength, to make sure all user accounts and emails are protected, the limitations students and lecturers have when it comes to using the Internet, and even the devices brought in by employees.
Policies and Guidelines
Policies and guidelines are documents which can also be seen as rules for the employees; they must be carefully read through to ensure that all are understood and none are broken. They inform members of staff what they can and cannot do for the sake of security, and a large number of topics are covered to try to prevent as many problems as possible at an early stage. Employees need to agree to them in order to work, and do so when they sign the contract on accepting the job offer. There are many threats that organisations need to face, and most of the policies and guidelines will educate the employees on the matter and prevent or minimise the risk. The following information discusses some of those threats and how some of the known policies prevent them.

Data Leaks / Breaches
All organisations will at some point have sensitive material stored on their systems; this could be something such as the financial information of a customer, or of a student in the context of Hull College. A huge risk that comes with this is that if there is ever a data leak or breach, that information could end up in the wrong hands. This could occur through a disgruntled employee looking to get back at the organisation and taking advantage of their level of access to publish the data, or there could be a breach by an external attacker brute-forcing their way into the network.
If certain information is leaked it can lead to a lawsuit against the business, as it did not go out of its way to protect the information and did nothing to prevent the leak. This can of course be prevented, or at the very least have its risk minimised, by having certain policies and procedures in place: limiting what every employee has access to and having contracts in place to punish them if the rules are broken. Data leaks and breaches are very common in businesses, so it is crucial that a heavy amount of planning goes into writing the guidelines and policies, as a simple mistake could leave systems and data vulnerable.
Hull College do have several policies in place to protect against this: all employees are very limited in the information they can access, and everything they do is monitored under the “Acceptable Use” policy that they agree to upon signing their employment contract. Some employees have been known to access fellow employees’ computers if they are left unlocked or have simple passwords, but there is a unique “Password Policy” in place to prevent this. It educates users a little on their security, especially their password choice, and tells them to ensure that whenever they leave their systems unattended they are either locked or signed out.
Lack of User Knowledge
One of the largest security threats known to organisations is employees lacking knowledge when it comes to IT security. Sometimes employees are careless with their files and passwords, sharing their information with other employees. Employees have been known to write down their passwords and leave them on their desks to remember them, but this leaves their accounts at risk, as anyone could approach the system and sign in to gain access to all the information saved on that user account, or even use its level of access to look at files they wouldn’t ordinarily be able to see.
If Hull College was being targeted and phishing emails were sent to several employees, anyone with no knowledge of the subject could easily give up all their financial information and lose everything, so it is very important that there are policies and guidelines in place to explain these risks, educate the employees about them and do the best to minimise them. In this case, having the employees use easy-to-remember but strong passwords to access their systems can protect a lot of confidential data, and educating them about phishing emails will alert them to pay no attention to such emails once they are received.
As previously mentioned, employees can be careless with their files; this can be the data stored on their system or even physical copies. It is essential that they are informed not to take any data off-site, as that makes it very easy for someone to steal it from the employee. There need to be strict rules on what information can be taken off-site, if any at all. Hull College do have a policy regarding this: no sensitive information regarding students or employees is allowed off the premises, but data that could be obtained by a member of the public and would cause no harm if someone else looked at it is fine to take, though it should still be taken care of. The policies informing employees with little knowledge of IT security are very helpful and massively decrease the risk of information being leaked or even malware being downloaded onto the systems.
Internet Use and Software Installation
The Internet is a very useful thing: anyone can find any piece of information or software download if it has been made public by someone. Although this is very efficient and useful for businesses, there is also risk. It’s great to have software installed on the college network to allow computing students to practise coding, or to have art students develop their skills in graphic design, but not all websites or software on the Internet are trustworthy. That’s not to say that every website is bad, but there are a ton that are out to cause damage.
If a malicious piece of software is downloaded it can easily work its way around the network damaging, removing or stealing data, and it can also contain key loggers which put user account credentials at risk. If there are no off-site backups then that will mean a ton of data loss, which is always tragic in a business; at Hull College it would cause a lot more work to have the data recreated. If the software steals the information and makes it public that can cause another problem, especially if it contains sensitive material; as previously stated, having confidential information made public, especially if it regards students, can lead to a lawsuit. There are programs which remove this type of software, but there are also policies which could remove that risk by limiting what the Internet can be used for.
Limiting Internet use can be a positive and a negative: it can be helpful in preventing malicious software being downloaded onto the systems, but it will also limit lecturers from installing software to use in lessons unless they contact IT services beforehand, which just adds more work. This doesn’t just limit software downloads, but also some time-wasting websites. It is very easy for students and employees to get distracted by shopping websites, social media and video sharing sites such as YouTube. This is why Hull College does have policies in place limiting the websites students and lecturers can access; only IT services can install software, once they have had a request and know it is safe to download.
Data Loss / Theft
This issue relates to data leaks and breaches in some ways but also comes with its own risks. Data loss is a huge problem; it could occur through a system failure or accidentally through an employee. Then there is theft, which could either be done by an employee with malicious intent or by an outside attacker. If there are no policies informing members of staff how to handle information and keep it secure from attackers then it can be left vulnerable, especially if there are no backups.

It is crucial that organisations take regular backups of their systems so that if anything gets corrupted or deleted it can be recovered. Annoyed employees have sometimes been known to delete all the data on systems before they quit, and if there are no backups then the organisation would be left with absolutely nothing, which could either shut down a company or cost it tons of money. On the current Hull College system there are backups every night; this occurs when there are no employees on their systems, so there is no downtime. The backups are sent to an off-site facility so that if anything happens on the college network they will still be able to recover. Inactive data is also kept for 180 days, so employees can be sure they won’t use the information again before it is removed.
Man in the Middle
Another security risk that organisations face is a man in the middle attack. Hull College has connections to other networks in different cities. If the connections aren’t secured then a third party could intercept the connection in the middle and read the data as it is being transmitted from one place to another. Neither network would be alerted to the issue, as no data is being changed during transmission. Here is a very basic illustration to show how the data is intercepted.

[Illustration: a third party sitting between the two networks, reading data as it passes from one to the other]

The third party will be able to see any document, image or video that is sent through this connection, which opens the risk of them viewing sensitive material. If sensitive information regarding a student is being passed to another college network and is read by someone with malicious intent, they could cause serious damage; if there is any financial information they could very easily commit fraud and, as previously stated, leave the college with a lawsuit to face.
It is essential that the college secures the connections with virtual private networks and that employees follow guidelines and send information through a secured connection, instead of through something such as their mobile. If someone has installed malicious software onto an employee’s phone and they use mobile data to send emails with confidential material, that can easily be viewed and used by the attacker. The systems exchanging information need to be directly connected to the college network and secured.

Employment Contracts (P5)

Introduction
This section of the document will discuss the use of employment contracts. Every employee must accept certain terms when coming to work for an organisation such as Hull College and will be expected to keep all data they see confidential, but the job role will decide what data they are able to view and how much of a risk it may be. If there is a higher level of access, then there will be very strict guidelines to follow in keeping the data secure.
Hiring Contract
In an organisation, when someone applies for a job there are several things that must happen before it can even be considered; the organisation needs to go through several policies and procedures to ensure that the applicant is properly qualified and doesn’t have a criminal record. Many organisations take on ex-convicts, but some, such as schools and colleges, do not hire people such as paedophiles who have been released, as it leaves the children in harm’s way.
A background check is done on any individual to ensure they won’t do damage to the organisation; if they were known to damage or steal files at a previous workplace they cannot be hired, as it leaves the organisation they are applying to at risk of the same thing happening to them. As previously stated, a check to see if they have a criminal record will also be done; if they have committed small acts such as not paying bills then there shouldn’t be a problem, but if they have been arrested several times for assault or theft the organisation is left at risk of having sensitive material stolen, as well as the safety of its employees being put at risk.
The individual applying for the job is required to sign several contracts before accepting the job role to ensure they are fully aware of the security policies and procedures, so that they do not make any mistake which could lead to harm being done to the organisation, and all of the disciplinary measures are made clear so they are aware that there are consequences for not following the rules they agreed to follow upon applying for the job role. This is all done to minimise the risk of an organisation’s security being breached.
Separation of Duties
When someone is looking to become employed by Hull College and has been interviewed, they are required to read and sign a contract before working. The job that they have applied for will decide what type of information the contract contains, although every employee will be required to abide by the policies and guidelines in order to keep the place secure. If an employee is applying for a higher-level job such as finance, then they will be given a higher level of access, as they will need to look at the financial information of employees and students on a daily basis and will need to keep it all confidential.
Separation of duties is when an employee is limited to the information required for their job role. This is done to reduce fraud or any other damage which employees could potentially do if they were to have access to information they don’t need. I will now explain each of the departments and discuss the information they are able to access and why it is important that it is separated from other departments. The requests submitted by students and employees are also divided up and sent to the appropriate departments.
Disciplinary
Sometimes employees are found to break rules or not abide by the policies which they agreed to upon taking the job role; in return they need to be disciplined to ensure they follow the rules in future. At the bottom of every policy Hull College has there is a section which informs readers of the problems that are caused when it is breached, some being worse than others, and the problems caused will decide the level of discipline. If the incident is accidental there will be almost no punishment, just a warning to be careful, but if it is intentional then the suspects will be temporarily suspended until a full investigation can take place and, if found guilty, could end up being fired. The actions the college takes are lawful and very reasonable.
The disciplinary measures Hull College have in place help security, as employees and students are less likely to do anything against the rules knowing what punishments will take place if they are discovered. This means that the slight fear of being in trouble or fired lowers the chance of an incident and helps keep the college secure, along with all of its material (hardware and software).
Employee Training
Once an individual has been accepted after a successful interview they need to be trained so they know exactly how to use the equipment and what they shouldn’t do. This is a crucial part of hiring an employee, as if they are not correctly informed of how things work it could lead to equipment being broken or even sensitive information being accessed and carelessly thrown around without a thought. To limit the risk of any negative occurrence it is very important that they are properly trained and have carefully read through each of the policies, so they know what they are limited to doing and what kind of monitoring is happening to ensure there are no problems.

Laws Related to Security and Privacy of Data (P6)

Introduction
This section of the report will focus on the laws related to the security and privacy of data; this refers to the Data Protection Act, the Computer Misuse Act, the Freedom of Information Act, and the Copyright, Designs and Patents Act. There will be an explanation of every principle and aspect of the different laws that are in place, what each of them does, and why they are all significant to protecting data and the creators of original work.
Data Protection Act
The Data Protection Act was released in 1998 to ensure that all personal information is processed and managed fairly and correctly by businesses, large organisations, and even the government. There are eight principles under this act to guide these organisations through the handling and processing of information. Hull College, for example, holds a lot of personal data on the students, so the management of it needs to be strictly taken care of. Their systems contain bank information of the students, and if this is not handled correctly it could lead to the wrong hands gaining access, which could then lead to fraud.
The first principle is that all personal data should be processed fairly and lawfully and must only be taken if certain criteria are met. The data must only be taken if consent is given; a student at Hull College, for example, would need to give consent to provide the personal information the college takes by agreeing to the terms of their enrolment. This may also be done if the data is in connection with employment: certain information must be provided in order to begin working at a business, and if the applicant does not give permission by signing a contract because they don’t want to give up the information, they have that right but most likely won’t be employed.
The second principle is that personal data should be obtained for one or more specified lawful purposes, and may only be processed for that purpose and no other. If bank details are taken from a student, the data should only be used to handle bursaries, for example; that information shouldn’t be used for any other reason. This principle also refers to the methods by which the data is obtained, which must also be fair and lawful, with a reasonable reason for needing the information.
The third principle of this act is that all personal data should be relevant and not excessive in relation to the purposes for acquiring the information. Hull College needs information such as phone numbers and email addresses of all students because they need a way to get in touch with them. If a student cannot make it to the college and has not contacted the college, an employee can then phone or email using the information the student provided to solve the issue and mark the absence as authorised.
The fourth principle of the Data Protection Act is that the information businesses, organisations and governments keep on their systems needs to be up to date and accurate. Small errors in information can cause large problems further down the line: if a student at Hull College has not updated their emergency contact information or even their address, and the student gets into an accident and needs medical attention, the college will have no way of contacting family members. On the other side of things, if a business selling food and clothing does not constantly update stock or has a slight error with it, that could lead to them losing money due to top-selling items not being in stock when customers are expecting them.
The fifth principle of the Data Protection Act refers to how the data is processed and how long it is kept after it has been used. No organisation should keep personal data longer than necessary after the purpose for it has been met. Students at Hull College will have their personal information kept on the systems until a little after they leave; a student who left the college over ten years ago, for example, will no longer have a record on the system, but a student who hasn’t attended for two years will still have a record. This allows students to contact the college years after leaving to see their grades, attendance or whatever they may need; after a certain amount of time that becomes unnecessary.
The sixth principle of the act allows the public to access certain information in accordance with the data rights under the act. This means that someone could approach an employee at Hull College and ask for information; an example could be having them provide student information to either the student or their parents, who have a right to access it. Not all information can be requested, and the organisation has forty days to provide the information to the person requesting it. This is more strongly enforced in the Freedom of Information Act.
The seventh principle of the Data Protection Act refers to the security of the information and how it is handled once it is no longer needed. This can be data stored on machines or physical copies. When they have completed their use, they need to be completely destroyed to ensure no unauthorised person can get hold of them. If Hull College had physical copies of a student’s personal information (their phone number, email address, home address and contact information), that would need to be shredded and not just thrown away, as files thrown away could be picked up by anyone. If the records are on the machines and are ready to be removed, the college would need to ensure that the files are deleted, the backups are deleted, and the recycle bin is emptied so that no one can simply recover them and make copies. This principle also helps protect against accidental loss, destruction or damage of the files. It ensures the information is handled correctly.
The eighth principle of this act is that personal data should not be transferred to another country or territory which doesn’t have the same data protection rights. If Hull College, for example, was moving a student’s record to a country which doesn’t have any protection rights, the data would be at risk of being used for the wrong things, being kept for longer than necessary, and being damaged. There are then further problems which could be caused by this, such as a lawsuit being filed against the college for allowing personal information to get into the hands of unauthorised personnel by moving the record to a place with different data rights.
The Data Protection Act differs depending on what the information is and who is requesting it. If an employee at Hull College in the finance department requests some personal data regarding a student which is needed for their work, that is completely fine, but employees in other departments can’t request that same information, as it is sensitive material and they have no need for it.
This differs for students at the college, as they can request personal data on themselves; some employees will also be able to request similar data but will be limited depending on their role at the college. Members of the public with no connection to the college, on the other hand, will not be able to access as much information as the students or employees. They can request some information under the Freedom of Information Act, but that is limited; they cannot request personal information on the students.
Computer Misuse Act
The Computer Misuse Act came around in 1990 and was designed to protect machines against attacks, so that information isn’t damaged, stolen, or used in a way that it wasn’t meant to be. The most common offences known under this act include hacking to gain unauthorised access to a machine or information which the attacker wouldn’t otherwise be able to access. Another is purposely spreading malware on a system in order to cause as much damage to it as possible. These issues can cause many problems for businesses and lead to them losing a ton of money, and can lead to colleges losing their reputation by allowing such information to be accessed without authorisation.
One of the offences this act recognises is unauthorised access to computer material. As previously stated, this offence would include hacking into a machine to gain access to data which the attacker wouldn’t otherwise have access to. There are other ways for people with malicious intent to gain access to this material, which is another reason why this act was introduced: to educate organisations about the risk, and to assist in protecting them and the data stored on their machines. Sometimes employees at a business try to cause as much damage as they can before they quit or move away; if an employee at Hull College had malicious intent they could find ways to access machines and cause damage. Sometimes people forget to lock their machines or log out of their user accounts, and that makes it very easy for people to do damage or steal students’ personal information. These problems encourage organisations to introduce policies to ensure people are correctly securing their systems and data. Using an unlocked machine does not necessarily mean that someone wants to do damage or commit a crime, but it would still be using it in the wrong way.
The second offence that the Computer Misuse Act recognises is unauthorised access with the intent to commit a crime. As I previously mentioned, employees with malicious intent could quite easily access another employee’s account if that employee is careless and forgets to lock their account every time they leave the machine. If a worker at Hull College in the finance department leaves their computer unlocked and another employee accesses it, they could obtain information such as student bank details, and they could easily use this to commit fraud, which is a crime. The Computer Misuse Act educates organisations about this and encourages policies to be put in place to ensure that all data is protected by the employees, as well as their machines.
The third offence that the Computer Misuse Act recognises is the unauthorised modification of computer material. This means that any data stored on a computer system within a business should only be modified by the employees in that department and the employees who use the specific machine daily. As previously stated, an employee at Hull College could accidentally leave their machine logged in, leaving it accessible to anyone who notices it. This doesn’t mean that whoever finds it has malicious intent and is going to do something negative, but they could modify information to benefit themselves. This leaves faulty data, which is never good in a business.
This also means that the hardware could be modified; an employee could easily approach a machine and switch out the hard drive if they know what they are doing. This would allow them to take whatever information was stored on that specific machine. This can be protected against by using case locks to secure the hardware.
The fourth offence of the Computer Misuse Act is making, supplying or obtaining anything which can be used in computer misuse. Hull College has a lot of personal data stored on their systems and, with the separation of duties, certain people have access to certain information; providing the login details of an account containing sensitive material to a fellow employee would be supplying them with the means to commit an offence under the Computer Misuse Act. This can be a more difficult offence to protect against, but there are policies and information in contracts which instruct employees to keep all of their usernames and passwords private, to protect all the information they can access.
Freedom of Information Act
The Freedom of Information Act came around in 2000 and provides the public with access to information which is held by public authorities. This means government departments, local authorities, the NHS, schools and police forces are required to provide information to the public if it is requested. Although they are required to provide this information it isn’t always free; if a lot of data is requested it can take quite some time filtering it, processing it and printing it to provide, and this costs organisations time and money, so a fee can be asked for. This does not mean that people can request personal information about themselves from every organisation; to do that they would need to make a request under the Data Protection Act. The Secretary of State decides which public authorities are obliged to provide information and what information some of them can keep private.
All public authorities are obligated to publish information regarding their activities. Public authorities spend money which was collected from taxpayers, and this allows the public to keep an eye on what the money is invested in, to ensure it isn’t going to waste. This makes them accountable for their actions if they have a significantly negative effect on the public’s lives. This act allows the public to put their trust in the public authorities, as they can access some of their information to track how productively the money is being used. There are four key principles behind the act.
The first principle of the act is that everybody has a right to access official information, although if there is a good reason the authority has the right to keep some private and reject the request for it, as long as this is permitted by the Act. An example of someone being able to request information from a public authority is a student; they could request information from Hull College regarding the average grades of Next Gen Computing students over the past four years. They have every right to ask for the information and nothing sensitive is being given, so the college has no choice but to provide the information. It shouldn’t be a problem, but could take a small period of time to acquire and prepare it.
The second principle under the Freedom of Information Act is that any person that requests information from a public authority doesn’t need to and shouldn’t be forced to justify their reasons for wanting it. If the organisation wants to refuse the information, on the other hand (because the information is private and refusal is permitted under the act), it must justify this and the justification must be reasonable. As I previously stated, a student could request information from Hull College on the average grades of students; they don’t need to explain why they want the information, but if they requested the financial information of students then the college is justified in denying the request, as it cannot give out sensitive material such as the bank details of students.
The third principle under the Freedom of Information Act is that public authorities must treat all requests for information equally unless the request is for personal or private data. It doesn’t matter if the person is a journalist, a local resident, a foreign researcher or a student; it shouldn’t affect the information they can get under this act. As stated in the second principle, they do not need to justify their reasons for wanting the information and it doesn’t matter who they are; they have a right to access official information.
The fourth principle under the Freedom of Information Act is a follow-up to the third principle: the person requesting the information should not affect the information they can get under the Act. This also means that public authorities shouldn’t release information to certain people because of their relationship (this could be a friend, a family member or just an old contact) unless they were prepared to provide that information to any member of the public who also requests it. If a student at Hull College knew an employee outside of college and had a long history with them (they could be a friend of the family, or even a neighbour), the employee shouldn’t provide the student information because of their relationship unless they would release it to anyone who requests it.
  93. Copyright Designs and Patent Act
  94. The Copyright Designs and Patent Act came around in 1988 to protect the creators of original pieces of work, this ensures that their time, money, and effort isn’t wasted and they are given full credit of all of their work and punishes the people who steal it. Some of the creators involve artists, music creators, film writers, authors, or even companies which design applications.
  95. Many creators are known to spend years on projects, even artists can take months to even gain inspiration before creating a piece, it isn’t fair for all the time to be wasted once they have produced their own work. If an employee creates a piece of work for an organisation within their property, the rightful ownership goes to the organisation.
  96. An example of this Act protecting original work can be seen at Hull College, an employee can only photocopy five pages of a book before needing to purchase it. The printers on the property monitor what is being copied and printed to ensure that the employees are not breaking the infringement protection original work.
  97. The first purpose of the Copyright Designs and Patent Act is to ensure that all creators are rewarded for the time, effort, and money they put into creating their products. Things such as names, titles, and short phrases aren’t enough to be covered by the act but original logos, music pieces and such are. The creators of the work are able to sell the ownership to another party or request a payment every time their work is used. This tends to be the main source of money for creators; they sell on their pieces or make money be allowing the public to view them at galleries, cinemas, and TV.
  98. The second purpose of the Copyright Designs and Patent Act is that all original work is protected; no one should be able to use it to make money or claim as their own if it is copyrighted and they can be sued if they do. Many YouTube videos tend to contain copyrighted content, to punish them their videos are taken down and their channels are given a strike. If they receive three strikes their channel will be shut down, and if it’s just the one it takes down the video containing copyrighted content and stops them from making money and gives it to the rightful creator. If someone has been caught using copyrighted material only the owner or an exclusive licensee will be able to bring it to court against the infringement to sue.
  99. Although this Act protects original work, after they pass away it no longer belongs to anyone, meaning that the rights have duration. Depending on what the work was will decide on how long after the creator dies the work will become available for public use. If the work is dramatic, a musical, or artistic then the work will become available to the public after seventy years, from the end of the calendar year. If the work contains sound recordings or broadcasts, then the work becomes available after fifty years from the end of the calendar year from the creator’s death.
  100. If the work is a film then the work will also be made available to the public after seventy years from the end of the calendar year following the creator’s death. Finally, if the work is a typographical arrangement of published editions, then it will become available twenty-five years from the end of the calendar year from the first time the work was published.
  101.  
  102.  
Ethical Decision Making in Organisations (M3)

Introduction
In this section of the document there will be a discussion of ethical decision making in an organisation such as Hull College. Some of the decisions made in the college could potentially conflict with privacy and with laws, such as freedom of information versus privacy on CCTV. There are many arguments over things such as the computer systems (some courses have more expensive equipment when it is needed elsewhere), and there will be a discussion of this topic as well as thoughts on the process and changes that could benefit the college.
Freedom of Information Act versus Privacy
Organisations tend to have CCTV cameras set up in various places around and inside their facilities to ensure no criminal activity is committed, and if something does happen, all of the evidence as well as the suspects can be seen in the footage. Then there is the conflict of interest, as some people complain about their lack of privacy. Some people do not like to be monitored and filmed all day, but it is essential that security can keep an eye on exactly what is going on throughout the day, and employees or students should only be filmed if the proper permission has been given.
An example of this is when a student enrols at Hull College; they are asked to sign a document which gives the organisation permission to take videos or photographs of them. If a crime has been caught on camera, some people can use the Freedom of Information Act as a way of gaining access to the footage, which may contain videos of people that do not wish to be seen. Each individual should first be asked if they are fine with being seen in the video; otherwise they should be blurred out, as they should not be filmed if it makes them uncomfortable.
Print Credit
In organisations such as Hull College the students are required to use their own money to pay for print credit in order to use the printers. It is 4p per page, but when there are large pieces of work to be printed it soon adds up. At this point there is no alternative way of submitting assignment work to the lecturers: if it is emailed in, the students are still required to print out a hard copy, so if they do not have a printer at home they need to spend money to use the college printer, and some of the work is very long. Many people can see this as ethically wrong; although it does cost the organisation to buy the printers and to constantly stock up on paper because of the large amount used, giving students no alternative way to submit their work can be seen as very unfair.
Computer Systems
In organisations, some departments tend to have more advanced machines, but the important decision is who gets them. In Hull College, the creative media students have much more expensive systems which are up to date, whereas the computing students are left with old and slow systems with years-old software; by the time they get into work in the sector they end up being years out of date with the software and will have no idea how to use it.
The IT department are the people who decide who gets the systems, but they do not take views from the students, or if they are given them, they don’t take them into consideration.
Bad Decision Making
Bad decision making in an organisation can lead to various problems, some even leading to thousands of pounds being wasted. An example of bad decision making can be found at Hull College: recently someone made the decision to spend around £100,000 on Surface Pros for employees. After they had been extremely locked down they were given out to some higher-up employees. Many were found to be broken, but all of them were so locked down by the IT department that they were almost unusable, as no application could be downloaded and they were extremely limited in what they could actually do. Now the college is left spending more money on repairs for hardware that most of the staff will end up not using, or breaking due to lack of experience. A

Existing Security Policies used in Hull College (D2)

Introduction
This section of the document will cover the existing security policies and guidelines in Hull College. There will be an explanation of each individual policy, showing exactly what each does and why each is uniquely important in helping the college. If employees do not follow these they can be punished; the severity of the offence decides the punishment. The policies are reviewed every two years or so, unless there is a major change which requires immediate attention and action. To conclude there will be a final examination to decide how efficient they are and what the experience is like for the end users.
Acceptable Use Policy
The first policy to be explained is the acceptable use policy; this refers to the underpinning commitment of the college to ICT security and data compliance. It is important that all students and members of staff are aware of this policy, as it ensures that they know what is acceptable and what they are responsible for. The equipment provided by the college should only be used for work-related purposes; this policy outlines inappropriate use, and the user’s access will be revoked while an investigation is completed to determine what disciplinary action should be taken.
Hull College owns all the computer systems; they are only there to assist with and improve the performance of work. This means that the college has the right to monitor everything the employees and students do with them. There are regular sweeps of the ICT systems, such as the Internet activity logs, to check for any inappropriate files or websites. This is because employees in some organisations have been known to view pornographic videos or images, which is strictly prohibited, so monitoring the systems helps prevent it from being accessed. This can also help to determine which websites are time wasters and have them blocked from the network to improve productivity within the college.
There are many things which this policy marks as unacceptable to the college: any activity that is considered unlawful isn’t permitted. Any transmission of offensive or obscene images, data or material is unacceptable, along with transmission of any material which might be considered an annoyance. The same goes for material which infringes the copyright of another person. Any deliberate access to facilities which the student or employee wouldn’t usually be able to access, or any other reckless activity, is unacceptable. Purposely corrupting, distributing or taking other users’ data without permission is not allowed, especially if it is accessed by violating the privacy of another user.
The acceptable use policy contains a bulk of information stating exactly what is not acceptable; it is very informative and focuses only on unacceptable behaviour on the ICT systems. Although it is essential that everyone reads the policy, most of the information is common sense, so if the students and employees think carefully about their actions there shouldn’t be any problems.
This policy is very efficient as everything the students and employees do is monitored, so there’s always evidence to back up claims of unacceptable use of the systems. This however doesn’t leave a great experience for the end users; from personal experience I can say that the systems are slow and locked down. This is positive in some situations, but a lot of software that is easy and safe to install can’t be installed by the lecturers or students; it needs to be requested and then one technician goes onto each machine and installs the software. That process is in no way efficient and wastes a lot of the students’ time, as they need to wait for the process to be complete before they can move on with their studies. Some websites that are genuinely informative are blocked because IT services believe they are inappropriate. I would say that this policy is helpful and the security measures are worth it, but there should be some alteration as the end user experience is terrible.
Password Policy
The password policy refers to the college’s commitment to data security. If other students or employees figure out the password to another user’s account, it leaves all that user’s data at risk. The default password given to a student is unique to them rather than shared with other students (usually it is based on their birthday), but it should be changed as soon as possible to prevent other people from logging into their account with the default credentials. Everyone needs to ensure they have a strong password: at least eight alphanumeric characters, containing both upper- and lower-case characters, with digits or punctuation. Passwords shouldn’t be easily guessable, so shouldn’t contain the user’s name, birthday or anything else about the person.
The systems alert students every 90 days requiring them to change their password, and if they do not, their details will expire. They can either go to an employee to have their password reset or use the self-service password reset feature by answering security questions which they set upon first login. No password should be shared over the phone or through email; if emails are being monitored or someone overhears the student speaking on the phone, their password will be known, which leaves their data at risk.
This policy advises students and employees never to use the “Remember Password” feature on websites they use; if a computer is left unattended and logged in, this could be used to obtain the user’s password. It is also advised that the password used for their college login isn’t used for anything else, so nobody can use it to access their emails or any other site they are registered on.
This policy is very efficient, and through personal experience I can say that it is extremely helpful: it reminds the students to change their passwords every so often to keep their data secure, and is extremely simple to work with if a password is forgotten, thanks to the self-service password reset. There aren’t any negatives on the end users’ side and all of the security measures are worth it. These measures don’t cause huge strain on the systems, so don’t make a difference to the speed like some of the other policies do.
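The rules listed above (minimum length, mixed case, digit or punctuation, nothing derived from the user’s name or birthday, and the 90-day expiry), written out as a check that could run when a password is set. This is an added example, not the college’s own system; the account name and dates used are constructed.

```python
"""Password checks modelled on the rules in the password policy above."""
import re
import string
from datetime import date, timedelta

MIN_LENGTH = 8      # "at least eight alphanumeric characters"
MAX_AGE_DAYS = 90   # the 90-day change reminder / expiry


def _to_date(value):
    """Accept either a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def password_violations(password, username="", birthday=None):
    """Return the list of policy rules a candidate password breaks.

    An empty list means the password is acceptable. username and birthday
    are the personal details the policy says a password must not contain.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        violations.append("no digit or punctuation")

    lowered = password.lower()
    # Any fragment of the user name of three letters or more counts as
    # "something regarding the person" (jane.smith -> jane, smith).
    for part in re.split(r"[\s._-]+", username.lower()):
        if len(part) >= 3 and part in lowered:
            violations.append(f"contains part of the user name ({part})")

    if birthday is not None:
        bday = _to_date(birthday)
        # Compare digits only, so "14-03-1999" and "14031999" are both caught.
        digits = re.sub(r"\D", "", password)
        for fmt in ("%d%m%Y", "%d%m%y", "%Y%m%d"):
            if bday.strftime(fmt) in digits:
                violations.append("contains the user's birthday")
                break
    return violations


def is_expired(last_changed, today=None):
    """True once a password is older than the 90-day limit and must be reset."""
    last = _to_date(last_changed)
    now = _to_date(today) if today else date.today()
    return now - last > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample account, not a real student.
    user, dob = "jane.smith", "1999-03-14"
    for candidate in ("Summer2017!", "jane14031999", "short1A"):
        print(candidate, "->", password_violations(candidate, user, dob) or "OK")
    print("expired:", is_expired("2017-01-01", "2017-04-22"))
```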
Email Policy
The email policy refers to Hull College’s commitment to data security; this policy is in place to provide guidance on what is acceptable when sending or receiving email messages and attachments while using the college’s hardware, software or network. This also covers any person emailing from their own device while connected to the Wi-Fi that Hull College provides. It applies to all employees, students, guests, contractors, consultants and visitors, with no exceptions. It is in place to ensure the email service on the network isn’t used inappropriately or with the intent to commit a crime.
The email policy is very efficient in Hull College as it gives the college the right to monitor and, in some cases, record email messages going in and out of the college. There are checks to prevent or detect crime, investigate unauthorised use, and ensure employees are effectively using the email service the college provides. There will be a lot of emails going through the network, which is why there is an automatic message monitoring, filtering and rejecting system that will stop a user sending or receiving certain content that has been picked up by the system.
As explained in the policy, only designated members of the ICT team are able to monitor the email systems, with approval from the director of innovation and technology. There is also a disclaimer on emails containing sensitive material to ensure that the receiver of the information keeps it confidential, or legal action can be taken. The policy also points out that the email service should not be used to disrupt or corrupt other users’ data, and that activities on the service should not waste employees’ effort or networked resources.

As previously stated, this is a very efficient policy and clearly defines what is permitted and what isn’t, and what is especially useful about it is that complaints to the ICT team are taken very seriously, so any student or employee caught using the email service to send damaging or offensive messages to attack another employee or student will face disciplinary action. The monitoring prevents a ton of problems, such as malicious or offensive messages, because messages are denied if they contain prohibited words.
There are many advantages to this policy and the email service the college provides, but it does affect the end users’ experience. Some emails are prevented from being sent because they are rejected by the monitoring system when in fact there is nothing offensive or wrong with them at all; a word like “Scunthorpe” contains a word within it that the filter detects and blocks. Although it is just a place name and nothing more, it prevents any students or employees from sending emails that mention it, along with others. The monitoring also slows down the system due to the large amount of traffic the college inspects, but in my opinion it is very worth it as it prevents a lot of damage and unacceptable use.
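The “Scunthorpe” false positive described above comes from matching a blocked word as a substring rather than as a whole word. The added example below (not the college’s mail filter) shows both behaviours side by side over constructed sample emails, with a constructed one-word stand-in blocklist.

```python
"""Blocklist matching: substring vs whole-word, the cause of Scunthorpe-style rejections."""
import re

# Constructed stand-in blocklist; a real mail filter loads a far longer list.
BLOCKED_TERMS = ["ass"]


def naive_filter(message):
    """Substring match: flags a blocked term anywhere, even inside an innocent word."""
    text = message.lower()
    return [term for term in BLOCKED_TERMS if term in text]


def word_boundary_filter(message):
    """Match blocked terms only as whole words, so 'assignment' and 'class' pass."""
    hits = []
    for term in BLOCKED_TERMS:
        # \b anchors the term to word boundaries; re.escape keeps list entries literal.
        if re.search(r"\b" + re.escape(term) + r"\b", message, re.IGNORECASE):
            hits.append(term)
    return hits


def false_positives(messages):
    """Messages the naive filter rejects that the whole-word filter lets through."""
    return [m for m in messages if naive_filter(m) and not word_boundary_filter(m)]


# Constructed sample emails.
SAMPLE_MESSAGES = [
    "Please find my assignment attached for the Tuesday class.",
    "You are an ass.",
    "Meeting moved to room 12.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(f"{msg!r}: naive={naive_filter(msg)} whole-word={word_boundary_filter(msg)}")
    print("Rejected only by the naive filter:", false_positives(SAMPLE_MESSAGES))
```

Whole-word matching removes this class of false positive but will miss deliberately spaced or symbol-substituted spellings, so a rejection should be reported back to the sender rather than silently dropped.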
Internet Policy
This policy refers to Hull College’s commitment to ICT security compliance when it comes to using the Internet. Although there is a huge advantage in using the Internet to teach or learn, there are risks that could damage the college or its reputation. It can also expose the employees and students if it is not carefully managed. This policy ensures that the college has protected the users from external intrusion as best it can, and that all of the college’s images and property are correctly protected. All employees, students and guests will be monitored to ensure there is no misuse. This policy is in place, like many others, to ensure that this privilege is not abused; it is only there to provide support to the staff and students who require it, as the Internet is very effective when it comes to education.
All students, employees and guests are responsible for what they do whilst using the Internet Hull College provides. This policy explains that users should only access the Internet if they have been given authorisation and should only use the credentials they are provided with at the start of the year. It is strictly prohibited to give out your details or to use another person’s, as whatever happens under a user’s ID becomes their responsibility, and they will be punished for any inappropriate or unacceptable use.
This policy, like the email policy, is very efficient due to the monitoring system. Users in some organisations have been known to view pornographic images or videos while at work or school, and this prevents them from doing so: if a certain percentage of skin is detected on a screen, someone is alerted to what content the page provides. There are also many other websites and activities which are prohibited while using the Internet provided by Hull College.
Instruction in criminal or terrorist skills isn’t allowed, along with racial hatred, promotion of cults, gambling, and statements or content which cause offence to others. If a website is accessed accidentally the user can hit the back button immediately and face no consequence, but if it is intentional they will be subject to disciplinary action.
As previously stated, I believe this policy is very efficient in protecting the college as it clearly outlines what can and can’t be accessed while using the Internet at Hull College. All of the content is monitored and this doesn’t massively slow down browsing for users, although there is the occasional error, so the end experience isn’t really affected. The security measures in place for this policy are very worth it and are beneficial in protecting the college and the users who use the Internet.
Information Security Policy
The information security policy refers to Hull College’s commitment to data security; this policy seeks to provide a secure working environment for students and employees. Information is always available when required, and if users are granted access they are free to use it; it is also safeguarded to ensure it is up to date and at the approved version, to give the students and staff the most informative and correct content possible. The college’s assets are secured from loss, theft, fraud, damage and breach of privacy.
This policy ensures that the information accessed at Hull College is used correctly by staff, students and any guests. The acceptable uses of information are teaching and learning, research, personal development, administration and management for the college. As previously stated in this document there are laws in place to secure information; this is the policy which enforces them, ensures all employees and students are aware of what is and isn’t acceptable when it comes to information, and limits the material provided by Hull College to those who are enrolled or have a contract with the college.
Protecting information doesn’t just need software to protect the systems from external intruders; physical security procedures must also be put in place to protect the servers and the information stored on the systems. This policy also ensures that the equipment is properly secured against theft and damage at a cost-effective level, meaning that the college has secured its systems as efficiently as possible without spending more money than necessary.
In this policy it is also outlined that the director of innovation and technology is responsible for many of the security procedures; it is their job to secure the integrity of data and cold help on the systems and common access computers, as well as the integrity of network data systems accessed by authorised personnel. It is also their job to ensure that the data stored on systems and open to students is appropriate, and that everything is effectively backed up, with up-to-date virus scanning programs to secure all computers and the information stored on them.
Through personal experience on the systems I can say that the security measures outlined in this policy are very useful and do a pretty good job of keeping a lot of the data up to date, but there have been unit specifications found with very outdated information which require updates. The end user experience isn’t massively affected; users are provided with all the information they may need, while any offensive or inappropriate information that may have been saved to a machine is removed and blocked. This policy is worth the security measures but could do with some updating, as students do need to have all information up to date, especially if it is publicly on Moodle explaining one of the units the college provides.
Removable Media Policy
The removable media policy is in place to ensure that the use of removable media devices to store and transfer information by all users, employees and guests who may have access to the systems and ICT equipment is correct, does not misuse any confidential information, and that media isn’t taken off the premises without authorisation, as this tends to cause problems for organisations when information starts going missing. There are large risks when sensitive or personal information is stored on removable media, as it could easily be lost or stolen and leave what was stored on it exposed, so unless employees have been granted permission to store data on devices such as external hard drives, USBs or CDs, it must stay on the premises on the secured systems.
The security of data is at risk when removable media is used with college data: if the data is moved through the devices stated above and a user removes the device before the transfer has completed, the files could be left corrupted or damaged beyond repair, meaning that someone would have to re-create the information, which wastes time. To ensure this doesn’t happen, this policy informs each individual employee that they are solely responsible for their actions and will be punished if they aren’t careful with the devices and the information, so that nothing is compromised.
If a USB stick containing sensitive material is stolen while it is being transferred from one location to another, that data will be visible to the thief; if it contains personal information such as financial details, it would leave the college at risk of a lawsuit, as fraud or identity theft could be committed by the criminal because the college didn’t go out of its way to protect it. The removable media policy outlines that the devices should be encrypted, so if they are lost or stolen no one can view the data stored on them.
In my opinion this policy is fair, and the measures in place to ensure that all the data transferred by removable media is protected are worth the effort, as they don’t affect the end users’ experience; the policy just informs the employees to ensure that the devices are protected and handled with care to keep them as safe as possible.
Laptop and Mobile Device Policy
The laptop and mobile device policy refers to the stand-alone devices which are brought in by employees and the security measures which the college enforces on them. This is to ensure that the systems which are brought in are not exploited by someone to gain access to sensitive or personal information which is stored on the network and would usually be more difficult to access. All systems, phones and computers alike, have their own vulnerabilities, so it is crucial that they are protected as well as possible.
The owners of the computers or phones brought in are solely responsible for what happens on them and for the security they have in place to stop other people accessing information stored on the devices. This policy requires that any sensitive information stored on the devices must be encrypted and the device password protected, with a strong password so it is not easily guessed. It also requires that removable media, such as USB sticks they may use to transfer information to their computer, is also encrypted and managed correctly.
This policy outlines the problem that data is regularly updated on the college network and systems, but for the stand-alone machines they bring in, employees are required to back up the information themselves, as anything could happen to corrupt or damage the data they hold. Employees are reminded of the basic risks and the responsibilities they have when using their device: they should lock their systems when leaving them even for a short period of time, passwords shouldn’t be saved, and the passwords they use should be strong, with mixed capitalisation, symbols and numbers.
In my opinion this policy doesn’t require the employees to put any extra effort into securing their systems and information; it is basic knowledge that all of them should know, and it is very informative for educating people who lack experience or knowledge of technology or device security. The security measures that this policy enforces are very worth it and minimise a lot of risk; they also do not affect the users’ experience at the college.
Network Security Policy
The network security policy refers to the underpinning commitment by the college to network security. It ensures that the network is correctly secured and its integrity preserved, to keep the network available for all users, to ensure that only authorised users access it, and to protect it from unauthorised or accidental modification so that the accuracy and completeness of the assets and information the college stores are maintained. Every student or employee is provided with a unique ID and a password when they first join the college; those credentials are what give authorisation to access the network.

One of the risks of a network containing confidential information is that the equipment could be stolen by someone trying to gain access after being locked out by the current system, so this policy enforces physical and environmental security measures to protect the sensitive network equipment. It is kept in a controlled and secure place, and the only way to gain access is with a key card which only authorised personnel are able to use. There are other measures in place, such as smoke alarms and CO2 fire extinguishers nearby, to prepare for any disaster. This policy ensures that the entrances and exits of the server room and the building are monitored to track everyone. Although the security measures in place are somewhat high-tech, the college is trying to be as cost-efficient as possible.
The network security policy guarantees that all users of the network are provided with guidance on properly using and securing their accounts and equipment, as well as being informed of their responsibilities regarding their credentials. If a student leaves the college or their course ends, their user account will be disabled that night, but will be deleted 180 days after. Disabling the account prevents an intruder from using the account to access the network without proper authorisation.
This policy outlines the different responsibilities of employees regarding network security and how issues are to be resolved. For example, it is the responsibility of the helpdesk to ensure all faults detected on the network are logged and reviewed, and it is the ICT services network team’s responsibility to ensure that there are backup copies of the network configuration and user data, so if there ever was an accident and data was lost from the network it could be recovered with minimal data actually lost, if any at all.
In my opinion this policy is very well explained and provides various security measures in order to properly secure user accounts, the various networks the college provides, and the physical equipment. The measures are as cost-efficient as possible, which isn’t a problem, and although the network room and building are secure, it doesn’t require much manpower but does require a lot of equipment to monitor and protect it.
Access Control and Account Management Policy
The access control and account management policy refers to the systems in place at Hull College which set up the user accounts for employees, students and third parties, with at minimum a user ID and password for authorisation; the IDs are unique to each individual and are used to link users to, and hold them responsible for, their actions if they break rules whilst using the college’s services. This policy also controls which accounts have access to what kind of information and what each of them can do; the students and employees will be able to access very different things.

  173. This policy outlines the default standard level of access for all new starters and the tools which administrators can use to grant certain individuals additional access. Only ICT personnel have administrator rights to the ICT systems, and the other systems on the network are limited to the employees who require access to them to do their job. When users are first given their credentials they have a ready-made password; it is unique to them but easily guessable by others, which is why everyone is required to change their password immediately, although sometimes people forget what they changed it to. The ICT helpdesk is authorised to issue a replacement password if the self-service fails the user.
  174. As I have previously stated, once an employee or student leaves the college their user accounts are revoked; they remain in the system but no one is able to use them. It is Human Resources' job to ensure that ICT services are informed of all users who leave so that access to their user accounts can be revoked. If this policy isn't followed it leaves Hull College at risk, as a former employee could gain access to a system without proper authorisation and cause damage. The system could become exposed to malware or have files corrupted or stolen, which breaches confidentiality, since sensitive information is stored on the college's systems.
  175. In my opinion this policy is very important in the context of securing user accounts and limiting what each can access and do. This policy ensures that different departments are responsible for different things, each of which is important to the college; this is very efficient as it lowers the risk of an employee abusing their level of access, since everyone is limited in what they can access. Although the procedures assist the security of the users and the information on the systems, they affect the end users' experience quite negatively. All of the systems are locked down so they are only usable for basic things and offer absolutely no customisation for employees and students. In my opinion this is a very important policy, but it should be altered so the systems can be used as efficiently as possible without the need to go through the chain of command to get a simple program downloaded.
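The account lifecycle described in the last three paragraphs (unique IDs, a ready-made first password that must be changed, administrator-only enhancement of access, and leavers being disabled rather than deleted on HR's say-so) can be modelled as a small directory with a reconciliation check that catches the failure mode the policy warns about: an HR-reported leaver whose account is still enabled. The code below is an added illustration, not Hull College's own system or code; the role names, permission strings, user IDs and dates are constructed sample values, and the `Directory` class is hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical role-to-permission mapping reflecting the policy's principle:
# only ICT staff hold administrative rights; everyone else gets the default
# standard level of access for their role.
ROLE_PERMISSIONS = {
    "student": {"vle", "email", "shared_drive_read"},
    "employee": {"vle", "email", "shared_drive_read", "shared_drive_write"},
    "ict": {"vle", "email", "shared_drive_read", "shared_drive_write", "admin"},
}


@dataclass
class Account:
    user_id: str                        # unique per person; ties actions to an individual
    role: str
    must_change_password: bool = True   # the ready-made initial password must be replaced
    disabled: bool = False              # leavers are disabled, never deleted
    extra_permissions: set = field(default_factory=set)

    def permissions(self) -> set:
        """Effective permissions. A disabled account, or one still on its
        initial password, can do nothing except (in the latter case) change it."""
        if self.disabled or self.must_change_password:
            return set()
        return ROLE_PERMISSIONS[self.role] | self.extra_permissions


class Directory:
    """Toy account store modelling the authorisation state, not the password check itself."""

    def __init__(self):
        self.accounts = {}

    def provision(self, user_id: str, role: str) -> Account:
        if user_id in self.accounts:
            raise ValueError(f"duplicate user ID {user_id}")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        acct = Account(user_id, role)
        self.accounts[user_id] = acct
        return acct

    def login(self, user_id: str, new_password: str = None) -> set:
        """Return what a login attempt is allowed to do. On the first login the
        only permitted action is setting a new password."""
        acct = self.accounts[user_id]
        if acct.disabled:
            return set()
        if acct.must_change_password:
            if new_password is None:
                return {"change_password"}
            acct.must_change_password = False   # password replaced; normal access from now on
        return acct.permissions()

    def grant(self, admin_id: str, user_id: str, permission: str) -> None:
        """Only an ICT administrator may enhance another account's access."""
        if "admin" not in self.accounts[admin_id].permissions():
            raise PermissionError(f"{admin_id} is not an ICT administrator")
        self.accounts[user_id].extra_permissions.add(permission)

    def revoke(self, user_id: str) -> None:
        self.accounts[user_id].disabled = True  # account stays in the system, unusable

    def leaver_reconciliation(self, hr_leavers: dict, today: date) -> list:
        """Compare HR's leaver list ({user_id: leave_date}) with the directory and
        return the IDs of people who have already left but are still enabled."""
        overdue = []
        for user_id, leave_date in hr_leavers.items():
            acct = self.accounts.get(user_id)
            if acct is not None and not acct.disabled and leave_date <= today:
                overdue.append(user_id)
        return sorted(overdue)


def demo():
    """Constructed scenario: three new starters, two leavers reported by HR
    (one already gone, one leaving next month), and a reconciliation run
    before and after ICT revokes the overdue account."""
    d = Directory()
    d.provision("s100", "student")
    d.provision("e200", "employee")
    d.provision("i300", "ict")
    first = d.login("s100")                          # only allowed to change password
    after_change = d.login("i300", "N3w-Passw0rd")   # full ICT permissions
    try:
        d.grant("s100", "e200", "admin")             # a student cannot enhance access
        grant_blocked = False
    except PermissionError:
        grant_blocked = True
    d.grant("i300", "e200", "finance_db")            # an ICT admin can
    hr_leavers = {"e200": date(2017, 4, 1), "i300": date(2017, 5, 1)}
    today = date(2017, 4, 22)
    overdue_before = d.leaver_reconciliation(hr_leavers, today)
    d.revoke("e200")
    overdue_after = d.leaver_reconciliation(hr_leavers, today)
    return first, after_change, grant_blocked, overdue_before, overdue_after, d.login("e200", "x")


if __name__ == "__main__":
    print(demo())
```

The reconciliation step is the part worth running on a schedule: it turns the policy's dependence on HR informing ICT into a check that surfaces any account the hand-off missed, rather than trusting that the message always arrives.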
  176. Backup Recovery and Data Storage Management Policy
  177. This policy refers to the procedures Hull College has in place to properly manage and protect its data, as well as the methods in place to recover any information that may have been lost. As technology advances, so do organisations. Most paperwork is digitised as it is much easier to send, edit, and write. Although there are many advantages to having digital files at Hull College there are also downsides: it opens up the risk of attacks and of data loss from system errors or mistakes.
  178. This policy ensures that all data stored on the college network is backed up offsite, so if anything happens they are able to recover anything that was lost. ICT services are in charge of providing guidance to anyone who is unsure of data storage requirements. The policy specifically states that the amount of electronic data stored is continuously growing all over the world, just as it is at Hull College.
  179. Organisations are required to keep large amounts of data, even if it is only archived, so it is very important that it is stored safely, as some of these files can take a large amount of time to re-create, if that is possible at all.
  180. This policy is nothing but helpful; if the facts outlined in it weren't told to the employees and students then it would be very easy for them to lose data. From personal experience, this policy has educated lecturers, who now tell students to back up their own college work to the cloud or to home computers, so if anything is corrupted they have another copy elsewhere. These measures are well worth it and do not cause any negative experience for the end users. As explained by the IT department, the backups are done overnight, so while everyone is at home the college network is backing up the day's work to an offsite facility.
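An overnight copy to an offsite location is only a recovery mechanism if the copy can be proven intact before anyone relies on it. The added example below (not the college's backup job or any code from the page) shows the minimum a backup run should do beyond copying: record a SHA-256 manifest of every file, check the copy against the originals, and refuse to restore from a backup that no longer matches its manifest. The folder layout, file names and contents are constructed sample data; `create_backup`, `verify_backup` and `restore` are hypothetical helper names.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, backup_root: Path, label: str) -> Path:
    """Copy every file under `source` to backup_root/label and write a manifest
    of digests taken from the originals. Each copy is checked against its
    original immediately, so a bad write is caught on the night it happens."""
    dest = backup_root / label
    manifest = {}
    for path in sorted(source.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(path)
        if sha256_of(target) != manifest[rel]:
            raise RuntimeError(f"copy of {rel} does not match the original")
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify_backup(dest: Path) -> list:
    """Recompute digests and return the relative paths that are missing or
    whose contents no longer match the manifest (empty list means intact)."""
    manifest = json.loads((dest / MANIFEST).read_text())
    problems = []
    for rel, digest in sorted(manifest.items()):
        path = dest / rel
        if not path.is_file() or sha256_of(path) != digest:
            problems.append(rel)
    return problems


def restore(dest: Path, target: Path) -> int:
    """Refuse to restore from a backup that fails verification; otherwise copy
    the files back and return how many were restored."""
    problems = verify_backup(dest)
    if problems:
        raise RuntimeError(f"backup failed verification: {problems}")
    manifest = json.loads((dest / MANIFEST).read_text())
    for rel in manifest:
        out = target / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(dest / rel, out)
    return len(manifest)


def demo():
    """Constructed scenario: back up a small coursework folder, restore it once,
    then silently damage one backed-up file and show that verification catches
    it and restore refuses to proceed."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "coursework"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "lecture1.txt").write_text("Access control notes\n")
        (src / "assignment2.docx").write_bytes(b"PK\x03\x04 constructed sample bytes")
        dest = create_backup(src, tmp / "offsite", "2017-04-22")
        clean = verify_backup(dest)
        restored = restore(dest, tmp / "recovered")
        (dest / "notes" / "lecture1.txt").write_text("bit rot\n")   # simulated damage
        damaged = verify_backup(dest)
        try:
            restore(dest, tmp / "recovered2")
            refused = False
        except RuntimeError:
            refused = True
        return clean, restored, damaged, refused


if __name__ == "__main__":
    print(demo())
```

The manifest is what makes the offsite copy trustworthy months later: without it, a backup that has quietly decayed or been altered looks identical to a good one until the day someone needs it.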
  181. Conclusion
  182. This document has clearly outlined some of the threats that organisations are forced to face and what policies they have in place in order to properly protect themselves or, at best, minimize the risk as much as possible. Furthermore, there has been a discussion of employment contracts, the processes in place to properly find an employee, and the measures in place to ensure they do not breach any of the policies or the security of the organisation. There has also been an in-depth explanation of the different laws regarding the protection of data, users' computers, and original work. Finally, there was an in-depth evaluation of many of the policies currently in use at Hull College, outlining the positives, negatives, and how they all affect the end users' experience.