Malicious and Accidental Damage

Security of data means keeping data safe from accidental damage or malicious damage.

Privacy of data means only allowing authorised users to access the data.

Data integrity is the correctness of data both during and after processing.

Malicious damage is damage caused intentionally to data. This could be someone deliberately altering data for their own gain, or to cause harm to the organisation who own the data. Examples are hackers who steal bank account details, or people who send viruses through emails to cause damage to data or systems.

Accidental damage is damage caused without intent – where the person may be unaware of the consequences of their action. Examples of accidental damage are users deleting records or files unintentionally, or amending data without checking their new entries.

Consequences of malicious and accidental damage to information systems. Organisations can suffer losses of money, goods or information through computer crime and malpractice. Using a company’s IT system, payments could be diverted fraudulently into false accounts; goods could be delivered to an unauthorised destination; files or databases could be misused or copied and sold; and vandalism could destroy or corrupt data.

Weak points in IT systems

Hardware, software and human beings can all constitute weak points in an IT system. Laptops with access to networks can be a risk, as can lack of security (such as passwords) at user workstations. Data stored off-line can be vulnerable to theft and viruses can corrupt or destroy files. The human element can be hackers, outsiders or an organisation’s own staff – such as disgruntled or dishonest employees.

Internal Threats • Own staff • Theft • Vandalism • Unintentional damage – accidentally introduce a virus • Accidentally corrupt data

External Threats • Natural disasters – fire, flood, power failure • Hacking • Theft of data

Security measures that can be taken may use either physical or software methods.

Physical methods include: • Locks on workstation, keyboards or keycards • Locking doors to computer rooms • Positioning screens so that visitors are not able to see their contents • Logging off when leaving the computer unattended • Vetting visitors to computer rooms • Biometric passwords or access devices such as finger print, voice or iris recognition. • Removal and safe storage of disks and other backing storage media. • Fire and burglar alarms • Uninterruptable power supplies to prevent loss of data if the power supply fails

Software methods include: • Using passwords to ensure users are authorized. Passwords are: linked to a specific user ID; only be known to that user; made up of a mixture of letters and numbers, be difficult to guess, changed regularly, never written down or shared with anyone else. • Limiting the range of tasks that can be carried out at a particular workstation • Setting access rights which restrict the type of access to the file (e.g. read only, read/write, full access, no access). • Using firewalls to restrict access by external users over communication lines. • Encrypting stored data so that it would not make sense to anyone other than the person with the decryption key (the authorised user). • Within a software package, functions could be to lock fields and records, or to use an audible sound when data is being changed.

Internet Issues

Currently the internet is not well regulated – it is only controlled or supervised on a partial basis by some institutions. This means that people may stumble innocently across sites that contain offensive, racist, pornographic, propaganda, criminal or other harmful material.

There may also be hidden dangers, such as communicating with strangers in chat rooms, who may not be who they say they are. Disclosing personal information such as your name, address, telephone and email details can lead to harassment.

Backup Systems

Organisations should have a clear, well-organised backup strategy. The main factors that need to be taken into account are: • Medium – such as magnetic tape, CD-R/W, tape cartridge, zip drive • Location – where the medium should be stored, e.g. off site in a fire proof safe • Type – full (all data and programs) or incremental (only data changed since last backup) • Timing – what time of the day e.g. at the end of the working data, at the end of the morning shift, at the end of the week. • Frequency – every day, every week • Testing – the backup needs to be tested to ensure that it is possible to recover data from it. • Recovery procedure – this procedure needs to be clearly set out for all staff to follow.

An example of a suitable backup procedure for a student working on a project both at school and at home would be: • Take a copy • On to a memory stick or CD/RW • On a regular basis (at the end of each lesson or period at home) • Keep another copy in a safe place at home • And test to ensure that both copies work at home and at school

Suitable mediums for backing up data are: • Floppy disk – small file only • CD-R/W for large sized files (graphics and sound) • Memory sticks – for large sized files • Magnetic tape – for very large files, long term storage

Recovery Procedures

• Retrieve the backup copy from the safe location • Ensure the computer and it’s storage area are cleared of all faults • Load the medium onto a suitable device (disk drive, tape drive) • Copy the data from the backup file on to the main data storage area • Test to ensure the data has been successfully recovered

Data Protection Legislation

Computer data are potential more dangerous than paper documents because: • Data can be retrieved electronically from a computer anywhere in the world • Data can be searched very quickly to find patterns that are not obvious but that could be potentially damaging or embarrassing. • Data from a range of computers can be combined, so apparently unrelated data can produce damaging information.

The Data Protection Act 1984 and 1988 protects individuals from unreasonable use of their stored personal data. The act also controls what data is stored, the length of time of storage, and to whom the data may be passed on to.

Organisations who store personal data must appoint a data controller to be responsible for the uses made of the data. They are required to notify the Information Commissioner the details about the data they hold for the data protection register. It is a legal requirement for an organisation to apply for entry on to the Data Protection Register. A data subject is a living, identifiable human being about whom data is held.

The 8 principles of the Data Protection Act are: 1. Personal data shall be processed fairly and lawfully 2. Personal data shall be obtained only for one or more specified and lawful purposes 3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed 4. Personal data should be accurate and where necessary, kept up to date 5. Personal data shall not be kept for longer than is necessary for the purpose 6. Personal data shall be processed in accordance with the rights of data subjects under this Act. 7. Security measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of personal data. 8. personal data shall not be transferred to a country outside the European Community, unless that country has an adequate level of protection

Exemptions from the Act

All data users have to register with and pay a fee to the office of the Data Protection Commissioner, unless they are covered by one or more of a number of exemptions, including data that is: • for personal, family or recreational purposes • for the processing of information relating to wages, pensions, accounts etc; • being held in the interests of national security or for the prevention of crime; • being used for statistical or research purposes; • being used for the processing of mail-merged documents;

The Freedom of Information Act

This act was passed in 2000 but didn’t come into full effect until January 2005. This act gives individuals and organisations the right to request the official information which are held by over 100,000 generical public bodies.

• Some of these bodies include: • State schools, colleges and universities • Police forces and prison services • National archives

This information can include things such as emails, reports and minutes of meetings, and applies to all information held. Requesting information Anyone, anywhere in the world can send a request to see the information. You need to send a letter, fax or email to the relevant organisation. You do not have to explain why you want to see the information. The organisation must say whether or not it holds the information, and if it does, it must provide it within 20 working days.


Public authorities can refuse if: • The data is protected under the Data Protection Act • The request is just to cause disruption or annoyance • A similar request has been made in the past • The cost of supplying is too high

Benefits of the Act

News reporters are able to gather more in depth information, and the Act has led to a much more open society where people can be confident that things aren’t being hidden.

Problems with the Act

This act can impose a large cost on public bodies, and a huge increase in their workload. Many requests are made simply out of curiosity or to cause annoyance. If a business has a contract with a public body then details of that contract and business terms can be made publically available. This can give an unfair advantage to other firms who plan on tendering for a new contract in the future.

Computer Science

QR Code
QR Code alevel_computing_privicy (generated for current page)