
Chloe Howlett Assessment 2c 11/10/2010


Assignment 2c – Risk Assessment

Introduction

In this assignment I will be writing about the potential threats to customer data. I will be carrying out a risk assessment and investigating the potential threats to the customer data that is collected via the web, and I will also be evaluating the effectiveness of the measures and legislation that protect this data. I will be writing the risk assessment in a report format.

The main things I will be focusing on are a description of the potential threats to customer data collected by organisations via their websites, and the measures that I and other computer users can take to keep these threats away from the computer systems. I will also look at what legislation can be used to protect the customers’ data. Finally, I will write a conclusion about the effectiveness of the measures and legislation.

Threats to data

There is a vast variety of potential threats to customer data. They are separated into four groups: environmental threats, human threats, internal threats and external threats. All four categories of threat carry the same measure of risk, as you should not treat one with less protection than the others.

The environmental threats to the customer data could be earthquakes, hurricanes, power cuts/power outages, lightning and floods. These are all potential risks to the customers’ data; however, they are highly unlikely to happen in most areas. We still treat these with the same amount of protection, but focus more on the risks that are more likely to happen to the data. The human threats to the customer data could be carelessness, such as people spilling drinks or getting another corrosive product on the keyboard or other parts. There is also the threat of other people sending viruses to computers via e-mail to corrupt or damage the customers’ data so that it cannot be opened or used.

Another risk is that other businesses or people steal the data for their own illegal personal use, for example when you receive sales phone calls at home because your data has been passed on illegally. Also, files could be deleted accidentally through general human error, and this could be critical if the data is very important or needed urgently. The final two are, firstly, corrupted or damaged disks that have been used to transport the data from one computer system to another, which corrupts the file when there is no copy of it, and, secondly, hackers – these people are able to break into computers by breaking passwords, then copy the file, delete it from your computer system and use it for their own purposes or send it on to other people.

The external threats that have been mentioned above are hackers, as these people come from outside the company trying to get the data; other companies wanting the data for their own use, for sales etc.; and finally, power failure in your area if there is bad weather and you have not saved your documents, or, if the weather is very bad, the data could be corrupted on the server. The internal threats could be that the server or computers are wired up incorrectly, so that all the data that has been saved could become corrupt at any moment because the wires are all in the wrong place, or that the documents just won’t save at all if the server is wired up very badly. The second threat could be hardware or software problems in either the server or the computer machinery, or generally in the installation of the computer software, e.g. it could have been corrupted and damaged whilst installing. The final internal threat could be that there is an employee hacker in the workplace trying to get hold of the data to pass it on to other companies for their benefit.

What measures can be taken to alleviate these threats?

The measures that can be taken to alleviate these threats are, firstly, for physical security, that the company could use barbed wire around the perimeter of the building to keep the data protected from any outsiders trying to get in. They could also use locked doors and card access to actually get inside the building, and several locked doors for the room with the server inside, to keep the customers’ data secure enough. There could also be CCTV cameras in all areas of the building and outside, in case anyone determined enough attempted to enter the perimeter. Separate networks could also be used, as this separates the customer data from all the other information passing through the system.

The procedural security that could be used to alleviate these potential threats is that the company could have policies about downloading software onto the system, as this could bring viruses into the computer system and could corrupt all the data and the server if it is not spotted at the time. There should be backups of all the data so that if one system does go down, there are other copies elsewhere to be used. The backups should also be kept in a fire-safe room in case anything does happen to the building. Disk mirroring is also a good idea, as it keeps a copy elsewhere and keeps it secure.

The electronic security that could alleviate these threats is that a username and password could be used for each individual to log on to each computer system to protect all the data, but the username and password must be complicated enough that they cannot be broken easily. Firewalls could also be used, as these protect against other potentially harmful threats getting into your system via the internet when you are online and disguising themselves as other things. The computer administrator should also scan all the systems to check for any vulnerability in the system, i.e. firewalls down or the virus scanner not working. The next thing is to make sure that there is anti-virus software on all the computer systems and that scans are done daily to check for any harmful threat. The final one is encryption – this is where, if data is passed on to another computer, it is encrypted, and for people to be able to read it they will need the encryption key, which only the other person has at the other end.

The final part is human security. This could alleviate threats in that the admin should give other users of the computer system tips about what a good username and password is, so that it will be harder for a hacker to crack and any attempt could be found out earlier. Program updates could also be done, i.e. Windows updates, to make sure you have the highest amount of protection possible for the computer systems. Basic common sense is also a good idea, as it is needed in everyday life if something goes wrong or you don’t understand how to do something. Also, educating the users of the computers is necessary to make sure that they know what they are doing and what threats to look out for if they receive anything suspicious. Finally, people need to encrypt their data when it is necessary, i.e. bank details and address when buying a product online.

What legislation can be used to protect customer data?

The legislation that can be used to protect the customer data is the Data Protection Act. The Data Protection Act was brought in in 1998 and is a UK Act of Parliament which defines the UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. Although the Act itself does not mention privacy, it was enacted to bring UK law into line with the European Directive of 1995, which required Member States to protect people's rights and freedoms, and in particular their right to privacy with respect to the processing of personal data. In practice it provides a way for individuals to control information about themselves. Most of the Act does not apply to domestic use, for example keeping a personal address book. Anyone holding personal data for other purposes is legally obliged to comply with this Act, subject to some exemptions. The Act defines eight data protection principles. These principles are:

Data Protection Act

1. The information that you hold must be kept safe and secure so that there is no threat of people stealing the data.
2. You cannot give the data away or sell it unless you said you would to begin with.
3. It must be held and used only for the reasons given to the Information Commissioner.
4. It must be accurate and kept up to date; for example, it must be updated if an address changes when people move.
5. It must be collected and used fairly and within the law.
6. The data can only be used for the purpose that you said you would to begin with, and only given to those stated to begin with as well.
7. The information that is being held must be adequate, relevant and not excessive when compared with the purpose stated in the register. You must have enough detail but not too much for the job that you are doing.
8. The personal data cannot be kept for longer than is necessary for that purpose or those purposes.

Conclusion

In this conclusion I will be writing about the effectiveness of the measures and legislation taken. Firstly, the measures that I described to protect the customers’ data were physical, electronic, procedural and human security. I think that these measures, when they have been put into place properly, would work quite well: mainly because they are separated into four different parts so that people will be able to understand them as they have been broken down, and secondly because the measures are well thought through for each different section on the list. Also, if it is made sure that these measures are put into place, then I am very certain that the data will stay very secure, but the company also has to think about the cost of all the protection measures that they have taken and whether it will affect the profit-making in the business. To make sure that the customers’ data is secure you should always follow this rule – the network is only as strong as its weakest point, i.e. if there was no protection on one of the systems then it could affect all the others, and they would be as weak as that system.

The legislation that has been taken is the Data Protection Act. The effectiveness of this is very high, as it is a law that all businesses have to follow, and someone makes sure you have put the Data Protection Act into place if you are a company like Topshop who hold people’s personal details. Sometimes there is a tick box to tick if you want your details to be passed on; there is a law that this must be put on the document that you are signing, as if your data gets passed on and you did not confirm, this is against the DPA. Overall, I think that each of these things is very effective, and if it is made sure that they are put into place, the business would stay very successful as it would be very trusted.
