Sunday 13 July 2014

Report - Systems and Security

Introduction

Central Foundation Boys’ School will need to take measures to prevent any threat to its organizational systems security. There are guidelines which the staff must be aware of, so there needs to be a way to train new staff about organizational systems security at Central Foundation Boys’ School.
This report consists of five tasks which link together in the evaluation task at the end of the document.
P4 – Explain the policies and guidelines for managing organizational IT security issues.
P5 – Explain how employment contracts can affect security
P6 – Review the laws related to security and privacy of data
M3 – Explain the role of ethical decision making in organizational IT security
D2 – Evaluate the security policies used in an organization
No official written policy for Central Foundation Boys’ School has been handed to us to aid this task on organizational systems security, so this report was written alongside the research from my teacher, who may have had some knowledge of the policies from a discussion with the class.

IT Security Policies and Guidelines

Disaster Recovery Policies

A disaster can be caused by any of the following:

* Natural disaster
* Fire
* Power failure
* Terrorist attacks
* Organised or deliberate disruption
* System and/or equipment failures
* Human error
* Computer virus
* Legal issues
* Worker strikes
* Loss of key personnel

These disasters are more likely to happen if the situation is not taken care of, so a company might have staff working on how to prevent these disasters, detect one when it occurs and correct the damage if a disaster happens. Below is a description of each type of measure:

1. Preventive measures – Controls aimed at preventing an event from occurring.
2. Detective measures – Controls aimed at detecting or discovering unwanted events.
3. Corrective measures – Controls aimed at correcting or restoring the system after a disaster or an event.

Disaster recovery policies are made to prevent any data from being lost. Safety precautions are made for the many scenarios that might possibly happen. Companies and organizations run a disaster recovery test (DR test) to check whether their plans do prevent a loss of data.

Every company or organization has a policy regarding the disaster recovery procedure, and each company has its own way of dealing with the situation.

The points a policy needs to consider are insurance for the aftermath, a backup at another site and additional equipment to replace the damaged items. Central Foundation Boys' School has a backup server which holds the data of every account in the school; it is kept on-site, not off-site.

Updating of Security Procedure and Scheduling of Security Audits

It is essential to keep the security of any company, organization, school and even home up to date. A dictionary, which comes with anti-virus software, constantly searches for virus fingerprints and holds the method of getting rid of each virus. Another way of updating a security procedure is renewing passwords every now and again; this prevents hackers from accessing the account again with the same password.

Predetermined updates should be made on a daily basis. Having a review of the strengths of the organization will help the person responsible choose a suitable update. Before an update is shared across the network, it should be tested on one or two systems before it is distributed; this is done to ensure the safety of the computer systems.
A security audit is used to check the strength of the company’s security measures. An IT specialist is scheduled to go to the company or organization to test certain things; they give a report or an idea of how the security currently works, and possibly advise them as to how they could improve the security.

Some companies hire what we call "hackers" to infiltrate the system so the company knows where its weak points are; these can then be analysed and dealt with to ensure that no similar problems occur in the future.

Central Foundation Boys' School recently hired someone to check the IT system in the school; however, the main reason was that there was no IT technician in the school, so the school had to outsource an IT technician, which proved to be expensive. They therefore made sure to find an IT technician, which they now have.

Codes of Conduct

In every case, there are security policies for using PCs in an IT suite at a university or school. Shops, contractors, employees, students etc. are obliged to follow the code of conduct once it has been signed; this is a responsibility placed on the one who has signed the paper. Breaking any part of the code can result in exclusion or being fired from work and, in the worst cases, being dealt with in court and given some form of punishment.

A code of conduct can cover the matters of internet usage, email usage and account management policy, for example not sharing account passwords. Central Foundation Boys' School has rules about not giving or telling your password to anyone, keeping your data hidden from others except your teachers (to avoid plagiarism) and using the account for the right purpose, that is, educational purposes. Telling someone your password can get that person and yourself in trouble.

Surveillance Policies

Surveillance and monitoring are used as security measures for hallways, entrances, fire exits and even computers, but this can cause some distress among the workforce. No one wants to be spied on at work, because it is an invasion of private space; someone should be able to work without the feeling of being watched.

When employing someone, there should be an introduction to the fire emergency procedures, where they are not allowed to go and the existing security in the company's building. Not everyone is trustworthy, but using monitoring technology and a code of conduct will limit possible acts of theft, fraud or trespassing.

In short, the security system must be well defined and agreed upon by the employer. If a new security system is being put in place then the workforce has a right to know, or there might be a risk of strikes and union action.

Central Foundation Boys’ School has a monitoring tool called Impero WorkStation which lets every teacher and IT technician monitor any computer on the local network in the school. This is mostly done for educational purposes, like making sure that students do not bypass the block on prohibited sites and stopping them from using the computers when the teacher is teaching or speaking at the front of the class.

Risk Management

A good organization or company will plan ahead for any future risks that might possibly occur. A strong company must have alternative routes and equipment if anything happens. Depending on the type of risk, a company might wish to:

* Go along with the risk; for example, if a competitor is developing the same sort of product, you carry on with your project
* Let the risk escalate but start investing in alternative routes
* Get rid of the risk as soon as possible

Central Foundation Boys' School focuses more on backing up data than on looking into other ways of reducing the risk of future problems. Some of the alternative methods of preventing faults from occurring are dealt with by the Government or the governors of the school, along with the head teacher.

Budget Setting

The organization needs to be maintained at an acceptable level, and depending on the publicity of the company, you may need to pay a lot more than a normal organization in terms of security and reviewing.

Some may need to consider:
1. replacing equipment with a better type
2. the cost of hiring each audit
3. the licences for software
4. training each member of staff
5. staff wages
6. and any support that needs to be put in place

The budget of any school is limited. Some schools cannot buy new equipment because it is not affordable; however, if the school plans what to spend the budget on, then it can afford an upgrade for software or hardware.

Recently, in Central Foundation Boys’ School, the computers have been upgraded from Intel Core i3 and Intel Celeron computers to Intel Core i5 computers, which makes things faster because of the ability to multi-task, especially when using Adobe files which take a lot of processing power. However, the computers were bought for only one room because of the available budget, but this means that any class which wants to use a faster computer can book the room if it is free.

Employment Contracts and Security

Hiring policy

When the company is recruiting or promoting an employee, the employer must follow the hiring policy. This means running a background check on the person, covering their criminal record and their previous employment; this gives a good understanding of their work attitude. This might not be helpful in every case, so some employers organize an interview to see the employee in person.
Some companies do not do any interview but instead have a probation period, either if the employee has a criminal history or just in general, to see their work ethic and how they go about doing things. After the probation period, the company can choose whether or not to allow the employee to carry on.

In Central Foundation Boys’ School, there is a background check on the teachers for criminal or disciplinary history etc.; this is to ensure that the students are in safe hands and will not be influenced badly. The teachers at Central Foundation Boys’ School are also reviewed once a year on how they teach: a deputy head sits in the class, looking through the students' books and watching how the lesson is planned.

Separation of duties

In every company there are specialists within the group, and every faculty is further broken down. The manager or head teacher is not able to maintain the security of the whole company or school; this is the job of the IT technician.

In the IT technician faculty, there are those who work on software maintenance, hardware maintenance and network maintenance. Every faculty has different specialists in the group, and the manager of the faculty has a fair knowledge of each specialist’s job. Therefore, the manager can cover in their absence.

Ensuring compliance including disciplinary procedures

If any employee breaks the rules and policy of the company, then the matter is dealt with in one of three ways:
1. Suspension (with pay) for the employee involved in the matter
2. Another party hired to deal with the case
3. Involvement of the police

The employee's job specification details the job, its restrictions and the possible penalty if any rule or policy is broken.

In every case, the matter should be looked into properly before reaching a conclusion. The suspected employee may not have committed the infringement, and a hasty conclusion can lead to an incorrect penalty.

Training and communication with staff as to their responsibilities

No law can be ignored. To prevent any infringement, the manager should keep good communication with the workforce, maybe every morning or at least every two days; this is done to remind them of their responsibilities in the company.

From all the points above, it is obvious that schools carry out interviews before taking on teachers, though not necessarily for students, unless they are enrolling in the sixth form. A teacher has to have training before applying for a teaching job; this training covers first aid, how to deal with children and some teaching methods etc.

For the safety of the students at the school, the teachers have been given different duties to carry out during break or lunch; some have the duty of looking after corridors, buildings, the playground or the canteen (lunch hall).

Ethical Decision Making

Legislation

There are laws every computer user must follow; breaking any of these laws is a crime and can result in jail time.

Computer Misuse Act (1990)

This law deals with:
1. Unauthorised access to computer material:
   a. using another person's username and password in order to access the computer system
   b. modifying, deleting or using a program
   c. laying a trap to obtain a password, such as a keylogger
2. Unauthorised access to a computer system:
   a. trying to obtain administrator privileges or creating a back door
3. Unauthorised modification of computer material:
   a. e.g. distribution of viruses

Copyright, Design and Patent Act (1988)

This act prevents anyone from stealing someone else's idea. The act covers:
* Music
* Visual media
* Written material
* Designs
* Software
* Unique images
To avoid getting into trouble, you must reference the object (video, image or text) or ask the owner for permission in writing.

Data Protection Act (1984, 1998, 2000)

There are eight principles in this act that must be followed by any company that asks for personal details. These principles will be in the terms and conditions, but many people are too lazy to read through the terms and conditions.

Here are the principles:
1. All data stored is fairly and lawfully processed
2. Any data is processed for limited and clearly declared purposes
3. The data is adequate, relevant and not excessive
4. All data is accurate and is maintained as such
5. No data is kept longer than necessary
6. Data about a person is processed in accordance with the individual's rights
7. All data is kept secure
8. Data is not transferred abroad without adequate protection

This act covers how personal details are used and accessed. A person can request from the company what information the company holds about them.

Freedom of Information Act (2000)

This act allows a person whose details are held on a company's server to have a copy of any electronic or paper-based information about them.
But the act also allows the organization to refuse disclosure in certain cases, including:
* If the information is already accessible by other means
* If the information is to be publicly published
* Information that was supplied by or relates to an organization dealing with security matter
* If it would be against the interests of national security and defence
* Information that regards international relations and relations within the United Kingdom
* Information that could affect the economy
* Current investigations and proceedings conducted by public authorities
* Law enforcement and court records and information for the legal professional
* Audit functions
* Parliamentary privilege and the formulation of government policy, along with the conduct of public affairs
* Communications with the monarch and the management of honours
* Health and safety and environmental information
* Personal information and information provided in confidence
* Commercial interests - this applies to organisation's system security
* Prohibitions on disclosure in line with official secrets.

Copyright

Copyright is used so that no one uses the content for their own purposes unless they have asked for permission; this permission is called a licence agreement. I will briefly explain four types of licence agreement.

Open-source

This agreement allows anyone to compile, edit and recommend improvements. Commercial gain is a matter between the user and the original author of the content. Open-source is supported by GNU (General Public Use or GPL); this community protects the copyright of the original author of the content.

Freeware

This licence states that the software is free to use, but if the software is being distributed or copied then the original author of the content has to be notified and will make some financial concession.

Shareware

This licence is similar to freeware, but if the software is being used for commercial gain, the owner has to be consulted and possibly a fee is charged.

Commercial software

This type of software is made for sale or serves commercial purposes. Most are free of charge. Companies like Microsoft Corporation and Google do not charge for their software packages.

Central Foundation Boys' School has to keep these laws in mind along with the types of software they use. A school cannot use illegally downloaded software, music, videos and applications because it is against the Copyright, Design and Patent Act (1988). A school can be given a bad review just because of bad practice like having illegal software or even free software like WordPress etc.

Ethical Decision Making

Ethics, in short, is the study of values and equality.

Freedom of information vs personal privacy

The proliferation of personal information has pros and cons. It might be a good way to find a long-lost relative or friend, but on the other hand it might attract unwanted visitors.
How does this proliferation happen? Through the electoral roll, the phone book and street maps.

Street maps

Everyone is aware of the use of street maps to navigate to different locations; just the postcode or address is needed and the map will search for and display it.


Phone book

A list of phone numbers and names is compiled; the phone book used to be ordered by street name and then door number. Now some people's phone numbers can be searched for online or in a database.

Electoral roll

An electoral roll can be used to find family or friends through an electoral roll search (for example whitepages.com). This will find all the registered voters with the same name and location. whitepages.com, in particular, will ask you to pay for the service.

Permission issues

Companies, organizations, schools, universities and colleges all use CCTV and video footage as security measures. A company needs to inform every employee that certain security measures have been put in place. Visitors do not need to be notified because they will not be in the building for long.

Some people may object to the use of video footage or CCTV because it invades personal space. But the employee should not do anything that breaks any of the company’s policies.

Professional Bodies

A professional body is an organization that helps further a profession; in this case they have a specific impact on legal issues and the overall decision-making process. Here is a list of some:

* Business Software Alliance (BSA): This is used by companies to help them avoid software licensing issues, and it offers a range of audit tools to check their systems.
* Federation Against Software Theft (FAST): This is the anti-piracy arm of the software creation industry.
* British Computing Society (BCS): This regulates some of the standards set for the computer industry in the UK.
* Association of Computing Machinery (ACM): This is the international equivalent of the BCS.
* Institute of Electronic Engineers (IEE): This sets standards for networking, wireless and Ethernet connectivity.
* Federation Against Copyright Theft (FACT): This helps stop piracy of media like movies, music or other media.

Other Ethical Considerations

Central Foundation Boys' School grants teachers and staff access rights to information about students; no teacher can search for another teacher and look at their details. Similarly, the finance manager only has rights to look at the financial side of the school, not the student or teacher records. The head teacher, however, has full access to every detail in the school: teachers, students, addresses, grades, finance etc.

Security Policies: Central Foundation Boys' School

Central Foundation Boys' School holds personal information on students and staff, and this information could be used with evil intent. The school follows legislation like the Data Protection Act (DPA) because there are details of students and staff in the system.

In the first part of the report, we spoke about IT security policies and guidelines. Central Foundation Boys' School is not going to have high-end technology to store data and prevent it from being lost, but it may have the minimum required software and hardware to prevent data loss.

Thinking back to when I visited the IT technician’s room, the server tower did not seem to be secured to any part of the room. The server tower only had a key lock to prevent someone from opening the case, but the room had a door with two locks. The server tower did not seem to be a mirroring backup but instead a normal backup tower; this is a bad move for the school, because if a natural disaster were to happen then the school would be in deep trouble because of the lack of security put in place to secure the servers.

When a student finds a way to bypass a security system or get on to blocked websites, the technician is alerted to the act and patches or blocks the way they accessed the website; unlike with an audit, the student faces exclusion and/or a parental meeting. An audit may be a good way to find different routes to applications or websites, but that costs money, and some schools cannot afford a security audit.

The technician being alerted brings us on to our next point: the surveillance policies. There are no policies as to how the school can monitor all actions; this means the school can monitor how it likes, except where it violates personal space. For example, the school will not have a camera inside a toilet or a camera with x-ray vision. The minimum a camera should have in a school is the ability to record sound and image without any imaging or sound enhancements, which could exploit someone's private space.

The school's software and hardware receive updates, but not on a regular basis. These updates will obviously take place outside of school time; when, I have no knowledge of. As in every other school, Central Foundation Boys' School has codes of conduct set out to prevent students from accessing sites they shouldn't. Some learning organizations have set out many policies as to how email, the internet and software are used in schools, but the school can incorporate its own rules as to how the internet, software and email are used as well.

This next part of the report will talk about the employment contract and security. The school, when hiring a teacher or enrolling a student, will look at the background of the person and then accept or reject them; rejection is highly unlikely for students.

In every school there are specialists in different subjects; there will be a physical education teacher, an IT teacher, an art teacher and a maths teacher etc., all with different abilities, but this is not the meaning of separation of duties. Separation of duties is practised in the school: there is a rota of which teachers look after the entrance, corridor, doors or floor of each building. This is done for health and safety.

The teachers do a training session, if they do not already have the training, at least once or twice a year. How do I know? The teacher is not in for that day and the students think they can do whatever they want. Training is a good practice for all schools, organizations and companies, because the teachers or staff will know what is new and know how to use a piece of software or some surveillance technology that has been installed.

Next, security and privacy laws. The school may sound like a place where they know everything about you, but they only have the authority to know the necessary information, like contact details, grades and attendance. They are not allowed to record what you do at the weekend or where you go on holiday, unless it is within school periods. The students even have the right to request the information held about them if they need to.

The information and details of students and staff are not misused. The details are not passed on to third parties without proper consent, but this is a matter of legislation. The software a school uses has to be the real deal; what I mean by this is not having the uTorrent version of Microsoft Office or Adobe software. They are given a budget from the government to spend the necessary money on software, hardware and equipment. They get special licence agreements from companies, which give them discounts on certain items or when buying in bulk.

And lastly, ethical decision making. The school will not share your data with anyone, not even the students at the same school. There has to be a warrant from the security services for accessing data, but the teachers have permission to access this data because their job is to teach and keep contact with parents if there are any problems.

Then there is the use of photographs or CCTV footage. Before any pictures are taken by anyone outside the school, a consent form is given to every student that might possibly be in the pictures; if the students do not want to be in the pictures then the matter is taken seriously and they will not be in them. CCTV footage can be used against you if there are any problems. In every school, safety is the number one priority.

I have no knowledge of the professional bodies they might follow, but from my knowledge they will follow the various professional bodies on matters like the regulation standards set nationally and internationally, the use of pirated software and the use of Ethernet or any wireless connectivity.

As a whole and from my experience, Central Foundation Boys' School obeys the policies and rules set out by the governors. They do not break any rules which might lead to possible risk to the safety and details of staff and students. Policies put in place for employment are adhered to, such as background checks and criminal history etc., and the IT management team is making the right ethical decisions as to how the system is looked after and secured.

Conclusion

This report has met all the requirements listed in the introduction on the topic of organizational systems security. However, there was no official document handed over as proof that policies on organizational systems security exist.
There is importance in having an official document, because it is proof of the policies that have been put in place; an audit may ask for the various documents, and if a policy about organizational systems security is missing then the school will not get a good report.

An official document should be made to cover the many points of the policies at Central Foundation Boys’ School, stating the purpose of the document, who the document is targeting and the various topics that the document should cover.
