The measures for data protection taken by an organization reflect its awareness of and attitude towards information and Information Technology. If top management treats computers as a dehumanized, intangible but necessary evil, the measures taken to protect data, individual privacy and data integrity would, at best, be lackadaisical. On the other hand, if the management considers information an important resource and computers an aid in decision making, one would find a positive approach and involvement by the management towards security of information. This attitude naturally percolates down to the lower levels, and the workers consider the computer correspondingly as an enemy or an ally.
One of the best and first steps in ensuring data security is to create an awareness and develop a culture within the organization of the ways in which information can be lost or altered, and of what the consequence of such an occurrence would be to the organization and individuals. The other steps that can be taken are:
- IT planning: The organization must decide on a policy for introduction of IT. This must be done at the highest level and should address issues such as level of protection for various aspects of information relating to the organization;
- Selection of technology, keeping in mind obsolescence due to new innovations and the necessity for keeping in step;
- Identification of points of exposure or weak links, in order to devise means to plug them;
- Physical protection of machine and media.
Control and monitoring of access to data, its usage by persons and its integrity must be clearly defined, and responsibility for ensuring these must rest on persons designated for these tasks; an audit procedure would go a long way in ensuring adherence to laid-down guidelines. While the above are relevant for any computer-based MIS implementation, in the case of PCs the rules for acquisition and use must be unambiguously stated. Additional points to be looked into are:
- Information classification;
- Responsibility for Security;
- User training to increase security awareness and propagation of “do’s and don’ts”.
There are four time-honoured principles for ensuring security and recovery in case of breaches of security.
The best method is, of course, stopping all breaches of security before they occur. The ‘need-to-know’ policy is an offshoot of the principle of prevention.
However one may try to ensure it, total security is almost impossible. The next principle, therefore, is that you must be able to detect breaches of security, whenever they occur, within the shortest possible time. This helps in damage assessment and also in devising further preventive measures.
The aim here is to contain the damage, when losses occur, to reduce the adverse effects of such damage.
There must be enough resilience in the system to recoup the losses/damage and become functional, by reinstating the status, at the earliest.
We would now look at the various measures available to the PC user, to ensure security of machine and data, relating to the principles enumerated above.
These measures are for PCs being used in offices. The PC may be in use by an individual or being shared between two or more users. The measures available are:
- Physically bolt down the PC to a table so that it cannot be casually lifted and taken away.
- Locate the PC in such a way that it is conveniently accessible to the user, but hidden from casual passers-by;
- Have lockable cupboards for floppies and keep them locked at all times, except when used;
- Keyboard and PC locking devices can be fitted so that the PC cannot be operated unless these locks are opened;
- Keep a record of all floppies in use; do not permit alien floppies into the organization;
- Use lockable rooms for PCs, especially those handling sensitive data. Make it a practice to lock the room when leaving it for even a short time.
- The above apply to servers, gateways and the like.
PCs are fairly rugged and can tolerate wide ranges of temperature, humidity and voltage. However, to ensure a trouble-free and prolonged life, consider the following measures:
- Have a temperature and humidity gauge placed in close proximity to the PC and keep a casual watch to ensure that conditions are within limits. Switch off if the limits are exceeded;
- If your normal electrical supply is subject to large variations of voltage and frequency or spikes, it is prudent to have voltage and frequency stabilizers for the PC;
- Ensure that excessive dust or paper scrap does not accumulate near the PC;
- The plug sockets should fit snugly and cables leading to terminals and printers should be secured properly and not left hanging;
- You may consider putting a thin transparent plastic cover on the keyboard if it does not hamper your handling of the keyboard;
- Most important is the use of a vacuum cleaner at regular intervals.
As is apparent from the views on PC security published in various leading magazines, there is hardly any security provided on the PC. There are some measures you can take to ensure that data is not corrupted or modified by unauthorized users, and to reinstate the database to its known status in case this happens. These are:
- Use original software, known also as “licensed” software, for Operating System, compilers or software packages. You may have to pay for it, but you can then be sure that it would be bug-free;
- Use correct procedures for shutting down the PC so that all files etc. would be properly closed;
- If you develop your own applications introduce passwords to access your application; these passwords should not be visible on the screen when keyed-in;
- Keep back-ups of all your files. Whenever you operate on any file (especially in update/append/alter mode), if you have your own programs they should include a “copy” procedure; this ensures that a back-up of your data files would always be automatically taken.
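The “copy” procedure from the last item can be built into the routine that opens a file for update. The following is an added example, not code from the original article; the function name `update_with_backup`, the `.bak` suffix and the sample ledger file are assumptions made for illustration.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager
from pathlib import Path

@contextmanager
def update_with_backup(path, mode="r+"):
    """Copy `path` to `path.bak` before opening it for update; restore on error."""
    if not any(flag in mode for flag in ("+", "a", "w")):
        raise ValueError("use this wrapper only for update/append/alter modes")
    backup = path + ".bak"              # hypothetical naming convention
    shutil.copy2(path, backup)          # the "copy" step, taken before any write
    handle = open(path, mode)
    try:
        yield handle
        handle.flush()
        os.fsync(handle.fileno())       # make sure the update reached the disk
    except Exception:
        handle.close()
        shutil.copy2(backup, path)      # reinstate the last known-good contents
        raise
    finally:
        if not handle.closed:
            handle.close()

def demo():
    """Constructed sample: one successful append, then one update that fails."""
    ledger = os.path.join(tempfile.mkdtemp(), "ledger.dat")
    Path(ledger).write_text("balance=100\n")
    with update_with_backup(ledger, "a") as f:
        f.write("balance=120\n")
    after_ok = Path(ledger).read_text()
    backup_after_ok = Path(ledger + ".bak").read_text()
    try:
        with update_with_backup(ledger, "r+") as f:
            f.write("CORRUPT")
            raise RuntimeError("simulated crash mid-update")
    except RuntimeError:
        pass
    return after_ok, backup_after_ok, Path(ledger).read_text()

if __name__ == "__main__":
    print(demo())
```

The back-up sits beside the original here; keeping a further copy on separate media covers loss of the disk itself.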
The protection required for networked systems is much more extensive, as physical security measures are totally inadequate. It is also extremely difficult to know who is accessing your data, when and how. In LANs there would generally be one server which holds the shareable data on the network and services the requests of the various nodes. The normal method used for permitting access is password identity. The measures that can be adopted for additional security are:
- Keep the servers away and limit physical access to them.
- Run servers in the background mode; thus the server can be booked on, for use in the network, but for direct use of the server, a separate password would be necessary;
- Some networks provide auditing facilities, which can be used to advantage;
- Be aware that the network cables can be tapped, so try to shield or conceal them to prevent easy access; if possible use optical fibre;
- Use codes and ciphers in data communication; remember, however, that this would impose considerable overheads on your resources;
- Use fibre-optic cables for highly sensitive networks as they are difficult to tap; however, here too it may be possible to steal data through sensing the perturbation of the fibre itself;
- Prohibit the use of passwords embedded in communication access scripts; if this is unavoidable, use encryption for passwords;
- Consider the use of see-through devices for any system accessed through networks or through dial up.
Protection against viruses:
A number of measures are available for reducing the risk of being attacked by a computer virus:
- Build employees' awareness of the risk;
- Do not allow the use of outside programs for company PCs or networks;
- Do not interface company networks to outside “Bulletin Boards”;
- Make system/server files “Read only”;
- Try and obtain source code for important software in use and compile it in-house.
- If source code is difficult to follow, it should ring a warning bell in your head;
- Check executable code using “debug” or separate utilities to study code structure and check spaces for viruses.
In most organizations or computer systems, the only authorization for data access is giving the correct password; rightly speaking, this is only the first step; the whole process would be:
The password only indicates an object with a unique identity assigned to it. Thus it should not become authorization to access data without further checks, if some measure of security is desired;
This process verifies that a person or object is who he, she or it claims to be. This could be achieved by asking some standard questions (from a large selection) and getting answers to them; if the answers match those held on the system, the person or object is authenticated;
This is the last step in the process; through this, you can ensure that only a given user, terminal or other resource can access data to which permission has been granted to read, write or alter. Thus a matrix can be created to indicate which users have access to which files, records or fields. If the user's request passes the matrix he is allowed access; otherwise he is denied access to some parts of the database.
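The three-step process above (a claimed identity, authentication by stored question-and-answer pairs, then a check against an access matrix) is shown below as an added example; it is not code from the original article. The class `AccessGate`, the salted PBKDF2 storage of answers, the two-answer minimum and the sample user, questions and file names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def digest_answer(salt, answer):
    # Hold only a salted, slow hash of each answer on the system, never the answer.
    return hashlib.pbkdf2_hmac("sha256", answer.strip().lower().encode(), salt, 100_000)

class AccessGate:
    def __init__(self):
        self.challenges = {}   # user -> {question: (salt, digest)}
        self.matrix = {}       # user -> {resource: {"read", "write", "alter"}}

    def enroll(self, user, answers, grants):
        self.challenges[user] = {}
        for question, answer in answers.items():
            salt = secrets.token_bytes(16)
            self.challenges[user][question] = (salt, digest_answer(salt, answer))
        self.matrix[user] = {res: set(ops) for res, ops in grants.items()}

    def pick_questions(self, user, count=2):
        # Step 1: the claimed identity only selects which record to test against.
        pool = list(self.challenges.get(user, {}))
        return secrets.SystemRandom().sample(pool, min(count, len(pool)))

    def authenticate(self, user, responses, min_answers=2):
        # Step 2: every answer given must match the digest held for that question.
        stored = self.challenges.get(user, {})
        if len(responses) < min_answers:
            return False
        ok = True
        for question, answer in responses.items():
            salt, expected = stored.get(question, (b"\0" * 16, b""))
            ok &= hmac.compare_digest(digest_answer(salt, answer), expected)
        return ok

    def authorize(self, user, resource, operation):
        # Step 3: default deny; access only where the matrix grants the operation.
        return operation in self.matrix.get(user, {}).get(resource, set())

    def request(self, user, responses, resource, operation):
        return self.authenticate(user, responses) and self.authorize(user, resource, operation)

# Constructed sample data: one user, three questions, read-only access to one file.
gate = AccessGate()
gate.enroll("clerk", {"first school": "St. Mary", "pet": "Rex", "city": "Pune"},
            {"payroll.dat": ["read"]})
```

A correct password or answer set alone never reaches the data here: `request` returns true only when both the authentication step and the matrix lookup succeed.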
We have had a fairly close look at the measures for data protection available on stand-alone as well as networked PCs. Some of the measures that we studied can be implemented easily only on mini and mainframe systems, while trying to introduce them on PCs may incur too much resource overhead. We would now take a quick look at the protection, detection and recovery mechanisms available on large systems. This is in order to give you pointers for discerning when to go in for a larger system rather than a PC LAN, and what facilities to look for.
Larger systems provide various mechanisms to prevent access to data. User classes can be defined, automatically prohibiting access to data by user class. A user can be given only a “query view” of the data so that he has only “read” access to a limited amount of data. In some systems, certain terminal numbers can display or access only some parts of the database; thus, even a user with higher access permissions cannot access some data on those terminals.
Access to Operating Systems:
In some systems the operating system is written in a lower-level language and users are not given the use of that language. Thus, the user cannot alter any part of the operating system. Some operating systems follow the concept of access control levels. In this, any program which has equal or higher access control level cannot access any routines which are below that level. The operating system routines are placed at a much lower level and paths are predefined for access to these, which, incidentally, are via other system routines placed at a high level. From this point of view ‘UNIX’ is not a secure Operating System, as ‘C’, the language in which ‘UNIX’ is written, is also available to the user as a programming language; however, it has many good security features.
Access Control Cards:
This is the latest method and is also available on PCs. Here an additional card is inserted in the PC. This card has its own memory and software. The user can program up to ten complex account codes. Anyone wanting access to a PC has first to pass through authentication routines through this card. Only when he passes is he allowed to access the PC itself. These codes can be reprogrammed whenever required. Thus the basic problem of preventing access to the operating system of the PC can be solved to a large extent.