
Criteria C

Security

Because an e-commerce website has no face-to-face contact between consumer and retailer, the retailer has to
find another means of obtaining consumer information, and the most common one is the payment card. A card
purchase gives the company customer details such as the billing address and banking details, and that
information can then be used for market research among other things.

All of this data is exposed to numerous threats, such as identity theft, key logging and hacking. Companies
that want to operate successfully online must win their customers' loyalty, and to do so they need to
demonstrate that they take threats to data security very seriously. There is a range of methods by which an
organisation can protect itself from data security threats, including risk assessment, encryption, SET
(Secure Electronic Transaction), firewalls, physical security, virus protection and user access controls.

There are many laws in place to combat theft and piracy, and most of them set out strict requirements that
must be followed, with serious consequences for those who do not. Here are some examples of the laws used
to protect data handling and deter threats.
Data Protection Act 1998 (DPA)
The Data Protection Act 1998 (DPA) is a United Kingdom Act of Parliament that defines the legal basis for
handling information about living people in the United Kingdom. It was the main piece of legislation
governing the protection of personal data in the UK (it has since been replaced by the Data Protection Act
2018 and the UK GDPR, which keep similar principles). Although the Act does not mention privacy, in practice
it gives individuals a way to enforce control over information about themselves. Most of the Act does not
apply to domestic use, for example keeping a personal address book. Organisations in the UK are legally
obliged to comply with the Act, subject to some exemptions.
The Act sets out eight data protection principles. Personal data must be:
1. Processed fairly and lawfully.
2. Processed only for one or more specified and lawful purposes.
3. Adequate, relevant and not excessive for those purposes.
4. Accurate and kept up to date - data subjects have the right to have inaccurate personal data corrected
or destroyed if it is inaccurate as to any matter of fact.
5. Kept for no longer than is necessary for the purposes for which it is being processed.
6. Processed in line with the rights of individuals - this includes the right to be informed of all the
information held about them, to prevent processing of their personal information for marketing purposes,
and to compensation if they can prove they have been damaged by a data controller's non-compliance
with the Act.
7. Secured against accidental loss, destruction or damage and against unauthorised or unlawful processing
- this applies to you even if your business uses a third party to process personal information on your behalf.
8. Not transferred to countries outside the European Economic Area (the EU plus Norway, Iceland and
Liechtenstein) that do not have adequate protection for individuals' personal information, unless a
condition from Schedule 4 of the Act can be met.
Applied to a school, a student might try to hack the administrator account and take control of the school
system. They would then be able to delete and copy files, including the personal data the school holds, and
allow unauthorised games and websites to be accessed. Failing to prevent this would breach the seventh
principle (keeping personal data secure), and the student's actions are themselves offences under the
Computer Misuse Act below.
Computer Misuse Act 1990 (CMA)
The Computer Misuse Act 1990 is a UK law that makes certain activities illegal, such as hacking into other
people's systems, misusing software, or helping a person gain access to protected files on someone else's
computer.
Three offences under the Computer Misuse Act
The Act is divided into three sections and makes the following acts illegal:
Unauthorised access to computer material
Unauthorised access to computer systems with intent to commit another offence
Unauthorised modification of computer material
This overlaps with the Data Protection Act above, but the Computer Misuse Act is the one that covers hacking
and taking files that do not belong to you. Gaining access to someone else's files and presenting them as
your own without reference is also covered, and forgery of documents is likewise an offence.
Copyright, Designs and Patents Act 1988
The Copyright, Designs and Patents Act 1988 is the law that governs copyright. It gives the creator of
literary, dramatic, musical and artistic works the right to control how the material is used. The Act
covers broadcast and public performance, copying, adapting, issuing, renting and lending copies to the
public. In a school this applies to copying a file or data from the internet without referencing it.
Defamation Act (1996)
The Defamation Act 1996 protects a person's or a company's reputation from harm. Defamation is making a
false allegation that someone has committed an offence, or misrepresenting someone's words or actions. To
bring a claim the person must show that they have a reputation that can be damaged, or that their
reputation has been damaged. In a school this would apply to falsely accusing a student of doing something
wrong, such as framing a student for hacking the school system.
Official Secrets Acts (1911-1989)
The Official Secrets Acts 1911 to 1989 protect state secrets and official information. This is applied to
the school for making rumours and telling lies about a person, for example where he keeps his
Offences and penalties under the Computer Misuse Act 1990 (as originally enacted):
1. Unauthorised access to computer material (basic hacking), including the illicit copying of software
held in any computer.
- Penalty: up to six months' imprisonment or a fine of up to £5,000.
2. Unauthorised access with intent to commit or facilitate the commission of further offences, which
covers more serious cases of hacking.
- Penalty: up to five years' imprisonment and an unlimited fine.


The Police and Criminal Evidence Act (1984)
The Police and Criminal Evidence Act 1984 (PACE) and its Codes of Practice provide the core framework of
police powers and safeguards around stop and search, arrest, detention, investigation, identification and
interviewing detainees. In a school this is applied to stop people bringing weapons into school.
Anti-terrorism, Crime and Security Act 2001
The Anti-terrorism, Crime and Security Act 2001 was passed to counter terrorism and to control illegal
immigration into the UK. It amends and extends the criminal law and the powers available for preventing
crime. Applied to a school, it supports measures to prevent terrorism-related activity on the premises.
Encryption
Encryption is the process of transforming information using an algorithm and a key so that it is unreadable
to anyone who does not hold the key. The result is called ciphertext. To read the information it must be
decrypted, which is only easy for someone who has the right key, normally the person who encrypted it or the
intended recipient. Without the key an attacker has to break the cipher, which for a modern algorithm with a
sufficiently long key is not practical. Older algorithms and short keys do become breakable as computing
power grows and attack tools improve, which is why keys and algorithms must be kept up to date. Encryption
is mainly used to protect communications and stored data, because both are exposed to interception and theft.
Computer encryption systems generally belong to one of two categories:
Symmetric-key encryption
Public-key encryption
Symmetric-key Encryption
An encryption system in which the sender and receiver of a message share a single, common key that is used
both to encrypt and to decrypt the message. Contrast this with public-key cryptography, which uses two keys:
a public key to encrypt messages and a private key to decrypt them. Symmetric-key systems are simpler and
faster (AES is the usual choice today), but their main drawback is that the two parties must somehow
exchange the key securely. Public-key encryption avoids this problem because the public key can be
distributed openly and the private key is never transmitted. In practice the two are combined: public-key
encryption is used to exchange a symmetric key, and that symmetric key then protects the bulk of the data.
Public-key encryption
A cryptographic system that uses two keys: a public key, which can be known to everyone, and a private
(secret) key known only to the recipient of the message. The keys are mathematically related so that a
message encrypted with the public key can only be decrypted with the corresponding private key, and it is
computationally infeasible to deduce the private key from the public key. Public-key systems such as Pretty
Good Privacy (PGP), and the TLS protocol behind https websites, are standard for transmitting information
over the Internet. They are secure when implemented and used correctly, but the difficulty is that you need
to know the recipient's genuine public key to encrypt a message for them: an attacker who can substitute
their own public key can read the traffic. What is needed is a trustworthy way to publish and verify public
keys, either a directory such as LDAP or, as is normal on the web, digital certificates issued by a
certificate authority.

Firewall
A firewall is a device or program that allows or denies network traffic based on a set of rules. It is used
to protect networks from unauthorised access while allowing legitimate communications to pass. As the name
suggests, it is analogous to a physical firewall in a building: a barrier that stops fire from spreading
from one area to the next. Many personal computer operating systems include software-based firewalls to
protect against threats from the public Internet.
Many routers that pass data between networks contain firewall components and, conversely, many
firewalls can perform basic routing functions.
Firewalls are classified by where the communication takes place, where it is intercepted and what state
is tracked.
Network layer and packet filters - Each packet (a small chunk of data) is checked against a set of filter
rules, typically on source and destination address, protocol and port. Packets that match an allow rule
are forwarded to the requesting system and all others are discarded. A stateful packet filter also
remembers the connections it has allowed, so that the replies can be let back in without a separate rule.
Application layer - Application firewalls inspect the traffic of a particular application (for example
HTTP) and can intercept all packets travelling to or from it, blocking anything else (usually dropping it
without acknowledging the sender). In principle an application firewall can prevent all unwanted outside
traffic from reaching the protected machines.
Proxies - Information from the Internet is retrieved by the firewall on behalf of the internal system and
then passed on to it, and vice versa. Proxies make tampering with an internal system from the external
network more difficult, and misuse of one internal system does not necessarily cause a security breach
exploitable from outside the firewall (as long as the proxy itself remains intact and properly configured).
Network address translation - Firewalls often perform network address translation (NAT), which hides the
true addresses of protected hosts behind the firewall's own public address. Hiding the addresses of
protected devices is a useful defence against network reconnaissance, because an attacker on the outside
sees only the firewall's address. It is not a substitute for filtering, since anything the firewall
forwards still reaches the host behind it.
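To show how a packet filter actually applies its rules, here is a small stateful filter written in Go as an added example; it is not code from the original page or from any firewall product. The rule set, the host addresses and the sample packets are constructed: they model a web shop that accepts public HTTPS and HTTP and lets the inside make outbound HTTPS and DNS requests. The program shows first-match-wins ordering, default deny for anything unmatched, and connection tracking, so that a reply to an outbound DNS query is admitted while an unsolicited packet to the same port is dropped.

```go
package main

import "fmt"

// Packet is the subset of header fields a packet filter looks at.
type Packet struct {
	SrcIP, DstIP     string
	Proto            string // "tcp" or "udp"
	SrcPort, DstPort int
	Inbound          bool // true if the packet arrives from the public Internet
}

// Rule is one line of the filter policy. Proto "" and DstPort 0 are wildcards.
type Rule struct {
	Name    string
	Inbound bool
	Proto   string
	DstPort int
	Allow   bool
}

// flowKey identifies a connection the inside initiated: who spoke to whom on which ports.
type flowKey struct {
	inIP, outIP     string
	inPort, outPort int
}

// Firewall is a stateful packet filter: rules are checked top to bottom and the
// first match wins, anything unmatched is dropped, and replies to allowed
// outbound traffic are let back in.
type Firewall struct {
	Rules       []Rule
	established map[flowKey]bool
}

func NewFirewall(rules []Rule) *Firewall {
	return &Firewall{Rules: rules, established: map[flowKey]bool{}}
}

// Decide returns whether the packet passes and which rule decided it.
func (f *Firewall) Decide(p Packet) (bool, string) {
	// Stateful shortcut: a reply to a connection the inside opened is allowed
	// without needing an inbound rule for it.
	if p.Inbound && f.established[flowKey{p.DstIP, p.SrcIP, p.DstPort, p.SrcPort}] {
		return true, "reply to established outbound connection"
	}
	for _, r := range f.Rules {
		if r.Inbound != p.Inbound || (r.Proto != "" && r.Proto != p.Proto) ||
			(r.DstPort != 0 && r.DstPort != p.DstPort) {
			continue
		}
		if r.Allow && !p.Inbound {
			// Remember the flow so the answer can come back. This toy keeps
			// flows forever; a real firewall ages them out.
			f.established[flowKey{p.SrcIP, p.DstIP, p.SrcPort, p.DstPort}] = true
		}
		return r.Allow, r.Name
	}
	return false, "default deny"
}

// DemoRules is a constructed policy for a small web shop: the public may reach
// the web server, the inside may browse and resolve names, nothing else.
func DemoRules() []Rule {
	return []Rule{
		{Name: "allow public https", Inbound: true, Proto: "tcp", DstPort: 443, Allow: true},
		{Name: "allow public http", Inbound: true, Proto: "tcp", DstPort: 80, Allow: true},
		{Name: "allow outbound https", Inbound: false, Proto: "tcp", DstPort: 443, Allow: true},
		{Name: "allow outbound dns", Inbound: false, Proto: "udp", DstPort: 53, Allow: true},
	}
}

func main() {
	fw := NewFirewall(DemoRules())
	// Constructed sample traffic using documentation addresses (RFC 5737).
	samples := []Packet{
		{"203.0.113.9", "192.0.2.10", "tcp", 51000, 443, true},   // customer to shop
		{"203.0.113.9", "192.0.2.10", "tcp", 51001, 3389, true},  // remote desktop probe
		{"198.51.100.53", "192.0.2.10", "udp", 53, 40000, true},  // unsolicited "DNS reply"
		{"192.0.2.10", "198.51.100.53", "udp", 40000, 53, false}, // shop's own DNS query
		{"198.51.100.53", "192.0.2.10", "udp", 53, 40000, true},  // the real reply
	}
	for _, p := range samples {
		ok, why := fw.Decide(p)
		fmt.Printf("inbound=%-5v %s:%d -> %s:%d  allow=%-5v (%s)\n",
			p.Inbound, p.SrcIP, p.SrcPort, p.DstIP, p.DstPort, ok, why)
	}
}
```

The remote desktop probe is dropped not because a rule names port 3389 but because nothing allows it; that default-deny behaviour is what makes a packet filter useful against ports the administrator forgot about.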

Physical security
Physical security means measures designed to deny unauthorised people physical access to a building, a
facility or stored information. It can be as simple as a locked door or as elaborate as multiple layers of
barriers, armed security guards and checkpoints. A good physical defence is layered. It comes at a cost,
and its effectiveness depends on how the layers are arranged, since an intruder will look for the weakest
point at which to enter a facility. To counter this, the protection around the perimeter should be of
equal strength everywhere. Technology has also improved physical security, with infrared motion detectors,
video surveillance cameras, and access control systems and locks whose use is logged and regularly audited.
The field of security engineering identifies the following elements of physical security:
Explosion protection;
Obstacles, to frustrate trivial attackers and delay serious ones;
Alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely
that attacks will be noticed; and
Security response, to repel, catch or frustrate attackers when an attack is detected.
In a well designed system these features complement each other. There are at least four layers of
physical security:
Environmental design
Mechanical, electronic and procedural access control
Intrusion detection - here this means door contacts, motion sensors and alarms that report an attempted
break-in; the same term is used in IT for a device or software application that monitors network or system
activity for malicious activity or policy violations and reports to a management station
Video monitoring
Personnel identification
Virus Protection
Antivirus software is used to prevent, detect and remove malicious software from a computer. Companies use
it because it keeps threats to data to a minimum and is far cheaper than recovering from an infection. It
can detect and remove many different forms of malware, as described below:
Viruses - A virus is a small piece of software that piggybacks on real programs. For example, a virus might
attach itself to a program so that each time the program runs the virus runs too and has the chance to
reproduce by attaching to other programs. This can be very damaging to an organisation because many viruses
are written to wreak havoc: an infected computer can corrupt or modify data.
E-mail viruses - An e-mail virus is similar to a normal virus but arrives attached to an e-mail message.
Some messages ask you to download something that is actually the virus, but malicious code can also be
embedded in the message itself, so simply opening the message may be enough to infect your computer.
Trojan horses - A Trojan horse is simply a computer program that claims to do one thing but instead does
damage when you run it (it may erase your hard disk).
Trojans are common in shareware or freeware because those are easy to distribute. They are especially
malicious because they can cause huge amounts of damage to a machine and can delete information from the
computer. A related type is the backdoor, which gives an attacker remote control of the computer and lets
them steal any information stored on it. A company that does not invest in anti-virus protection to keep
customer information safe risks losing the trust of its customers.
Worms - A worm is a small piece of software that replicates itself across a network by exploiting security
holes. Worms almost always cause some harm to the network, because they consume large amounts of bandwidth
and slow the company's network down. For an online business any slowdown can be damaging, since markets and
prices are constantly changing.
Risk assessment
A risk assessment is simply a careful examination of what, in your work, could cause harm to people, so
that you can weigh up whether you have taken enough precautions or should do more to prevent harm.
Workers and others have a right to be protected from harm caused by a failure to take reasonable control
measures. The same approach applies to data security: identify what could go wrong (the threats listed
above), how likely it is and how serious the consequences would be, and then decide which controls are
worth putting in place.
Accidents and ill health can ruin lives and affect your business too if output is lost, machinery is damaged,
insurance costs increase or you have to go to court. You are legally required to assess the risks in your
workplace so that you put in place a plan to control the risks.
A risk assessment is an important step in protecting your workers and your business, as well as complying
with the law. It helps you focus on the risks that really matter in your workplace, the ones with the
potential to cause harm. In many instances, straightforward measures can readily control risks, for
example ensuring spillages are cleaned up promptly so people do not slip, or keeping cupboard drawers closed
so people do not trip. For most, that means simple, cheap and effective measures to ensure your most
valuable asset, your workforce, is protected.
The law does not expect you to eliminate all risk, but you are required to protect people as far as is
reasonably practicable.
User ID & Access rights
The user ID identifies you to the network as an authorised user, and the password proves that you are the
person to whom that user ID belongs. Any sensible company will ensure that staff need a user ID and
password to gain access to the system, which reduces the risk of outsiders getting onto the system and
damaging data.
Access rights protect the IT system and the data stored on it by restricting who can do what. Most company
networks are set up so that different users have appropriate levels of access. In a school there are
students, teachers and the network staff.
Students
As a student, you can log on, access your own files and change them, use most of the software on the
system and probably access a shared area where you can open files put there by your teacher and then
save them to your own area. What you can't do is load software onto the system, access files in other
students' areas, or delete or change files in the shared area. You also can't change the system settings
or add or delete users.
Teachers
Teachers can do more than students. They may be able to access all of the students' user areas and open,
copy or move files. They can put files into the shared folder for students to use. Most teachers, however,
can't load software onto the system. They often can't access other teachers' areas. They can't change the
system settings, and they can't add or delete users.

Network staff
Network staff are responsible for the upkeep of the network and so may have 'admin' rights to the system.
This means they can do just about everything on the system: install new software, change system settings,
add and delete users, and access everyone's files and folders. All of this is controlled through 'access
rights'.
When the network manager originally set up the system, they would have defined different levels of access
rights, e.g. student, teacher, network manager, and specified what permissions each level has, i.e. what
anyone with that access right can and can't do. When a new user is added to the system, for example when
a new student or member of staff starts at the school, they are given a user ID and their access level is
set. Each user should be given the lowest level that still lets them do their job, so that a compromised
or misused account can do as little damage as possible.
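The student/teacher/network staff model above can be written down as an explicit access-control policy and checked against concrete requests. The Go program below is an added example, not code from the original page or from any school system; the user names and the exact permissions (for example that a teacher may read and write but not delete a student's files) are assumptions chosen to match the description above. The point it makes is that the policy is default-deny: every request is refused unless a rule explicitly grants it.

```go
package main

import "fmt"

type Role string

const (
	Student      Role = "student"
	Teacher      Role = "teacher"
	NetworkStaff Role = "network staff"
)

type Action string

const (
	Read    Action = "read"
	Write   Action = "write"
	Delete  Action = "delete"
	Install Action = "install software"
	Admin   Action = "change settings / manage users"
)

type User struct {
	ID   string
	Role Role
}

// Resource is something on the school network. OwnerID is set for a user's
// home area and empty for the shared folder and system-wide objects.
type Resource struct {
	Kind    string // "home", "shared", "software", "system"
	OwnerID string
}

// Policy holds the user directory; decisions about a home area depend on
// who owns it and what role that owner has.
type Policy struct {
	Users map[string]User
}

// Allowed implements the three-level access model described above.
// It is default-deny: a request passes only when a rule explicitly grants it.
func (p Policy) Allowed(u User, a Action, r Resource) bool {
	if u.Role == NetworkStaff {
		return true // 'admin' rights: install, settings, users, everyone's files
	}
	switch r.Kind {
	case "home":
		if r.OwnerID == u.ID {
			return a == Read || a == Write || a == Delete // your own files
		}
		owner, known := p.Users[r.OwnerID]
		// Teachers may open, copy or move (read/write) students' files, but
		// not other teachers' areas. Assumption: moving needs write, not delete.
		return known && u.Role == Teacher && owner.Role == Student && (a == Read || a == Write)
	case "shared":
		if a == Read {
			return true // students open the files the teacher put there
		}
		return u.Role == Teacher // only teachers add, change or remove shared files
	}
	return false // installing software, system settings, user accounts: staff only
}

// DemoPolicy is a constructed user directory for the examples.
func DemoPolicy() Policy {
	return Policy{Users: map[string]User{
		"alice": {"alice", Student},
		"bob":   {"bob", Student},
		"mrs_k": {"mrs_k", Teacher},
		"mr_j":  {"mr_j", Teacher},
		"netop": {"netop", NetworkStaff},
	}}
}

func main() {
	p := DemoPolicy()
	requests := []struct {
		who string
		act Action
		res Resource
	}{
		{"alice", Write, Resource{"home", "alice"}},  // own area: yes
		{"alice", Read, Resource{"home", "bob"}},     // another student's area: no
		{"alice", Delete, Resource{"shared", ""}},    // delete from shared: no
		{"mrs_k", Read, Resource{"home", "alice"}},   // teacher opens student file: yes
		{"mrs_k", Read, Resource{"home", "mr_j"}},    // other teacher's area: no
		{"mrs_k", Install, Resource{"software", ""}}, // teacher installs software: no
		{"netop", Admin, Resource{"system", ""}},     // network staff: yes
	}
	for _, q := range requests {
		fmt.Printf("%-6s %-30s %-8s %-6s -> %v\n",
			q.who, q.act, q.res.Kind, q.res.OwnerID, p.Allowed(p.Users[q.who], q.act, q.res))
	}
}
```

Because the function ends in `return false`, adding a new resource kind or action without writing a rule for it leaves it inaccessible rather than silently open, which is the safe failure mode for an access-rights system.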
