Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Computer Security for users of small computer systems Crime Prevention Bureau

advertisement 
Computer Security
for users of small computer systems
Crime Prevention Bureau
If you have any queries regarding the contents of this booklet, or require further information, then
please contact:
Royal Hong Kong Police
Computer Security Unit
Crime Prevention Bureau
5th Floor Empire Centre
Tsim Sha Tsui East
Kowloon
Hong Kong
Telephone: 2301 1654
KPMG Peat Marwick
Computer Audit Department
8th Floor Prince's Building
Central
Hong Kong
Telephone: 2522 6022
Computer Security
for users of small computer systems
2nd Edition
© Crime Prevention Bureau
January 1997
Sections © Office of the Privacy Commissioner for Personal Data
1st Edition jointly published by KPMG Peat Marwick, Certified Public Accountants, and The Royal
Hong Kong Police Crime Prevention Bureau.
Preface
This booklet forms part of the Crime Prevention Bureau's effort to improve the general awareness
on computer security. The purpose of this booklet is to set out guidelines on improving computer
security, specifically within a small business environment where resources are often limited.
However, the policies and procedures outlined in this booklet are equally applicable to all users of
small computer systems.
The guidelines in this booklet are advisory and represent what is regarded as best practice. They are
not intended to be definitive and should always be applied with regard to practical business
requirements and individual circumstances. By using a few simple and inexpensive measures,
management can significantly reduce many computer-related risks. However, it must be stressed
that there is no such thing as total security, even for large organisations.
The information presented in this booklet is general in nature and will not provide detailed rules on
which to make specific plans. If management are in any doubt in a specific instance, they should
seek proper professional advice.
This booklet is printed in English and Chinese. If there is any conflict in the booklet between the
meaning of Chinese words or terms in the Chinese language version and English words in the English
language version, the meaning of the English words should prevail.
CONTENTS
1. INTRODUCTION
1
2. ORGANISATIONAL AND MANAGEMENT CONTROLS
3
3. SEPARATION OF DUTIES
4
4. PROTECT YOUR ASSETS
5
5. PROTECT YOUR DATA AND NETWORK
7
6. END USER COMPUTING
9
7. USE OF PACKAGED SOFTWARE
10
8. BACKUP AND RECOVERY
11
9. VIRUS PROTECTION
13
10. COPYRIGHT
15
11. THE INTERNET
16
12. LEGAL IMPLICATIONS
17
GLOSSARY
21
Chapter 1
Introduction
1.1 Background
In the past, only large organisations could afford to invest in computer equipment. However,
technological advances in recent years have made it possible to build computers that are smaller,
cheaper, more powerful and easier to use.
Microcomputer networks are now slowly replacing many systems that previously ran on mini, or
even mainframe, computers. The advent of inexpensive business software, computer games and the
graphical user interface increases the popularity of microcomputers, and the marriage of computer
and telecommunication technology signifies a new age in personal computing. Nowadays few
businesses, large or small, operate without a computer, and management increasingly rely on
computer generated information for decision making.
As more than one person can access computer data and resources, the system, however small,
becomes more difficult to control. This booklet sets out some of the key issues regarding computer
security; and recommends ways by which management can minimise the potential risks that arise
when data is stored on or processed by computers, and when computer data and resources are
shared.
The recommended procedures set out in this booklet are intended for users of small computer
systems, such as standalone personal computers (PCs) or small PC networks. Such operating
environments are commonly found in smaller organisations, however, the recommendations in this
booklet may also be relevant for users of small computer networks in larger organisations, and for
individual users of personal computers.
1.2 Small business environment
A small business environment usually has limited resources in terms of staff and computer
knowledge. The owners of the business are often actively involved in business affairs. Controls are
often informal and there is limited scope for separation of duties. The business most probably uses
microcomputers and off-the-shelf software, such as an integrated accounts package or payroll
software. Word processing and general purpose spreadsheet and database packages may also be
used to analyse data and to produce management information.
Control weaknesses in such an environment often result from a combination of factors: users may be
unaware of security issues; management may take the view that controls are unnecessary, disruptive
and costly to implement; and the implications of a breach in computer security are not fully appreciated.
Such weaknesses may give rise to a number of concerns:
Page 1
•
poor business decisions because management rely on inaccurate financial or managerial
information;
•
the business may not be able to recover from a loss of data or computer facilities caused by,
for example, a fire;
•
accidental disclosure or theft of confidential or sensitive business or personal information;
•
possible breach of current legislation, such as copyright law or the Personal Data (Privacy)
Ordinance;
•
possibility of fraud; and
•
risk of computer abuse, such as computer related crime.
These concerns may result in financial losses, damage to customer relations and a business' reputation
and, in extreme cases, the collapse of the business. It is therefore essential for management to understand
these risks and hence the need for computer security.
This booklet provides a number of recommendations relating to each key area of computer control. One
or more of the suggested techniques may be used according to the specific circumstances of the business
to minimise its exposure to the risks discussed above. Management may also find it helpful to seek
impartial advice from independent advisers.
Page 2
Chapter 2
Organisational and management controls
Principle
Management should establish policies regarding the acquisition and use of microcomputers; and
should also ensure that only suitably qualified staff are responsible for operating the computer
system.
Suggested procedures
•
Management should establish an appropriate strategy regarding the acquisition of computer
hardware and software. This would ensure that the computer facilities are able to meet and to
support the business operations.
•
Management should establish policies and supporting procedures regarding the use of
computers and computer information. For example, policies regarding the handling of
confidential, sensitive and proprietary data, as well as the implications of a breach of these
policies, such as disciplinary actions. Such policies and procedures provide a means to ensure
the integrity, accuracy and completeness of the data being processed.
•
A senior and key individual in the business should be allocated the responsibility for ensuring
that appropriate policies and procedures are developed and applied and that computer security
is taken seriously.
•
Management should set out clear policies on the recruitment, assessment, training and dismissal
of staff. Bona fide references should be taken up for all recruits, including temporary and
contract staff, to ensure that they are adequately qualified and that they do not present a security
risk to the company.
•
All members of staff, including temporary and contract staff, who are required to operate
computer equipment should be adequately trained.
Benefits
The policies and procedures identified above should be sufficient to address the potential risks faced
by smaller organisations. By establishing a clear policy on the use of computers, management can
ensure that the importance of computer security is communicated to all members of staff. Appropriate procedures for the recruitment, assessment, training and dismissal of staff will help to ensure
that staff are committed and that the computer, the data and the systems are handled efficiently,
effectively and responsibly.
Page 3
Chapter 3
Separation of duties
Principle
Ideally, no single individual should be able to exercise control over more than one functional or
business area. Within the context of a small organisation, however, a formal separation of duties is
often not possible due to the limited number of staff available, particularly in respect of computer
systems. Management should instead ensure that adequate alternative procedures and controls are
in place to safeguard the organisation.
Suggested procedures
•
Management should ensure that there are adequate audit trails in respect of computerised
transactions.
•
Specific procedures and controls should be put in place concerning the handling of tangible and
mobile assets, such as cash and stock. These may take the form of regular bank reconciliations,
cash counts and stock counts.
•
Management should take steps to ensure that detailed knowledge of the computer system is not
lost as a result of key staff being unavailable or leaving the organisation by maintaining up-todate system and user documentation.
Benefits
Separation of duties reduces the risk of fraudulent activities as controls are easily bypassed when a
single individual is empowered to control several functional areas. Separation of duties also reduces
an organisation's dependence upon key staff.
Where separation of duties is not practicable, compensating controls should be put in place to
safeguard the assets of the business.
Page 4
Chapter 4
Protect your assets
Principle
All computer equipment and resources should be adequately protected. Access should be restricted
to only those staff who are properly authorised. Security precautions should not, however, impede
the efficient running of the business.
Suggested procedures
Physical access controls are usually applied at two levels: access to the organisation's offices or
premises and access to the area within the offices/ premises where the computer equipment is
located. Since microcomputers are usually scattered around the office, some of the main controls
are at the offices/premises level.
•
Guards or receptionists should ensure that only authorised persons may enter the office. If there
is more than one entrance to the office, access to all entrances should be controlled.
•
Access to the office outside office hours should also be regulated. In particular, it may not be
desirable for certain grades of staff to have unrestricted access to the premises.
•
Key computer equipment should be physically secured. If, however, it is not practical to keep
key computer equipment, such as the network server, in a secure area, then it should be located
where it is clearly visible, and where access can be observed (rather than in a secluded area
where tampering with the equipment may go unnoticed).
•
In many cases, management may wish to physically safeguard portable or movable (but
nevertheless expensive) equipment, such as most PCs, by securing them to desks.
•
Staff should not leave computers unattended whilst switched on and logged on to a specific
application.
•
There should be adequate protection against risks such as fire and flood, for example,
conveniently placed and adequately maintained fire extinguishers.
•
Offices should be kept tidy; food, and in particular drinks, should not be allowed near computer
equipment.
•
Management should ensure that computer equipment is adequately insured. Where necessary,
insurance cover should extend to the data and information held on the computer as well.
Page 5
Benefits
Appropriate physical access controls will reduce the risk of computer equipment being stolen or
accidentally or deliberately damaged. It will also help to prevent accidental disclosure or theft of
sensitive or confidential information. Adequate insurance can help to reduce the economic impact on
the organisation in the event that data or computer equipment is lost or damaged.
Page 6
Chapter 5
Protect your data and network
Principle
Access to data and software on standalone PCs and on PC networks should be selectively
restricted to those who are authorised by management. Access should only be granted that is
sufficient to enable staff to perform their duties.
Suggested procedures
•
Management should identify data and programs critical to the business and determine who
should have access to these.
•
Privileged access such as supervisor authority should be restricted to one or at most two senior
and responsible individuals. This access can potentially be used to delete and corrupt data
without leaving any audit trail and therefore should be strictly controlled.
•
A suitably senior member of staff should be responsible for enforcing, and for ensuring
compliance with, the security policies set out by management.
•
A suitable person should be designated Network Security Officer to control and monitor
network security and activities, for example, ensuring the list of network users is up-to-date, and
following up any unauthorised access attempts.
•
Each network user should be assigned a unique identifier, often referred to as a user ID that has
an associated user profile and an associated password. Users should change their initial
passwords immediately when they log on to the network for the first time.
•
Users should keep their IDs, profiles and passwords secret, and should regularly change their
passwords.
•
Management should set out guidelines concerning passwords. For example, the frequency of
password change; the length of the password, which should ideally be at least eight characters
long; and guidance regarding the format to ensure that the passwords cannot be easily guessed,
such as requiring all passwords to be a mixture of letters, numbers and symbols
•
Special security features provided by a network operating system should be applied where
appropriate. For example, user profiles can and should be disabled after a certain number of
unauthorised access attempts; or the date and time of when each user is able to log on to the
system should, if possible, be pre-defined.
•
Management should consider installing special password protection software on
microcomputers containing sensitive data, such as certain financial and personnel information.
Page 7
Such software may, for example, request a password before a PC can be started up.
Management should seek professional advice before installing such software to ensure compatibility with existing software and hardware.
•
Management should monitor the use of powerful user profiles, such as the network
administrator profile. It is also advisable to keep passwords of key users in sealed envelopes for
emergency use. The envelopes should be securely stored and passwords should be changed immediately after each emergency access.
•
Data, including backup copies, held on magnetic media such as diskettes or cartridges should
be properly labelled and locked away when not in use.
•
Printouts containing confidential or sensitive information should be filed away and, when no
longer required, should be carefully disposed of to prevent accidental disclosure of such
information. Organisations should however take care to ensure that they do not violate the
Companies Ordinance, Personal Data (Privacy) Ordinance or any other Ordinance with respect
to the retention of records.
•
Where dial-up access is permitted using modems and telephone lines, management should
consider the use of dial-back or other additional authentication procedures thus exercising some
degree of control over telephone access.
•
Management should adequately control and supervise the maintenance of hardware and
software applications, especially when this work is performed by the respective vendors. This is
to prevent accidental corruption or disclosure of sensitive data and applications.
Benefits
Management can only rely on the system if they can be sure that the system is free from
unauthorised changes to either the data or the programs. Adequate safeguards over unauthorised
access will protect confidential and sensitive information and prevent unauthorised modifications or
corruption of data. They will also reduce the risk of viruses or other malicious programs being
introduced into the system.
Page 8
Chapter 6
End user computing
Principle
Management should ensure that applications developed to run on PCs are adequately controlled. In
particular appropriate standards covering testing, and system and user documentation should be
implemented.
Suggested procedures
•
Management should issue written procedures that should be followed when developing PC
applications. Applications in this context include computer programs as well as financial or nonfinancial models, budgets, forecasts, etc, developed using software applications, such as a
spreadsheet. As a rule, these procedures should apply to all applications, whether routine or
one-off, that produce management information.
•
Software needs should be identified and fully specified in advance. These should include
requests for new applications, as well as requests for modifications to existing applications.
•
Staff should seek management approval prior to developing their own applications as they may
not be aware of other existing applications that can perform, or can be adapted to perform, the
required tasks.
•
New or enhanced applications should be independently reviewed and tested before being
accepted and going live. This should include functionality tests as well as volume tests to ensure
that the software can perform all that is expected of it and can cope with the required transaction volumes. This will reduce the number of errors or "bugs" in the system. Users should be
heavily involved in this process to ensure that the system meets their requirements.
•
Where appropriate, system compatibility tests should be carried out to ensure that new or
modified applications can function with existing software and hardware.
•
System and user documentation should be prepared or amended to reflect all changes to
application programs.
Benefits
By adopting a structured approach, management can ensure that application software fulfils the
needs of the business, and that any tailoring or modifications are properly tested and function as
intended and are error free. This will ensure that the vital information flow is not disrupted when it is
most needed.
Page 9
Chapter 7
Use of packaged software
Principle
Management should ensure that all packaged software is able to support the business activities, and
is adequate for users' needs. Management should also ensure that the packages can be adequately
maintained, either in-house or by the respective software house, so that future enhancements can be
made.
Suggested procedures
•
There should be formal procedures addressing the required controls over the selection, testing
and acceptance of packaged software.
•
Users should be actively involved in the selection process, particularly where enhancements or
changes to the packaged software are undertaken on the users' behalf.
•
Control over the release and implementation of new software, or enhancements to existing
software, should be centrally co-ordinated to ensure that appropriate versions of the software
are used.
•
Management should consider the use of "escrow" arrangements, especially where software has
been purchased from a smaller software house, or where the software has been customised. An
escrow agreement usually involves the software house, the user business and an independent
third party. The software house lodges the source code of the software package with the
independent third party such as a bank or a legal firm. When a pre-determined event takes
place, such as the software house ceasing operations or ceasing to support that particular
package, the source code will be released to the user business according to the terms of the
agreement, thus ensuring that the user can obtain future support for the package elsewhere.
Benefits
The application systems in use are able to meet the users' needs and are able to support the current
and future business requirements.
Page 10
Chapter 8
Backup and recovery
Principle
Data and programs are usually held on hard disks, diskettes, magnetic tape or cartridges. These
media are susceptible to damage, theft or loss and consequently the data held on them are
vulnerable. Further, the computer itself can be damaged, perhaps through failure of a significant
component of the system or an external factor such as a fire. Management should ensure that should
the organisation suffer an accident or a "computer disaster", then it can recover its data, application
programs and computer facilities with minimum disruption to the business.
Suggested procedures
•
Management should determine which files, application programs and documentation are critical
to the running of the business. They should then establish an appropriate backup strategy based
on the findings. Backup and recovery procedures should then be documented and staff
instructed on their implementation.
•
Adequate and frequent backups of data and programs should be taken to ensure that the
system can be recovered after a "computer disaster" and before the business is disrupted.
•
Management should assign responsibility for taking backups. For example, an organisation may
require that backups be taken by a specific individual, such as the network supervisor or that
specific users backup their own files.
•
At least three generations of the backups should be kept. However if daily backups are taken it
may be easier administratively to retain six or seven generations, for example Monday's daily
backup should be kept until the following Monday when it can be overwritten, etc. Month end
and year end copies of files may be retained for longer periods as required.
•
At least one copy of the most recent backup should be kept off-site and should be securely
stored, for example in a fireproof safe.
•
Magnetic tapes, diskettes or cartridges used for backup should be clearly and accurately
labelled. Backups should be tested periodically to ensure that they can be restored when
ultimately needed.
•
Copies of essential documents, such as user manuals, systems and applications documentation,
should also be kept off-site.
•
Where necessary, a stock of special pre-printed stationery, such as customer statements,
invoices, etc, should also be kept off-site in case of emergency.
Page 11
•
For those organisations that rely heavily on their computer system, management should develop
a formal recovery plan setting out specifically what to do in the event of a disaster which results
in a prolonged disruption of computing facilities. For those organisations that are not so
dependent on their computer system, management should also consider the impact of such a
disaster on their business and outline the necessary recovery procedures.
Benefits
Management will be able to recover, promptly and effectively, computing facilities following a
"computer disaster" and minimise the economic impact on the business. This is particularly important
in a network environment where the effect of a loss of computing capabilities may have a serious
impact over the entire organisation.
Page 12
Chapter 9
Virus protection
Principle
A computer virus is a set of computer program instructions designed to duplicate and spread itself.
Once a program or system file has been infected, whenever that software is subsequently used the
virus will duplicate itself and infect other programs or system files.
In addition to duplication and infection, viruses may corrupt or delete programs and data, or cause
unusual messages to be displayed. This may occur immediately following infection, at some random
future date, or may be triggered by some event such as a particular date or the passage of time.
Management should take steps to minimise the risk of damage to data and programs caused by
computer viruses using a combination of preventive and detective methods.
Suggested procedures
Taking adequate and frequent backups is an essential step in protection against virus attacks. Whilst
the use of anti-virus software can protect the organisation from virus attacks, such software is most
effective only when identifying known viruses. Therefore if the anti-virus software is not regularly
updated, it will not be able to provide effective protection against new viruses.
•
Management should issue a written policy on the use of microcomputers and communicate this
to all members of staff. No games or other unauthorised software should be used, and staff
should be made aware of their responsibilities in helping to protect against virus attacks.
•
Establish a quarantine system for diskettes received from external sources, such as samples or
demonstration disks, or diskettes that have been used on PCs not belonging to the organisation.
For instance these diskettes could be tested on a standalone PC that has no other live or key
applications before being loaded onto the main computer.
•
Anti-virus (preventive) software should be installed on all microcomputers. Management should
ensure that they receive regular updates of the software from the supplier. This software can be
programmed to scan all floppy disks and to alert users of an infection.
•
All microcomputers, including the network server, should be periodically scanned for viruses
using the latest virus checking software.
•
Restrict access to, and especially downloading from, the Internet and electronic bulletin board
services.
•
Written policy should include procedures to be followed subsequent to the discovery of a
suspected virus. Such procedures should include the isolation of infected machines and the
Page 13
notification of the Network Security Officer. Only properly trained staff should remove viruses
from infected files, since such action could also result in the corruption of data.
Benefits
The business will be able to limit the risk of virus infection. Should the system be infected by a virus,
infected data and programs can be recovered in a timely and co-ordinated manner.
Page 14
Chapter 10
Copyright
Principle
Computer software in Hong Kong is protected in the same way as other literary works, such as
books and plays. The government is currently reviewing the law on copyright, and aims to draft a
Hong Kong Ordinance dealing comprehensively with the laws of copyright.
The law as it stands prohibits persons who are not the copyright owner from performing certain acts,
such as reproducing or publishing the copyright work. Further, the mere possession of an infringing
copy of copyright subject matter for any purpose, including business and trade, is a criminal offence
and can result in severe penalties.
Management should therefore ensure that staff only use licensed software on their computer,
according to the terms of that licence.
Suggested procedures
•
Staff should read and observe the terms of the licence with respect to all purchased software.
•
Staff generally should only load microcomputer software and updates to software according to
the terms of the licence. This in most cases will mean loading one software package on one
machine.
•
Management should not allow unauthorised copying of software for use on any other machine.
•
Management should develop and issue to all members of staff policies and procedures to ensure
compliance with all software licences. This will include procedures to ensure that a record of all
software and associated licence numbers is retained by the business.
Benefits
By establishing proper policies and procedures over the use computer software, management can
ensure compliance with existing legislation on copyright.
Page 15
Chapter 11
The Internet
Principle
Use of the world-wide computer network known as “the Internet” has increased exponentially in
recent years to the point where Internet access is now considered a basic business necessity. The
Internet is frequently used as an information source, a marketing tool and an important means of
communication. However, the connection of a corporate network to the Internet can leave a
business exposed to various security threats unless such a connection is properly configured and
maintained.
Suggested Procedures
•
Formal procedures should be set in place addressing the allocation of Internet access to staff.
Such access should be provided only as strictly necessary and should not be provided
company-wide as a matter of course. In addition, policies outlining correct Internet usage should
be communicated to staff.
•
Ideally, Internet access should be limited to machines which do not form part of the company
network. An Internet e-mail gateway may be considered as an alternative to full Internet access
for most users.
•
Strict anti-virus measures should be implemented on all machines with Internet access.
•
The use of developing Internet technologies should be restricted until the full security
implications of such technologies are known. The use of ‘beta’ software should be restricted.
•
Any gateway between the company network and the Internet should be protected by a properly
configured and maintained ‘firewall’ (a system which analyses traffic between the two networks
to ensure proper authorisation). No unprotected access (including dial-up access using modems)
should be allowed from the network.
Benefits
Appropriate controls on the use of the Internet and proper monitoring of network traffic will reduce
the risk of unauthorised network intrusions and possible theft or corruption of sensitive or
confidential information. In addition, the likelihood of legal liability being caused by a staff member’s
abuse of such Internet access will be minimised.
Page 16
Chapter 12
Legal implications
This section briefly describes some of the key legal implications over the use of computers and
computer information having regard to current and proposed computer-related legislation in Hong
Kong. If management require guidance over a specific issue, they should consult their legal advisor.
12.1 Computer Crimes Ordinance
The Computer Crimes Ordinance became law in April 1993. The objective of the Ordinance was
to "clarify and amend the criminal law relating to the misuse of computers". The Ordinance defines
"Misuse of a computer" as:
•
causing a computer to function other than it has been established to function, regardless
of whether or not the misuse impairs the operation of the computer or the reliability of
data held in the computer; or
•
altering or erasing any computer program or data; or
•
adding any program or data to a computer.
It is now an offence for anyone to obtain unauthorised access to a computer by telecommunication,
more commonly known as hacking. The intent of the person obtaining such access need not be
directed at a particular computer, or at any specific program or data held within a computer.
The Ordinance provides a means for organisations to prosecute those who access or damage the
information held on their computer without proper authority. However, one of the obstacles against
successful prosecution of a computer related crime is the need to prove the intention of the person
committing the offence. Management should therefore take steps to guard against computer misuse
and in this regard a well-defined set of computer security policies and procedures can be helpful.
Such policies should clearly define the responsibilities of everyone within an organisation for
maintaining proper security over the organisation's data. It should define the extent of access rights
for members of staff and, where appropriate, members of the public. It should also document the
procedures for assigning these access rights.
12.2 Data protection
The Personal Data (Privacy) Ordinance became law in December 1996. The objective of the
Ordinance was to protect the privacy interests of living individuals in relation to personal data.
Generally, the Ordinance covers any data relating directly or indirectly to a living individual (data
subject), from which it is practical to ascertain the identity of the individual and which are in a form
in which access or processing is practicable. It applies to any person (data user) that controls the
collection, holding, processing or use of personal data.
Page 17
Data users must follow the fair information practices stipulated in the data protection principles in
Schedule I of the Ordinance (see below for more detail).
The Ordinance gives rights to data subjects. They have the right to confirm with data users whether
their personal data are held, to obtain a copy of such data, and to have personal data corrected.
Any charge for providing a copy of personal data to a data subject may not be excessive. They may
complain to the Privacy Commissioner for Personal Data about a suspected breach of the
Ordinance's requirements and claim compensation for damage caused to them as a result of a
contravention of the Ordinance through civil proceedings.
The Ordinance establishes an independent statutory office to enforce and promote compliance with
provisions of the Ordinance. It is headed by the Privacy Commissioner for Personal Data who is
appointed by the Governor. His duties and powers include:
•
promoting the awareness and understanding of the Ordinance's requirements;
•
approving and issuing codes of practice giving practical guidance on compliance with
the Ordinance;
•
approving requests from data users on automated matching of personal data;
•
specifying classes of data users required to submit annual returns and to compile a
register of data users for public inspection;
•
inspection of personal data systems and making recommendations for compliance with
provisions of the Ordinance; and
•
investigation of suspected breaches of the Ordinance's requirements and issuing
enforcement notices to data users as appropriate.
Schedule 1 sets out six data protection principles. In line with international practice. They are:Principle 1 - Purpose and manner of collection - this provides for the lawful and fair
collection of personal data and sets out the information a data user must give to a data
subject when collecting personal data from that subject.
Principle 2 - Accuracy and duration of retention - this provides that personal data should be
accurate, up-to-date and kept no longer than necessary.
Principle 3 - Use of personal data - this provides that unless the data subject gives consent
otherwise personal data should be used for the purposes for which they were collected or a
directly related purpose.
Page 18
Principle 4 - Security of personal data -this requires appropriate security measures to be
applied to personal data (including data in a form in which access to or processing of the
data is not practicable).
Principle 5 - Information to be generally available - this provides for openness by data users
about the kinds of personal data they hold and the main purposes for which personal data
are used.
Principle 6 - Access to personal data -this provides for data subjects to have rights of
access to and correction of their personal data.
The Ordinance provides specific exemptions from the requirements of the Ordinance. They include:
•
a broad exemption from the provisions of the Ordinance for personal data held for
domestic or recreational purposes;
•
exemptions from the requirements on subject access for certain employment related
personal data (see paragraph below for details); and
•
exemptions from the subject access and use limitation requirements of the Ordinance
where their application is likely to prejudice certain competing public or social interests,
such as : security, defence and international relations; prevention or detection of crime;
assessment or collection of any tax or duty; news activities; and health.
Data users should bear in mind that the Ordinance also covers employment personal data under
their control. This includes the provisions of the Ordinance requiring data users to provide access to
personal data held by them. However, the Ordinance provides for the following exemptions from
the right of subject access for employment-related personal data:
•
data relating to staff planning;
•
data generated by certain evaluative processes, including a recruitment or promotion
exercise, prior to a decision being taken and where an appeal can be made against such
a decision;
•
a personal reference for an appointment up to the time when the position is filled;
•
employment-related personal data provided prior to the commencement of the
Ordinance on a basis that data subject would not be allowed access are exempt from
subject access until 3 August 2002;
•
employment-related personal data which are provided prior to the commencement of
the Ordinance other than on the basis that data subject would not be allowed access or
Page 19
which are provided after the commencement of the Ordinance are exempt from subject
access until 1 July 1996.
Section 64 provides for a variety of offences, for example non-compliance with an enforcement
notice served by the Privacy Commissioner carries a penalty of a fine at Level 5 (at present
$25,001 to $50,000) and imprisonment for 2 years.
Section 66 provides for an individual who suffers damage, including injured feeling, by reason of a
contravention of the Ordinance in relation to his or her personal data to obtain compensation from
the data user concerned.
Further details concerning the Personal Data (Privacy) Ordinance and advice on how to comply
with the Ordinance may be obtained from:
The Office of the Privacy Commissioner for Personal Data,
Unit 2001, 20th Floor, Office Tower,
Convention Plaza,
1 Harbour Road,
Wan Chai,
Hong Kong.
Page 20
Glossary
This glossary explains some of the more common computing terms used in this booklet or
that users may come across in their day to day work.
access
privileges
The privileges to read and make changes to data held on a computer;
they are given to or withheld from users. By setting appropriate access
privileges, you can control access to confidential information stored on
a computer or on a network server.
application
program
A program that performs a specific task, such as sales invoicing word
processing, or database management.
backup
A copy of a disk or of a program or data file
beta software
Pre-release versions of software programs which are made available
to the public for testing before commercial release. Such programs
often contain potentially dangerous ‘bugs’ or errors
bulletin boards
An electronic notice boards that could be for use within an
organisation or made available to the public. Bulletin board messages
are accessed over a network or with the use of a modem and a
telephone line and can usually be read by a wide body of people.
Bulletin boards can contain anything from technical hints and tips to
advertisements but have also been known to spread viruses and illegal
software.
byte, kilobyte,
megabyte
Bytes are the binary representation of information such as decimal
numbers or characters. A byte is a unit of information consisting of
eight bits; a bit is a unit of information that a computer can hold. The
value of a bit (1 or 0) represents a simple two-way choice, such as yes
or no. A kilobyte(Kb) consists of 1,024 bytes, that is (210) bytes, and
a megabyte (Mb) consists of 1,024 kilobytes, or 1,047,576 bytes.
CD-ROM
Stands for Compact Disc Read-Only Memory; a compact laser disc,
similar in appearance to an audio CD, that can store approximately
600Mb of information. The information is designated as read-only
because a CD drive can read the information but cannot record new
information.
Page 21
central processing unit
(CPU)
computer viruses
The “brain” of the computer; the microprocessor that performs the
actual computations.
A computer virus is a set of computer program instructions designed to
duplicate itself. It can be introduced to a computer or a computer
network without the user being aware to it, typically by loading a
previously infected disk, for example a game disk. Viruses may
corrupt or delete programs and data across the PC or on an entire PC
network. These actions may not always occur at random or be
triggered by some event such as a particular data.
E-Mail
Electronic mail (E-Mail) is a facility that allows users to send messages
to, and receive messages from, other users. This can be set up
internally within an organization or it can utilise external E-Mail services
to communicate with external users. E-Mail systems allow data, files,
spreadsheet documents, etc, to be sent along with a text message to
another computer. E-Mail requires software and a modem or a
network.
encryption
A method of encoding data such that it cannot be read even if
intercepted by unauthorized users. Encryption is often used when
transmitting sensitive or confidential information.
Ethernet
An industry-standard method of transporting data over a network.
Ethernet is currently the most common method of linking a PC
network.
file-server
A computer, usually with a high processing power and a large amount
of disk storage capacity, that is available to users on a network and
controls access to that network. Programs and data which network
users need to share are stored on file-servers.
firewall
A system consisting of hardware and/or software designed to monitor
and regulate network traffic. Most often used to protect networks
from Internet-based intrusions.
Page 22
floppy disk, hard disk
A floppy disk is made of flexible plastic, as opposed to a hard disk,
which is made of metal and sealed into a case or cartridge. The term
floppy originally applied to disks with thin, flexible disk jackets, such
as 5.25-inch disks, which were literally floppy and could be easily
bent. With 3.5-inch disks, the disk itself is flexible, but the jacket is
made of hard plastic. Both kinds, however, are called floppy disks. A
hard disk can store very large amounts of information compared to
3.5-inch or 5.25-inch disks.
grandfather, father,
son
A backup procedure consisting of three sets of backup, with the “son”
being the most recent, and the “grandfather” being the oldest backup
copy. When a backup routine is performed, the storage device used
for the “grandfather” is reused and becomes the “son”, the “son”
becomes the “father”, and the “father” becomes the “grandfather”. In
this way, three generations of backup are maintained at all times,
thereby minimising the risk of complete data loss.
LAN
Local Area Network(LAN) is a group of computers connected for the
purpose of sharing resources. The computers on a LAN are typically
joined by a single transmission cable and are located within a small
area such as a single building or section of a building.
log off
To indicate to a system or network that you have completed your
work and are terminating interaction.
log on/log in
To identify yourself to a system or network and start to use it. usually
logging on requires a password, depending on the system.
magnetic tapes
A plastic tape coated on one side with a substance suitable for storage
of large quantities of programs and data. They range in appearance
from traditional computer tapes on a reel to smaller tapes resembling
audio cassette tapes. Tapes are mainly used for archival storage of
data and are not suitable for routine of frequently used data.
main memory
The part of a computer’s memory whose contents are directly
accessible to the microprocessor; usually synonymous with RandomAccess Memory (RAM). Programs are loaded into main memory,
where the computer keeps information while you are working.
Page 23
memory
A hardware component of a computer system that can store
information for later retrieval.
modem
MOdulator-DEModulator. A “Black box” between a device and a
communication line, converting a digital signal into one or more suited
to telephone transmission, or vice versa.
mouse
A small device that can be moved around on a flat surface next to the
computer. The mouse controls a pointer on the screen whose
movements correspond to those of the mouse and is used to select
operations, to move data, and to draw within graphics programs.
network
administrator
The person who sets up a network file server, registers users and their
passwords, and maintains the file server.
PC
Personal Computer (PC) initially referred to the IBM
Personal Computer but is now extended to include other
microcomputers whether or not they are compatible with IBM PCs.
RAM
Random Access Memory (RAM) is transient memory that is
addressed directly by the computer’s central processing unit (CPU).
RAM is used to temporarily store data that they CPU is waiting to
process, is processing, or has just processed. Any information held in
RAM is lost if the computer’s power is switched off, or if another
piece of information uses that area of memory.
ROM
Read Only memory (ROM) is used to store the program instructions
required for all the computer’s basic operations. Any data or program
instructions held in ROM chips are permanent. The computer reads
information from ROM but cannot store any information there.
software
A collective term for programs, the instructions that tell the computer
what to do.
TCP/IP
(Transmission Control Protocol/Internet Protocol): the protocols that
define the rules governing how messages are exchanged on the Internet
and many corporate networks.
user
A person operating or controlling a computer system and who has a
specific use for the computer.
user ID
A unique name assigned to a registered user and used to identify that
user on the network. it is commonly used together with a password.
Page 24
user profile
WAN
A set of permissions allocated to a user controlling that person’s
access to application programs, data files and directories on a
computer system.
Wide Area Network (WAN) is a system of interconnected local area
networks that span a wide geographical area.
Page 25
Related documents
7.1 The Articles of Confederation (pp. 192-198)
7.1 The Articles of Confederation (pp. 192-198)
ABSTRACT Vending Mobile Food Vending is one of the fastest growing entrepreneurial...
ABSTRACT Vending Mobile Food Vending is one of the fastest growing entrepreneurial...
REZONING MEMORANDUM ARBORIST OFFICE Reviewer: Laura
REZONING MEMORANDUM ARBORIST OFFICE Reviewer: Laura
OCA-8
OCA-8
US Chapter 7 Study Guide
US Chapter 7 Study Guide
2016-083 Maximum of 125 single family attached dwelling units (townhomes)
2016-083 Maximum of 125 single family attached dwelling units (townhomes)
Download
advertisement