Unit 09 - Enderoth

advertisement
ORGANISATIONAL SYSTEMS SECURITY
T/601/7312
LEVEL 3 UNIT 5
LO3 - Understand the organisational
issues affecting the security of IT
systems



Organisations collect, create and manipulate a wide range of data and
information; the cost of these activities is often much higher than the
organisation realises until they are lost or stolen. Everyone who works with an
information system should understand their responsibility to protect the
system against theft or loss and all IT professionals need to understand how
to support the organisation in protecting its digital assets and hardware. This
unit will enable the learner to recognise the importance of protecting systems
against any security issues or failures when working with the hardware and
software and providing guidance to customers on the security of their
systems.
Additionally, it will also ensure that learners keep the importance of security
at the forefront of their activities in order to identify threats and protect the
organisation and its assets as they work with the information system while
working towards the qualification as well as in the work place.
The aim of this unit is to provide the learner with an understanding of the
importance of securing organisational IT systems, the impact of the law on the
application of security policies and the range of security threats which must
be protected against with an organisation and the tools which are used to
provide protection. The learner will be able to apply this knowledge to any
organisation through reviewing and making recommendations for
improvements.
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
Learning Outcome (LO)
The learner will:
Pass
The assessment criteria are
the pass requirements for
this unit.
The learner can:
Merit
For merit the evidence must show
that, in addition to the pass
criteria, the learner is able to:
1
Understand the
impact of potential
threats to IT systems
P1
Explain the impact of
different types of threat
on an organisation
M1
Compare and contrast the
impact of different types
of threat to different
organisation types
2
Know how
organisations can
keep systems and
data secure
P2
Describe how physical
security measures can
aid in keeping systems
secure
M2
Discuss the effectiveness
of physical security
measures used in an
identified organisation
Describe how software
and network security
can keep systems and
data secure
M3
Discuss the effectiveness
of software security
measures used in an
identified organisation
P3
3
Understand the
organisational issues
affecting the security
of IT systems
P4
Explain the policies and
guidelines for
managing
organisational IT
security issues
P5
Explain how
employment contracts
can affect security
P6
Scenario
Criteria
1
2
3
4
Distinction
For distinction the evidence
must show that, in addition
to the pass & merit criteria,
the learner is able to:
D1
Recommend
modifications to
policies and
guidelines for
managing
organisational IT
security issues
D2
Review contracts of
employment in an
organisation and
their impact on
security
Assess the laws related
to security and privacy
of data
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment





P4 The learner should explain at least three different policies and guidelines for managing
organisational IT security and give details of the purpose and scope for these. This could be
in the form of a report.
P5 The learner should evidence at least three different types of employment contract for
junior, middle management and senior management and explain how their generic roles
and responsibilities and the wording of the contracts might be used to implement the
security procedures within an organisation. This could be evidenced as a report with copies
of the contracts to support explanations.
P6 The learner should assess the laws relating to security and privacy which are relevant to
the United Kingdom and consider how they affect institutions. They could relate this to
identified organisations to support their work. This could be presented as a report.
For distinction criterion D1 the learner must use policies and guidelines relating to
information security used within an identified organisation potentially using those reviewed
in P4. The learner should describe and comment on the policies and procedures and
recommend modifications to them identifying how these recommendations would improve
the policies and guidelines. This could be evidenced in the form of a report.
For distinction criterion D2 The learner must have the opportunity to review contracts of
employment and the components that will enable an organisation to protect themselves. As
this is an extension of P5, learners should extend their explanations to review how
organisations can further improve their security by including policies within contracts of
employment and how this may impact on the organisation as a whole. This could be
evidenced through a report or presentation but must include sufficient details to support
their review.
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment



The internet has samples of model security policies which are actually in
use and the centre will have one too. Learners should research these and
obtain copies of one or two comparing their ideas for policies and
procedures with those from a real organisation such as the learning
centre or an identified organisation. The learner will develop their
reasoning so that they are able to move from general discussion to
evaluating policies and guidelines which have been designed for a specific
use within an organisation.
The learner should have a clear understanding of the type of organisation
they are working with such as its functions, locations(s) and types of data
it uses and then be able to review current policies and procedures for the
organisation making recommendations for improvements. The learners
should also consider how an organisations policies and procedures are
linked to an individual’s contract of employment and the responsibilities
and liabilities these place on the employee.
With regards to legislation learners should focus on what each of the Acts
means, the purpose of the act and the implications for an organisation or
individual. With constantly changing legislation learners should review
and consider new or outline legislation or revisions that may affect an
organisation in this way.
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment


Every company that uses computers, email, the internet, and software on a daily basis should have
information technology (IT) policies in place. It is important for employees to know what is expected and
required of them when using the technology provided by their employer, and it is critical for a company to
protect itself by having policies to govern areas such as personal internet and email usage, security,
software and hardware inventory and data retention. It is also important for the business owner to know
the potential lost time and productivity at their business because of personal internet usage.
Without written policies, there are no standards to reference when both sticky and status quo situations
arise, such as those highlighted above.
So, what exactly are the IT policies that every company should have? There are six areas that need to be
addressed:
◦ Acceptable Use of Technology: Guidelines for the use of computers, fax machines, telephones,
internet, email, and voicemail and the consequences for misuse.
◦ Security: Guidelines for passwords, levels of access to the network, virus protection, confidentiality,
and the usage of data.
◦ Disaster Recovery: Guidelines for data recovery in the event of a disaster, and data backup methods.
Technology Standards: Guidelines to determine the type of software, hardware, and systems will be
purchased and used at the company, including those that are prohibited (for example, instant
messenger or mp3 music download software).
◦ Network Set up and Documentation: Guidelines regarding how the network is configured, how to
add new employees to the network, permission levels for employees, and licensing of software.
◦ IT Services: Guidelines to determine how technology needs and problems will be addressed, who in
the organization is responsible for employee technical support, maintenance, installation, and longterm technology planning.
Task 1 – P4.1 – Describe for your School why there is a need for an IT policy to be in place and the dangers
that exist that the policy is designed to protect against.

Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
On a larger scale, company IT policies tend to be standard across sites, the same
IT policy in Subway in Chislehurst will be the same as the Subway in Ballymena,
Corby, Glasgow. The risks are the same, the policies vary slightly depending on
the nature of the business, the information the company manages and the
security threats that have been successful or attempted from the past.
Staff at these companies will be aware of these policies, specifically when it comes
to more sensitive information. Most companies get their staff to sigh an AUP,
Acceptable Use Policy. In schools there should be one by the door to every
classroom that has a computer.
Companies write these to protect themselves and their customers. Using two
policies you will need to analyse, compare and review these based on a range of
criteria that needs to be set.



Bath University
Co-op
Greggs
Princeton University
Asda
McDonalds
MIT University
Morrisons
Subway
Task 2 – P4.2 – Using 2 different business models and the Report Template, define
the Companies Purpose, Functions, Location and Types of Data they manage from
day to day.
Purpose
Business 1
Scenario
Criteria
Function
Business 2
1
2
3
Business 1
4
5
6
7
Location
Business 2
8
9
10
Business 1
11
12
13
Types of Data
Business 2
14
15
16
Business 1
17
18
19
Business 2
20
Assessment
Policies are there to protect customers information, staff details and to
protect the company. Writing a policy document makes it legal. All new staff
read these and sign an agreement that they understand it. Then it become
official. They breach the policy, they signed the agreement. They download at
work, they signed the agreement, they look at things they should not, you
can see where this is going. Companies need to be protected, policies need
to be updated when things change so the company remains protected.
 And everyone is affected. When a student starts a school they sign the
agreement, or their parents do, as do staff. This means we follow etiquette,
we do not download, we do not abuse the emails, we do not look at
inappropriate materials on the internet. Lowest case scenario is a verbal or
written warning, or the facility is blocked, email is suspended. And as all
emails and Internet traffic is monitored with a produced log and Internet
trail, and as we know this, we abide by the rules.
 Click here for statistics on why these policies are necessary.
Task 3 – P4.3 – Using 2 different business models and the Report Template,
define the Policy Purpose and Policy Audience.

Policy Purpose
Business 1
Scenario
Criteria
1
2
Policy Audience
Business 2
3
4
5
6
7
8
9
Business 1
10
11
12
13
14
15
Business 2
16
17
18
19
20
Assessment
While Usernames will be considered public information, passwords are the
first line of defence at providing for computer and information security. It is
inevitably the individual’s responsibility to maintain the security of their
password while maintaining a certain level of complexity within that
password as not to allow for breeches of that Username. Usernames and
password management is a significant part of an overall solution to improve
security. The overall protection of the key assets must begin with the
individual who has access to them.
 Policies outline how Usernames will be created and how a user will be
required to choose a password that is considered to be strong given best
practices as they exist currently. Additional requirements are usually outlined
in policies as will the creation of default passwords, changing of passwords,
and resetting of passwords. Each user of computing resources is expected
to stick to their company policy.
 Click here for statistics on why poor policies with passwords.
Task 4 – P4.4 – Using 2 different business models and the Report Template,
define the Companies Policy on Passwords procedures.

Guidelines on User names
Business 1
Scenario
Criteria
1
2
Guidelines on Passwords
Business 2
3
4
5
6
7
8
9
Business 1
10
11
12
13
14
15
Business 2
16
17
18
19
20
Assessment
Company policies are designed for a reason and the one particular danger
that companies always come up with is the effective and abusive use of
emails at work. There are two dangers involved in these, those who use
emails trivially and those who use email maliciously. Company policy tries to
limit the first and demands a halt to the second.
 Ineffective use of emails can include sending trivial emails on company time,
sending materials that are wrong, images, comments, slanders, using bad
language, using inappropriate layouts and manners when sending emails to
customers. Etiquette, restrictions and monitoring can manage these.
 Malicious use of emails is more dangerous, cyber bullying, threatening
behaviour, the spreading of materials such as images, viruses, leaked
information, malware etc. These are harder to stop as the emails are already
internal but they can cause damage to the company, prosecutions,
reputations being lost. Click here and here for the damage though
inadvertent use.
Task 5 – P4.5 – Using 2 different business models and the Report Template,
define the Companies Policy on Email procedures.

Ineffective use of Emails
Business 1
Scenario
Criteria
1
2
Malicious Use of Emails
Business 2
3
4
5
6
7
8
9
Business 1
10
11
12
13
14
15
Business 2
16
17
18
19
20
Assessment
Cyber Bullying is common in the outside world, emails, texts, Facebook
comments, tweets etc., it is very easy to get and use IT for these purposes.
There are news articles all the time that pick up on these. Policies within
businesses are written to limit this down, when someone prosecutes, a
company can become involved if it happens in the workplace and is not dealt
with. The workplace is a hotbed of tensions, of personalities and potential
problems. It is in the companies best interest to reduce down their
involvement in this.
 Monitoring is the simplest ICT method, all emails and stored, all internet
activity monitored, audit trails and network logs will track all internet activity
that goes through the system. Company phones and conversations with
clients, customers and suppliers are recorded etc. this constant monitoring
and pervasive tagging may seem over the top but it works, staff who are
afraid of getting caught will limit their activities.
 Click here and here for examples of how cyber bullying can affect the
reputation and finances of a company.
Task 6 – P4.6 – Using 2 different business models and the Report Template,
define the Companies Policy on Cyber Bullying and tracking procedures.

Cyber bullying
Business 1
Scenario
Criteria
1
2
Activity Tracking
Business 2
3
4
5
6
7
8
9
Business 1
10
11
12
13
14
15
Business 2
16
17
18
19
20
Assessment
Within every company there is sensitive information, staff details, customer
details, reports, staff reviews, medical information and other information that
needs to be protected under the Data protection Act. This is a given, information
needs protecting but sometime sit also needs to be seen and not changed. Access
privileges are set on two levels, staff rights of access and file rights of access.
 For staff, limiting down folders, hiding information, storing things in different
locations etc. this makes it more difficult to illegally or accidentally access, giving
staff access privileges such as read rights, copy rights, and delete rights set the
network controls on how those files are seen and read. For instance the network
manager can see everything because they need to set the rights but is bound by a
code of confidentiality, a standard office worker can see some customer
information but only through granted access as related to their job. Abusing this
privilege or attempting to access materials above their pay grade is considered a
breach of the Computer Misuse Act.
 Click here and here for examples of how abusing access privileges can affect the
reputation and finances of a company.
Task 7 – P4.7 – Using 2 different business models and the Report Template, define
the Companies Policy on Access Privileges procedures.

Access Privileges
Business 1
Scenario
Criteria
1
2
3
4
5
Business 2
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
Backups are vital within a company and disaster recovery plans are linked to the levels,
depth and location of these backups. To lose a connection for a minute for some
companies can be annoying, possibly expensive, to be down for a day can cause a
serious drop in profitability, to be down for a week will break a lot of companies. This
is why businesses draw up a disaster recovery plan, and why backing up information,
hourly, nightly and weekly is vital to this.
 How fast a company can recover its systems is the key to this, PSN network was down
for several days costing the company in the range of $18bn in reputation and
compensation, RBS set aside £125m because of its ICT loss in February 2013. The IT
disaster recovery plan after the Kobe Earthquake in 1995 was immense, a similar
earthquake like March 2011 was less expensive because companies planned for it, had
backups, had external sites, had cloud and network storage. For some companies the
recovery time was hours.
 By law, schools backup their files nightly and weekly, keep a backup in a fireproof safe
and store a copy of the network off-site. Think of what a large company with a turnover
of 100 times a school will need to do.
 Click here and here for examples of how abusing Backup and Disaster Recovery can
affect the reputation and finances of a company.
Task 8 – P4.8 – Using 2 different business models and the Report Template, define the
Companies Policy on Backup and Disaster Recovery procedures.

Backup Policy
Business 1
Scenario
Criteria
1
2
Disaster Recovery Policy
Business 2
3
4
5
6
7
8
9
Business 1
10
11
12
13
14
15
Business 2
16
17
18
19
20
Assessment
Every new employee signs an AUP agreement, even if they do not physically write it
down, all companies with computers have them. The physical and software security on
a network is designed to almost all of the breaches that might happen. There are
programs installed on most systems that help this, Novell Client, IIS, IP addressing,
Login names and passwords, Firewalls, Virus Checkers, Proxy server software.
 Just having the agreement is half the cure, staff can be fired for computer misuse, they
sighed the AUP, they can have their job changed, they signed the AUP, they can have
privileges removed, they signed the AUP.
 Setting user levels also benefits the network Security, setting protocols and rights of
access. And then there is external security, SSL, remote access, restricted service
access, limited external access to files and more companies are moving across to cloud
security for external files. At the end of the day, any company with more than 20 staff
will have a network team that spends their days securing the network, finding new
breaches, blocking new gaps, locking down new VPN’s, updating banned logs and
monitoring incoming, outgoing and internal network activity.
 Click here, here and here for examples of how abusing Network Security and AUP
policies can affect the reputation and finances of a company.
Task 9 – P4.9 – Using 2 different business models and the Report Template, define the
Companies Policy on Network Security and Policy procedures.

Network Security
Business 1
Scenario
Criteria
1
2
AUP Policy
Business 2
3
4
5
6
7
8
9
Business 1
10
11
12
13
14
15
Business 2
16
17
18
19
20
Assessment
Just as policies are in place, computers are locked, windows are protected, software
secure, then someone steals the box. Laptops, tablets, phones, memory sticks, portable
hard drives, keyboards, mice and even the cables that connect them are at risk. Physical
controls vary from company to company depending on the threat and the expense. A
school would have locks on the doors, locks on the back of the computer and perhaps
smoke alarms and movement sensors in the room. But this is not enough to stop theft or
damage and for every computer missing or machine down due to partial or complete
damage, there is a loss of business function. So we lock the windows, close the curtain,
secure the rooms so no-one is in there without staff presence, security pen mark,
infrared marking, we check each room after the lesson is done. But there are still things
missing, mice, keyboards, cables unplugged etc.
 In larger companies the physical controls also include card swipes, keypad security,
fingerprint logins, laptop locks, video cameras, grills, screen protectors, guards, dogs,
RFID tracking. Some companies even put silent alarms on the doors that destroy
hardware that is removed from the room like banks and cash.
 At the end of the day physical prevention and being seen to be preventing is a good
deterrent, specifically against opportunist thieves.
 Click here, here and here for examples of how abusing Physical Controls can affect the
reputation and finances of a company.
Task 10 – P4.10– Using 2 different business models and the Report Template, define the
Companies Policy on Physical Controls procedures.

Physical Controls
Business 1
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Business 2
18
19
20
Assessment
IT asset management is an important part of any business strategy. It usually involves
gathering hardware and software inventory information which is then used to make
decisions about hardware and software purchases. IT inventory management helps a
company manage their systems more effectively and saves time and money by avoiding
unnecessary asset purchases and promoting the better use of existing resources.
Businesses that develop and maintain an effective IT asset management program further
reduce the incremental risks and related costs of advancing IT demands on projects
based on old, incomplete and/or less accurate information.
 Hardware asset management is the management of the physical components of
computers and computer networks, from acquisition through disposal. Common business
practices include request and approval process, procurement management, life cycle
management, redeployment and disposal management.
 Think of it as replacing broken stuff before it is broken, ordering paper before the paper
runs out, replacing IT equipment every 3 years, MOT’ing current hardware, hotswopping, cascading, and finding new tools for old jobs. Think bathroom, think toilet
paper, think Andrew Puppy.
 Click here, here and here for examples of how abusing Asset Management can affect the
reputation and finances of a company.
Task 11 – P4.11 – Using 2 different business models and the Report Template, define the
Companies Policy on Asset Management procedures.

Asset Management
Business 1
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Business 2
18
19
20
Assessment





User Responsibility – The AUP policy lays down the rules but these are ethereal, no
frivolous emails, but what is frivolous. No Internet Searching, but what if it is
necessary, how much should be spent finding the right information and what if the
link goes somewhere it should not, what about Pop-Ups. And printing, single sided
or double, colour or B&W.
Self control is a big issue in business, the Water Cooler philosophy, how much down
time can a member of staff take advantage of to alleviate stress. Personal
responsibility is something that is ingrained into staff in most companies, the love
of the job, the devotion to the employer. Happy staff make productive staff. Good
internet, email and file etiquette is hammered home but it is still something that is
specific for the task. If it was the last page in the printer, would you go out of your
way to put more paper in.
And at what point is it not your job, if a mouse is unplugged should you plug it
back in. And tomorrow, and the next day, and every time a certain person walks
past your desk. Should you replace the toner cartridge, should you click on the
repair button in Windows, should you delete files on a shared drive just because
you can.
This may all seem trivial but the self responsibility issue in companies can affect
productivity, morale, personal space, and can affect customer care.
Click here and here for examples of how abusing User Responsibility can affect the
reputation and finances of a company.
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
Issue Reporting – Most Intranets have a link on them to report a
network issue, but all networks have software for recording their own
issues. Tracking through network logs, web logs, email logs etc. and
linking this through the portal allows a network manager to allocate
resources and staff to repairs as they happen. For instance a printer log
will tell the system when the cartridge is running low or paper is
running out, a linked version will then order a replacement.

Similarly a web log records activity, looks at patterns, checks visited
sites for issues and puts into place protocols that block them or caches
them.

Staff reporting of issues pre-empts this, reducing down the need to
wait for a fault report and allows a quicker turnover of repairs. Good
business practice is to take advantage of both of these, personal and
log, in order to reduce downtime, improve efficiency and alleviate staff
stress.

Click here and here for examples of how abusing Issue Reporting can
affect the reputation and finances of a company.
Task 12 – P4.12 – Using 2 different business models and the Report
Template, define the Companies Policy on User Responsibility and Issue
Reporting procedures.

User responsibility
Business 1
Scenario
Criteria
1
2
Issue reporting
Business 2
3
4
5
6
7
8
9
Business 1
10
11
12
13
14
15
Business 2
16
17
18
19
20
Assessment
For your two companies you will need to make recommendations for the
improvements of their policies. Each policy has something that could be
made more secure, either relate to their contract of employment or to
their hiring, user or
 Recommend modifications to policies and guidelines for managing
organisational IT security issues
Task 13 – D1.1 – Using 2 different business models and the Report
Template, recommend modifications to policies and guidelines for
managing organisational IT security issues.

Business 1
Business 2
Guidelines on User names
Guidelines on Passwords
Guidelines on User names
Guidelines on Passwords
Ineffective use of Emails
Malicious Use of Emails
Ineffective use of Emails
Malicious Use of Emails
Cyber bullying
Activity Tracking
Cyber bullying
Activity Tracking
Access Privileges
Access Privileges
Backup Policy
Disaster Recovery Policy
Backup Policy
Disaster Recovery Policy
Network Security
AUP Policy
Network Security
AUP Policy
Physical Controls
Assets Management
Physical Controls
Assets Management
User responsibility
Issue reporting
User responsibility
Issue reporting
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment




All employees have an employment contract with their employer. A contract is an
agreement that sets out an employee’s:
1. employment conditions
2. rights
3. responsibilities
4. duties
These are called the ‘terms’ of the contract. Employees and employers must stick to a
contract until it ends (e.g. by an employer or employee giving notice or an employee
being dismissed) or until the terms are changed (usually by agreement between the
employee and employer). If a person has an agreement to do some work for someone
(like paint their house), this isn’t an employment contract but a ‘contract to provide
services’.
Accepting a contract - As soon as someone accepts a job offer they have a contract
with their employer. An employment contract doesn’t have to be written down.
Contract terms - The legal parts of a contract are known as ‘terms’. An employer
should make clear which parts of a contract are legally binding. Contract terms could
be:
1. in a written contract, or similar document like a written statement of employment
2. verbally agreed
3. in an employee handbook or on a company notice board
4. in an offer letter from the employer
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment

Implied terms – These are terms that are automatically part of a contract even if they’re not
written down. Examples of an implied term include:
1.
employees not stealing from their employer
2.
your employer providing a safe and secure working environment
3.
a legal requirement like the right to a minimum of 5.6 weeks’ paid holidays
4.
something necessary to do the job like a driver having a valid licence
5.
something that’s been done regularly in a company over a long time like paying a Christmas
bonus
6.
If there’s nothing clearly agreed between you and your employer about a particular issue, it
may be covered by an implied term.

Collective agreements - An employer may have an agreement with employees’ representatives
(from trade unions or staff associations) that allows negotiations of terms and conditions like
pay or working hours. This is called a collective agreement. The terms of the agreement could
include:
1.
how negotiations will be organised
2.
who will represent employees
3.
which employees are covered by the agreement
4.
which terms and conditions the agreement will cover

Written statement of employment particulars - An employer must give employees a ‘written
statement of employment particulars’ if their employment contract lasts at least a month or
more. This isn’t an employment contract but will include the main conditions of employment.
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
The employer must provide the written statement within 2 months of the start of
employment. If an employee works abroad for more than a month during their first
2 months’ employment, the employer must give them the written statement before
they leave.
 What a written statement must include
 A written statement can be made up of more than one document (if the employer
gives employees different sections of their statement at different times). If this
does happen, one of the documents (called the ‘principal statement’) must include
as a minimum: the business’s name, the employee’s name, job title or a
description of work and start date, if a previous job counts towards a period of
continuous employment, the date the period started, how much and how often an
employee will get paid.
 Also hours of work (and if employees will have to work Sundays, nights or
overtime, holiday entitlement, where an employee will be working and whether
they might have to relocate, if an employee works in different places, where these
will be and what the employer’s address is
 As well as the principal statement, a written statement must also contain
information about how long a temporary job is expected to last, the end date of a
fixed-term contract, notice periods, collective agreements, pensions, who to go to
with a grievance, how to complain about how a grievance is handled, how to
complain about a disciplinary or dismissal decision.
Task 14 – P5.1 – Describe in brief terms what a Contract of Employment is.

Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
Why it is necessary
 Hacking has been around almost as long as the Internet; some
people just love to try and break into a computer system.
 Prior to 1990, there was no legislation in place to tackle the
problems caused by hacking. Although everyone knew that it was
wrong and should be against the law, there was nothing that
anyone could do about it.
 As the problem grew, it became apparent that specific legislation
was needed to enable hackers to be prosecuted under the law.
So, in 1990, the Computer Misuse Act was passed.
 The Computer Misuse Act (1990) recognised the following new
offences:
◦ Unauthorised access to computer material
◦ Unauthorised access with intent to commit or facilitate a crime
◦ Unauthorised modification of computer material.
◦ Making, supplying or obtaining anything which can be used in
computer misuse offences.
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
At the end of the day the Computer Misuse Act is there to
prevent unauthorised access or damage. The things that it covers
without mentioning the names include Viruses (creating and
planting), Hacking (internally and externally) DDOS, Spam and
Junk emails, directed damage to systems with the intent on
causing any slowdown or hindrance to companies.
 Despite the 30 years of attempting stopping, hacking and Viruses
still happen to this day. Virus checkers, firewalls, constant
upgrades and preventative measures like SSL still have
weaknesses that can leave companies vulnerable.
 The Computer Misuse Act does not prevent the damage but is
there to punish those caught. The Act only applies to Britain,
every other country has their own versions but some countries do
not have any.
Task 20 – P6.2 - Produce a report describing the Computer Misuse
Act, and what protections for businesses it provides.

What is it?
Scenario
Criteria
1
2
3
4
How your Company could Adhere to Legislation
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
Task 1 – P4.1 – Describe for your School why there is a need for an IT policy to be in
place and the dangers that exist that the policy is designed to protect against.
Task 2 – P4.2 – Using 2 different business models and the Report Template, define the
Companies Purpose, Functions, Location and Types of Data they manage from day to
day.
Task 3 – P4.3 – Using 2 different business models and the Report Template, define the
Policy Purpose and Policy Audience.
Task 4 – P4.4 – Using 2 different business models and the Report Template, define the
Companies Policy on Passwords procedures.
Task 5 – P4.5 – Using 2 different business models and the Report Template, define the
Companies Policy on Email procedures.
Task 6 – P4.6 – Using 2 different business models and the Report Template, define the
Companies Policy on Cyber Bullying and tracking procedures.
Task 7 – P4.7 – Using 2 different business models and the Report Template, define the
Companies Policy on Access Privileges procedures.
Task 8 – P4.8 – Using 2 different business models and the Report Template, define the
Companies Policy on Backup and Disaster Recovery procedures.
Task 9 – P4.9 – Using 2 different business models and the Report Template, define the
Companies Policy on Network Security and Policy procedures.
Task 10 – P4.10– Using 2 different business models and the Report Template, define the
Companies Policy on Physical Controls procedures.
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
Task 11 – P4.11 – Using 2 different business models and the Report Template, define the
Companies Policy on Asset Management procedures.
Task 12 – P4.12 – Using 2 different business models and the Report Template, define the
Companies Policy on User Responsibility and Issue Reporting procedures.
Task 13 – D1.1 – Using 2 different business models and the Report Template, recommend
modifications to policies and guidelines for managing organisational IT security issues.
Task 14 – P5.1 – Describe in brief terms what a Contract of Employment is.
Task 15 (P5.2) - Produce a report describing how DBS checks can have an impact on
Employment Contracts and can affect Employee choice..
Task 16 – P5.3 - Using 2 employment contracts, one admin staff or one employee and one
contract staff, analyse in a report with evidence how these contracts can affect security
within a business.
Task 17 – D2.1 – Using 2 different business models and the Report Template, explain and
evaluate how Employment Contracts can affect the security of your business.
Task 18 – D2.2 – Make recommendations and evaluate How these recommendations to
Employment Contracts would improve the policies and guidelines.
Task 19 – P6.1 - Produce a report describing the risks and the measures employees
/employers need to consider when dealing within data held
Task 20 – P6.2 - Produce a report describing the Computer Misuse Act, and what
protections for businesses it provides.
Scenario
Criteria
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
Assessment
Download