2003
Mark Kelly, McKinnon Secondary College
Format?
• a written report
• a test
• an annotated visual representation.
Official government tests show that 100% of sensible teachers use the test option
- Quick to do
- Quick to mark
- Perfect exam preparation
Beat it into your students…
• Physical security (doors, bars)
• Logical / electronic security (passwords, biometric)
• Procedural security (e.g. training staff to reject phishing and be suspicious of attachments, backing up data)
Mythbusters
• Cover adware, trojans
• Routers are NOT switches!
• Firewalls do NOT stop viruses!
• Firewalls need to monitor incoming and outgoing data to be worthwhile
– Hardware firewalls (e.g. home routers) and bad software firewalls check incoming but not outgoing data
• ITA just l-o-v-e-s the internet
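As an added illustration of the "incoming and outgoing" point (this is not code from the original slides), here is a small Python packet-filter simulator with two hypothetical rule sets. Rule set A only ever looks at inbound traffic, as the slide says cheap home routers and bad software firewalls do; rule set B adds explicit egress rules. The ports, rule names and sample packets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the internet, "out" = leaving the LAN
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str                   # "in", "out" or "any"
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches any protocol
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in (None, p.proto)
                and self.dst_port in (None, p.dst_port))


def evaluate(rules: List[Rule], packet: Packet, default: str = "allow") -> str:
    """First matching rule wins. A packet no rule mentions gets the default,
    which is the trap: a rule set that never mentions 'out' allows all of it."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return default


# Rule set A: the "bad" firewall from the slide. Inbound is locked down,
# outbound is simply never looked at.
INBOUND_ONLY = [
    Rule("in", "allow", "tcp", 443),   # public web server
    Rule("in", "deny"),                # every other unsolicited inbound packet
]

# Rule set B: the same inbound policy plus explicit egress control, so a
# workstation may only talk to the internet over web and DNS.
BOTH_DIRECTIONS = INBOUND_ONLY + [
    Rule("out", "allow", "tcp", 80),
    Rule("out", "allow", "tcp", 443),
    Rule("out", "allow", "udp", 53),
    Rule("out", "deny"),
]

# Constructed sample traffic (not captured from a real network)
TRAFFIC: Dict[str, Packet] = {
    "inbound probe of file sharing port": Packet("in", "tcp", 445),
    "inbound https to web server":        Packet("in", "tcp", 443),
    "staff web browsing":                 Packet("out", "tcp", 443),
    "workstation talking to odd port":    Packet("out", "tcp", 6667),
}


def compare(rules_a: List[Rule], rules_b: List[Rule]) -> Dict[str, Tuple[str, str]]:
    """Verdict of each rule set for every sample packet: (verdict A, verdict B)."""
    return {name: (evaluate(rules_a, p), evaluate(rules_b, p))
            for name, p in TRAFFIC.items()}


if __name__ == "__main__":
    for name, (a, b) in compare(INBOUND_ONLY, BOTH_DIRECTIONS).items():
        print(f"{name:36} inbound-only: {a:5}  both directions: {b}")
```

The last sample packet is the one the slide is really about: neither rule set could have stopped a virus arriving by e-mail, but once an infected workstation starts talking to an unusual port, only the firewall that checks outgoing data blocks it and gives the administrator something to log.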
KEY KNOWLEDGE
• KK4.2.01 - an overview of the legal and ethical reasons why organisations should monitor and control the storage, communication and disposal of information;
• Study design does not list relevant laws except in the glossary. Students need to know about:
– Privacy Act 1988 (Federal)
– Information Privacy Act (Vic.)
– Health Records Act 2001 (Vic.)
– Copyright Act, 1968 (Federal)
• Who is subject to the laws
• What is outlawed or allowed
• Consequences of breaking the laws
• Do NOT refer to:
– The Privacy Act (Private Sector) Amendment
– The Copyright Act (Digital Agenda) Amendment
• They are both now incorporated into their parent acts and do not exist independently (as far as the VCAA is concerned)
• Privacy Act 1988 - affects:
– federal government organisations (e.g. Medicare, tax office) and private companies working for them
– non-government organisations turning over $3 million a year or more (which is quite rare)
– non-government organisations of any size that trade in personal information for profit
– non-government organisations that store health or medical information on people (not including their own employees)
• The national privacy principles, which underlie all of the federal and state privacy laws...
• A basic knowledge of the main points will suffice...
• “Info” = personal information. Many principles have commonsense and emergency exclusions.
• 1. Collection – only collect info you need to do your job
• 2. Use and Disclosure – don’t use info for any purpose other than the reason it was collected.
• 3. Data Quality – ensure the info you collect is accurate, complete and up to date.
• 4. Data Security – protect info from misuse e.g. unauthorised access, modification or disclosure, or loss.
• 5. Openness – publish a clearly expressed policy on its management of info
• 6. Access and Correction – provide individuals with access to the info you hold on them
• 7. Identifiers – don’t identify people using other organisations' identifiers, such as a Tax File Number or Medicare number.
• 8. Anonymity – where possible, individuals need not identify themselves when entering into transactions.
• 9. Transborder data flow – you may not transfer info about people to someone (other than the organisation or the individual) who is in a foreign country without the consent of the individual.
• 10. Sensitive Information – an organisation must not collect sensitive information about an individual unless the individual has consented, or law requires the collection.
• Now includes the digital agenda amendment (2000)
• Basic coverage of main points of the law will suffice
• Protects intellectual property e.g. books, songs, MP3s, MPEGs, digital books, films recorded digitally, websites, software, electronic/computer games.
• The owner or licensee of intellectual property is the only one who has the right to publish, transmit, convert to a different format (e.g. DVD to DivX), or profit from it.
• Copyright owners have the right to use technologies to protect their IP - such as copy protection - and the copyright law specifically prohibits the importation of any device designed to counteract such technologies.
• If anyone changes the copyright notice on a published work (e.g. removing it) they are hit especially hard and can face criminal charges as well as being sued (because other people will not know of the original copyright restrictions and may innocently redistribute it).
©opyright
• In Oz, US and the UK, copyright is automatic once intellectual property has been recorded in some tangible form (e.g. recorded electronically, written down, filmed). You do not have to register copyright.
• You do not have to put the © symbol or your name and date on a copyrighted work, but it is recommended and conventional.
• Just because a publication or website does not have a copyright notice on it does not mean that it is not copyrighted and is available to be used freely. Basically, unless there's a statement that you can use it, assume it is copyrighted.
©opyright
• Just because you may never be caught breaking copyright does not make it legal!
• At least one Australian copyright violator has been arrested, taken to America, charged, tried, convicted and jailed in America.
• Copyright is different to registered trademarks and patents. They do have to be registered.
• Ideas cannot be copyrighted; the expression of an idea can be copyrighted. e.g. you cannot copyright the idea of a love song, but the Beatles can copyright 'She Loves You Yeah Yeah Yeah'.
• There are some exceptions to the copyright law to allow research, study, satire and review. The general rule is that for those purposes one can use 10% of a work or a chapter.
Key Knowledge
• KK4.2.02- accidental and deliberate actions and technical failures that threaten the security of data and information stored, communicated and disposed of by organisations;
Threats
• accidental actions
– Untrained employees
– Badly designed software allows dangerous actions
– Deleting the wrong similarly-named file
– Removing ‘obsolete’ data too soon
– Knocking equipment over
– etc
Threats
• deliberate actions
– Hackers
– Phishers
– Vandals
– Disgruntled employees
– Thieves
– Bored students
– Malware
– etc
Threats
• technical failures
– Hard disk crashes
– Equipment failure e.g. power supplies
– Ageing equipment
– Problems caused by ‘updates’
– Dust, heat, humidity, smoke
– Wear & tear
Key Knowledge
• KK4.2.03 - procedures and equipment for preventing unauthorised access to data and information and for minimising the loss of data accessed by authorised users;
• “Need to know” data access
• Locking doors
• Keeping the public, ex-employees away from workstations
• Keeping monitors averted from the gaze of bystanders
• Using logins and passwords
• Using encryption
• Using network auditing to log actions
• Following a tested, documented backup regime
• Training staff about social engineering, attachments, good filenaming etc
Equipment
• Router / firewall
• Anti-virus, anti-trojan software
• Encryption software
• Locks on doors, restricted keys
• Surveillance cameras
• Swipecards
• Bars on windows
• Biometric ID
• Redundant equipment e.g. backup PSU, NIC, hot-swap RAID drives
• Fire fighting equipment, alarms
Key Knowledge
• KK4.2.04 - possible consequences for organisations of the violation of, or failure to follow, security measures;
• Legal
– Penalties under the Privacy Act
– Stiff civil and criminal sanctions under the Copyright Act
• Social
– Public embarrassment
– Loss of reputation and public trust
– Loss of customers
• Financial
– Fines
– Loss of trade
• Loss
– Loss of valuable confidential information (e.g. trade secrets, intellectual property)
– Loss of income due to unavailability of information or services
– Trouble with the tax department if tax records are lost
Key Knowledge
• KK4.2.05 - disaster recovery strategies, including testing;
“including testing” ?
• Testing of the strategy, we must assume.
Disaster recovery
One word...
What to cover
• Good backup scheme
– Regular
– Documented, understood
– Tested
– Automatically scheduled
– Stored offsite
Magic words
• Full
• Partial
• Incremental
• Differential
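The "magic words" are easier to explain with a worked example, so here is an added Python simulation (not code from the slides) of full, incremental and differential backups over four days of changes to a constructed set of office files. It shows how much each scheme copies per day and which backup sets must be read back to restore the latest state. "Partial" is not modelled, since the slide does not define it, and deleted files are not tracked (a real product records deletions as well).

```python
from typing import Dict, List, Tuple

# A snapshot is the state of the file system on one day: filename -> version number.
Snapshot = Dict[str, int]
Backup = Tuple[str, Snapshot]   # (kind, files actually written to the medium)


def changed_since(current: Snapshot, baseline: Snapshot) -> Snapshot:
    """Files that are new or modified relative to the baseline snapshot."""
    return {f: v for f, v in current.items() if baseline.get(f) != v}


def plan_backups(days: List[Snapshot], strategy: str) -> List[Backup]:
    """Day 0 is always a full backup; later days follow the chosen strategy."""
    backups: List[Backup] = [("full", dict(days[0]))]
    last_full = days[0]   # differential: everything changed since this
    last_any = days[0]    # incremental: everything changed since this
    for snap in days[1:]:
        if strategy == "full":
            backups.append(("full", dict(snap)))
            last_full = snap
        elif strategy == "incremental":
            backups.append(("incremental", changed_since(snap, last_any)))
        elif strategy == "differential":
            backups.append(("differential", changed_since(snap, last_full)))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        last_any = snap
    return backups


def restore_chain(backups: List[Backup], strategy: str) -> List[int]:
    """Indices of the backup sets needed (in order) to rebuild the latest state."""
    last = len(backups) - 1
    if strategy == "full":
        return [last]                       # one set, but the biggest one
    last_full = max(i for i, (kind, _) in enumerate(backups) if kind == "full")
    if strategy == "differential":
        return [last_full] if last == last_full else [last_full, last]
    return list(range(last_full, last + 1))  # incremental: full plus every increment


def restore(backups: List[Backup], chain: List[int]) -> Snapshot:
    """Replay the chosen backup sets; later sets overwrite earlier versions."""
    state: Snapshot = {}
    for i in chain:
        state.update(backups[i][1])
    return state


# Constructed example: four days of edits to a small office file set
DAYS: List[Snapshot] = [
    {"ledger.xls": 1, "policy.doc": 1, "staff.db": 1},
    {"ledger.xls": 2, "policy.doc": 1, "staff.db": 1},
    {"ledger.xls": 3, "policy.doc": 1, "staff.db": 1, "memo.txt": 1},
    {"ledger.xls": 3, "policy.doc": 2, "staff.db": 1, "memo.txt": 1},
]


def summarise(strategy: str) -> Tuple[List[int], List[int], bool]:
    """(files written per day, restore chain, did the restore rebuild day 3?)"""
    backups = plan_backups(DAYS, strategy)
    chain = restore_chain(backups, strategy)
    ok = restore(backups, chain) == DAYS[-1]
    return [len(files) for _, files in backups], chain, ok


if __name__ == "__main__":
    for s in ("full", "incremental", "differential"):
        sizes, chain, ok = summarise(s)
        print(f"{s:12} writes {sizes} files/day, restore reads sets {chain}, ok={ok}")
```

The trade-off the slide is pointing at falls straight out of the numbers: incremental writes the least each day but a restore has to read every set since the last full, so losing one tape in the chain breaks the restore; differential writes a little more each day but only ever needs two sets.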
Media
• DAT tape
• USB hard disk
• USB key
• CD, DVD
• Online
Recommended scheme
• Grandfather-father-son with
• Daily, weekly, monthly, annual tapes
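To make the grandfather-father-son scheme concrete, here is an added Python example (not from the slides) that decides which tape a given day's backup goes on and when that tape will next be overwritten. The exact rotation is an assumption, one common GFS layout rather than necessarily the author's: Mon-Thu daily tapes reused weekly, a Friday weekly tape reused monthly, the last Friday of the month promoted to a monthly tape reused yearly, and the last Friday of the year kept permanently. Dates use 2003, the year of the slides.

```python
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

DAILY_LABELS = ["Mon", "Tue", "Wed", "Thu"]
MONTH_LABELS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def _last_friday_of_month(d: date) -> bool:
    return d.weekday() == 4 and (d + timedelta(days=7)).month != d.month


def tape_for(day: str) -> Optional[Tuple[str, str]]:
    """(tier, tape label) for the backup run on an ISO date, or None at weekends.

    Assumed rotation:
      Mon-Thu               -> daily 'son' tape, reused every week
      Friday                -> weekly 'father' tape, reused every month
      last Friday of month  -> monthly 'grandfather' tape, reused every year
      last Friday of year   -> annual tape, never reused
    """
    d = date.fromisoformat(day)
    wd = d.weekday()
    if wd >= 5:
        return None
    if wd < 4:
        return ("daily", DAILY_LABELS[wd])
    if _last_friday_of_month(d):
        if d.month == 12:
            return ("annual", str(d.year))
        return ("monthly", MONTH_LABELS[d.month - 1])
    return ("weekly", f"Week{(d.day - 1) // 7 + 1}")


def next_overwrite(day: str) -> Optional[str]:
    """ISO date on which the tape used on `day` is next due to be overwritten,
    i.e. how long that backup stays restorable. Annual tapes are kept forever."""
    t = tape_for(day)
    if t is None or t[0] == "annual":
        return None
    d = date.fromisoformat(day) + timedelta(days=1)
    while tape_for(d.isoformat()) != t:
        d += timedelta(days=1)
    return d.isoformat()


def tapes_needed(year: int) -> Dict[str, int]:
    """How many physical tapes each tier needs to run the scheme for one year."""
    used: Dict[str, Set[str]] = {}
    d = date(year, 1, 1)
    while d.year == year:
        t = tape_for(d.isoformat())
        if t is not None:
            used.setdefault(t[0], set()).add(t[1])
        d += timedelta(days=1)
    return {tier: len(labels) for tier, labels in used.items()}


if __name__ == "__main__":
    for day in ["2003-01-06", "2003-01-24", "2003-01-31", "2003-12-26"]:
        print(day, tape_for(day), "next overwritten on", next_overwrite(day))
    print("tapes for 2003:", tapes_needed(2003))
```

Under this rotation the whole year runs on twenty tapes (four daily, four weekly, eleven monthly, one annual), and `next_overwrite` makes the retention visible: a Monday's backup survives a week, a month-end backup survives a year, which is the answer to "how much data can be recovered after a disaster" for a given date.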
Key Knowledge
• KK4.2.06 - criteria for evaluating the effectiveness of data security management strategies.
Effectiveness
• Effectiveness = quality, accuracy, how well it works
• Not to be confused with efficiency
– Don’t talk about cost, number of staff required, time it takes to operate etc.
Criteria
– Reliability (error rate)
– Convenience for authorised data users
– Accuracy
– Response time
– Ease of use
– Strength
– Flexibility, adaptability, extendability, adjustability
– How much data can be recovered after a disaster
• Textbook, >1 preferably!
• ITA mailing list - www.edulists.com.au
• VITTA - www.vitta.org.au
• IT Lecture Notes – vceit.com – this slideshow will be there
• VCAA – www.vcaa.vic.edu.au
• QATs – www.qats.com.au