2003

Mark Kelly, McKinnon Secondary College


Page 2

Format?

• a written report
• a test
• an annotated visual representation.

Page 3

Official government tests show that 100% of sensible teachers use the test option

– Quick to do
– Quick to mark
– Perfect exam preparation

Page 4

Beat it into your students…

• Physical security (doors, bars)
• Logical / electronic security (passwords, biometrics)
• Procedural security (e.g. training staff to reject phishing, to be suspicious of attachments, and to back up data)

Page 5

Mythbusters

• Cover adware, trojans
• Routers are NOT switches!
• Firewalls do NOT stop viruses!
• Firewalls need to monitor incoming and outgoing data to be worthwhile
– Hardware firewalls (e.g. home routers) and bad software firewalls check incoming but not outgoing data
• ITA just l-o-v-e-s the internet

Page 6

KEY KNOWLEDGE

• KK4.2.01 - an overview of the legal and ethical reasons why organisations should monitor and control the storage, communication and disposal of information;

Page 7

• Study design does not list relevant laws except in the glossary. Students need to know about:
– Privacy Act 1988 (Federal)
– Information Privacy Act (Vic.)
– Health Records Act 2001 (Vic.)
– Copyright Act 1968 (Federal)

Page 8

• Who is subject to the laws
• What is outlawed or allowed
• Consequences of breaking the laws

Page 9

• Do NOT refer to
– The Privacy Act (Private Sector) Amendment
– The Copyright Act (Digital Agenda) Amendment

• They are both now incorporated into their parent acts and do not exist independently (as far as the VCAA is concerned)

Page 10

• Privacy Act 1988 - affects
– federal government organisations (e.g. Medicare, tax office) and private companies working for them
– non-government organisations turning over $3 million a year or more (which is quite rare)
– non-government organisations of any size that trade in personal information for profit
– non-government organisations that store health or medical information on people (not including their own employees)

Page 11

• The national privacy principles, which underlie all of the federal and state privacy laws...

• A basic knowledge of the main points will suffice...

Page 12

• “Info” = personal information. Many principles have commonsense and emergency exclusions.

• 1. Collection – only collect info you need to do your job
• 2. Use and Disclosure – don’t use info for any purpose other than the reason it was collected
• 3. Data Quality – ensure the info you collect is accurate, complete and up to date
• 4. Data Security – protect info from misuse, e.g. unauthorised access, modification or disclosure, or loss
• 5. Openness – publish a clearly expressed policy on how you manage info
• 6. Access and Correction – provide individuals with access to the info you hold on them
• 7. Identifiers – don’t identify people using other organisations' identifiers, such as a Tax File Number or Medicare number
• 8. Anonymity – where possible, individuals need not identify themselves when entering into transactions
• 9. Transborder data flow – you may not transfer info about people to someone (other than the organisation or the individual) who is in a foreign country without the consent of the individual
• 10. Sensitive Information – an organisation must not collect sensitive information about an individual unless the individual has consented, or law requires the collection

Page 13

• Now includes the digital agenda amendment (2000)

• Basic coverage of main points of the law will suffice

Page 14

• Protects intellectual property, e.g. books, songs, MP3s, MPEGs, digital books, films recorded digitally, websites, software, electronic/computer games.

• The owner or licensee of intellectual property is the only one who has the right to publish, transmit, convert to a different format (e.g. DVD to DivX), or profit from it.

• Copyright owners have the right to use technologies to protect their IP - such as copy protection - and the copyright law specifically prohibits the importation of any device designed to counteract such technologies.

• If anyone changes the copyright notice on a published work (e.g. removing it) they are hit especially hard and can face criminal charges as well as being sued (because other people will not know of the original copyright restrictions and may innocently redistribute it).

Page 15

©opyright

• In Oz, US and the UK, copyright is automatic once intellectual property has been recorded in some tangible form (e.g. recorded electronically, written down, filmed). You do not have to register copyright.

• You do not have to put the © symbol or your name and date on a copyrighted work, but it is recommended and conventional.

• Just because a publication or website does not have a copyright notice on it does not mean that it is not copyrighted and is available to be used freely. Basically, unless there's a statement that you can use it, assume it is copyrighted.

Page 16

©opyright

• Just because you may never be caught breaking copyright does not make it legal!

• At least one Australian copyright violator has been arrested, taken to America, charged, tried, convicted and jailed in America.

• Copyright is different to registered trademarks and patents. They do have to be registered.

• Ideas cannot be copyrighted; the expression of an idea can be copyrighted. E.g. you cannot copyright the idea of a love song, but the Beatles can copyright 'She Loves You Yeah Yeah Yeah'.

• There are some exceptions to the copyright law to allow research, study, satire and review. The general rule is that for those purposes one can use 10% of a work or a chapter.

Page 17

Key Knowledge

• KK4.2.02 - accidental and deliberate actions and technical failures that threaten the security of data and information stored, communicated and disposed of by organisations;

Page 18

Threats

• accidental actions
– Untrained employees
– Badly designed software allows dangerous actions
– Deleting the wrong similarly-named file
– Removing ‘obsolete’ data too soon
– Knocking equipment over
– etc

Page 19

Threats

• deliberate actions
– Hackers
– Phishers
– Vandals
– Disgruntled employees
– Thieves
– Bored students
– Malware
– etc

Page 20

Threats

• technical failures
– Hard disk crashes
– Equipment failure, e.g. power supplies
– Ageing equipment
– Problems caused by ‘updates’
– Dust, heat, humidity, smoke
– Wear & tear

Page 21

Key Knowledge

• KK4.2.03 - procedures and equipment for preventing unauthorised access to data and information and for minimising the loss of data accessed by authorised users;

Page 22

• “Need to know” data access
• Locking doors
• Keeping the public, ex-employees away from workstations
• Keeping monitors averted from the gaze of bystanders
• Using logins and passwords
• Using encryption
• Using network auditing to log actions
• Following a tested, documented backup regime
• Training staff about social engineering, attachments, good filenaming etc

Page 23

Equipment

• Router / firewall
• Anti-virus, anti-trojan software
• Encryption software
• Locks on doors, restricted keys
• Surveillance cameras
• Swipecards
• Bars on windows
• Biometric ID
• Redundant equipment, e.g. backup PSU, NIC, hot-swap RAID drives
• Fire fighting equipment, alarms

Page 24

Key Knowledge

• KK4.2.04 - possible consequences for organisations of the violation of, or failure to follow, security measures;

Page 25

• Legal
– Penalties under the Privacy Act
– Stiff civil and criminal sanctions under the Copyright Act

• Social
– Public embarrassment
– Loss of reputation and public trust
– Loss of customers

• Financial
– Fines
– Loss of trade

Page 26

• Loss
– Loss of valuable confidential information (e.g. trade secrets, intellectual property)
– Loss of income due to unavailability of information or services
– Trouble with the tax department if tax records are lost

Page 27

Key Knowledge

• KK4.2.05 - disaster recovery strategies, including testing;

Page 28

“including testing” ?

• Testing of the strategy, we must assume.

Page 29

Disaster recovery

One word...

Page 30

What to cover

• Good backup scheme
– Regular
– Documented, understood
– Tested
– Automatically scheduled
– Stored offsite

Page 31

Magic words

• Full
• Partial
• Incremental
• Differential

Page 32

Media

• DAT tape
• USB hard disk
• USB key
• CD, DVD
• Online

Page 33

Recommended scheme

• Grandfather-father-son with daily, weekly, monthly, annual tapes
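Slides 31 and 33 name the backup types and the grandfather-father-son rotation but do not show how they fit together. The following is an added Python example, not part of the slideshow: it implements one constructed GFS tape rotation and works out the restore chain, which is where the choice between incremental and differential daily backups actually bites. The rotation policy and the 2003 dates are assumptions made for the example.

```python
from datetime import date, timedelta
# Constructed rotation policy (assumed here, not from the slides): Mon-Thu daily
# tape (son; incremental or differential), Friday weekly tape (father; full),
# first working day of month/year monthly/annual tape (grandfather; full).

def first_working_day(year: int, month: int) -> date:
    """First Monday-to-Friday date in the given month."""
    d = date(year, month, 1)
    while d.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d

def tape_set(day: date) -> str:
    """GFS tape set a day's backup goes to: annual, monthly, weekly, daily or none."""
    if day.weekday() >= 5:           # no backup run at weekends in this policy
        return "none"
    if day == first_working_day(day.year, 1):
        return "annual"
    if day == first_working_day(day.year, day.month):
        return "monthly"
    if day.weekday() == 4:           # Friday
        return "weekly"
    return "daily"

def backup_kind(day: date, daily_mode: str) -> str:
    """'full' on weekly/monthly/annual tapes; daily tapes use daily_mode."""
    if daily_mode not in ("incremental", "differential"):
        raise ValueError("daily_mode must be 'incremental' or 'differential'")
    ts = tape_set(day)
    if ts == "none":
        return "none"
    return daily_mode if ts == "daily" else "full"

def restore_chain(target: date, daily_mode: str) -> list:
    """Backups, oldest first, needed to recover data as at the end of `target`.
    Incremental dailies hold changes since the previous backup, so every daily
    since the last full is needed; differential ones hold all changes since it."""
    chain = []
    d = target
    while True:
        kind = backup_kind(d, daily_mode)
        if kind == "full":
            chain.append((d, kind))
            break
        # incremental: keep every daily; differential: keep only the newest
        if kind == "incremental" or (kind == "differential" and not chain):
            chain.append((d, kind))
        d -= timedelta(days=1)
    chain.reverse()
    return chain
```

For Wednesday 12 March 2003 the incremental chain needs the Friday full plus three daily tapes, while the differential chain needs the full plus only the Wednesday tape. A shorter chain means fewer tapes that can fail or be missing when the disaster recovery plan is tested.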

Page 34

Key Knowledge

• KK4.2.06 - criteria for evaluating the effectiveness of data security management strategies.

Page 35

Effectiveness

• Effectiveness = quality, accuracy, how well it works

• Not to be confused with efficiency
– Don’t talk about cost, number of staff required, time it takes to operate etc.

Page 36

Criteria

– Reliability (error rate)
– Convenience for authorised data users
– Accuracy
– Response time
– Ease of use
– Strength
– Flexibility, adaptability, extendability, adjustability
– How much data can be recovered after a disaster

Page 37

• Textbook, >1 preferably!
• ITA mailing list - www.edulists.com.au
• VITTA - www.vitta.org.au
• IT Lecture Notes – vceit.com – this slideshow will be there
• VCAA – www.vcaa.vic.edu.au
• QATs – www.qats.com.au