Anti-Virus Software

 

Anti-Virus software is not only required to prevent infection from the internet (either e-mail or web-sourced). Viruses may also be introduced from diskettes or CDs. No anti-virus package will prevent all infections, as such packages are only updated in response to infections. It is essential that users update such software on a regular basis, but also remain vigilant for potential threats. A policy of not opening e-mail attachments from unexpected sources can be a useful way of preventing infection.

 

Firewalls

 

A firewall is useful where there is any external connectivity, either to other networks or to the internet. It is important that firewalls are properly configured, as they are a key weapon in combating unauthorised access attempts. As firewalls are available for free download from the internet, they should routinely be installed by all data controllers and processors. This will become more important as persons progress to "always-on" internet connections, exposing themselves to a greater possibility of attack.

 

Automatic screen savers

 

Most systems allow for screensavers to activate after a period of inactivity on the computer. This automatic activation is useful, as the alternative, manual locking of a workstation, requires positive action by the user every time he/she leaves the computer unattended. Regardless of which method an organisation employs, computers should be locked when unattended. This applies not only to computers in public areas, but to all computers. It is pointless having an access control system in place if unattended computers may be accessed by any staff member.

 

Logs and Audit trails

 

It is of course pointless having an access control system and security policy if the system cannot identify any potential abuses. Consequently, a system should be able to identify the user name that accessed a file, as well as the time of the access. A log of alterations made, along with author/editor, should also be created. Not only can this help in the effective administration of the security system, its existence should also act as a deterrent to those staff tempted to abuse the system.

 

The Human Factor

 

No matter what technical or physical controls are placed on a system, the most important security measure is to ensure that staff are aware of their responsibilities. Passwords should not be written down and left in convenient places; passwords should not be shared amongst colleagues; unexpected e-mail attachments should not be opened unless first screened by anti-virus software.

 

IS17799 Certification

 

The National Standards Authority of Ireland has set a standard for information security management systems. If a body is certified to be IS17799 compliant, it would demonstrate compliance with the security requirements of the Data Protection Acts, 1988 & 2003.

 

Further information on IS 17799 may be found on the NSAI website.

 

Remote Access

 

Where a worker is allowed to access the network from a remote location (e.g. from home or from an off-site visit), such access creates a potential weakness in the system. Therefore, the need for such access should be properly assessed and security measures reassessed before remote access is granted.

 

Wireless networks

 

Access to a server by means of a wireless connection (such as infrared or radio signals) can expose the network to novel means of attack. The physical environment in which such systems are used may also be a factor in determining any weakness in the system security. As with remote access, wireless networks should be assessed on security grounds rather than solely on apparent ease of use.

 

Laptops

 

Laptops, personal organisers and other forms of portable computer are especially vulnerable, as there is not only a higher risk of theft, but also a new risk of accidental loss. It would be a sensible precaution not only to have adequate security measures, but also to limit what data are placed on such machines in the first place. If practical, collected data should be downloaded at an early date with administrators reviewing the nature and quantity of data held.

 

Where laptops are the personal property of an individual, the data controller should have a contract in place to detail the conditions under which data may be processed on personal computers. A contract might also be advisable to cover all employee use of portable computers, especially concerning use of data where a person leaves the employment of a data controller.

 

Even where data are not routinely deleted from portable computers, such data should be backed up onto the network. This will assist in keeping the data on the network accurate and up to date, as well as defending against the accidental loss or destruction of data on portable computers.

 

Back-up systems

 

A back-up system is an essential means of recovering from the loss or destruction of data. While some system should be in place, the frequency and nature of back-up will depend, amongst other factors, on the organisation concerned and the nature of data being processed. The security standards for back-up data are the same as for live data.

 


 

Physical Security

 

Physical security includes issues like perimeter security (office locked and alarmed when not in use); computer location (so that the screen may not be viewed by members of the public); disposal (so that computer printouts containing sensitive data are securely disposed of).

 
