data security levels and themes
Level 4 outcomes and performance criteria
Describe how personal data can be stored, used and shared by social media.
(a) Describe what data is.
(b) Describe how and where data is stored.
(c) State the main ways personal data is used online.
(d) Describe how companies share personal data.
Identify the risks associated with storing and sharing personal data.
(a) Identify the main sources of risks to online data.
(b) Identify the general principles of keeping personal data secure online.
(c) Identify what types of personal data should and should not be shared online.
(d) Identify real life examples of the negative impact of data sharing.
Apply basic practical methods of protecting personal data.
(a) Select strong passwords to keep data secure.
(b) Check the security of websites before entering personal data.
(c) Protect personal data in social media services.
Level 5 outcomes and performance criteria
Describe the legal and ethical obligations around storing and sharing personal and business data.
(a) Describe the laws that apply to the storing and sharing of data.
(b) Describe the ethical considerations of organisations when storing and sharing data.
(c) Describe real life examples of best practice in the application of ethics within organisations.
Explain the causes and effects of data security breaches.
(a) Define a data security breach.
(b) Identify contemporary real life examples of data security breaches.
(c) Explain common causes of data security breaches.
(d) Explain the potential effects of a data security breach on individuals.
(e) Explain the potential effects of a data security breach on organisations.
Protect data against security breaches.
(a) Identify software that can be used to enhance data security.
(b) Identify hardware that can be used to enhance data security.
(c) Identify workplace rules that can be used to enhance data security.
(d) Apply selected methods of enhancing data security to a specific situation.
(e) Create a data security solution for a recent data security breach.
Level 6 (ds6) outcomes and performance criteria
Analyse the approach to data security made by organisations.
(a) Explain the cyber security challenges faced by small, medium and large companies.
(b) Explain the cyber security challenges faced by different sectors.
(c) Identify sources of best practice in cyber security.
(d) Identify different types of security personnel and their roles in small, medium and large companies.
(e) Compare physical, perimeter and internal network security.
(f) Explain the importance of cyber resilience.
(g) Investigate approaches to good business cyber security.
Investigate technologies and strategies used by businesses to protect customer data.
(a) Identify the major suppliers in the cyber security goods and services sectors.
(b) Define current types of technology used for cyber security defence.
(c) Explain how current defence technology works and the associated risks.
(d) Explain the importance of patching and why software needs to be patched regularly.
(e) Explain tabletop exercises and their purpose.
(f) Explain real life strategies used by businesses to protect customer data.
Create a security strategy for a small business.
(a) Define the cyber security risks faced by small businesses.
(b) Explain potential solutions to cyber security risks faced by small businesses.
(c) Create a security strategy for a small business.
Level 6 (ds6) evidence tasks
EoU test: LO 1, 2, 3ab; SOLAR multiple choice
Coursework: LO 3; security strategy for small business report/presentation; checklist
You need to create a security strategy for a small business.
The scenario is that you have been appointed as the person responsible for creating a proportionate security strategy for a small business and presenting it to the owner or CEO.
Proportionate in this case means that, like all small businesses, you do not have millions of pounds to spend on the latest tech. You will need to show which areas within the company most need protection, for example a customer database.
You will need to show that you also have appropriate policies in place to make the company resilient to cyber attack. This will include backups, password policies, patching regimes and other good practice found in national information sources.
You will need to present your strategy to an audience in a manner that a small business owner, who may not be a technical expert, would understand.
Caroline owns a hairdressing business.
She has a computer in the back office that she uses for her accounts, VAT returns, tax and dealing with suppliers. She transfers her documents via a USB device to a laptop when she wants to work from home.
There is also a computer in the reception area that holds all the customer records and appointments. They are both Windows 95 computers. She has a full-time receptionist and six hairdressers who get paid according to the number of appointments they have completed. The hairdressers do not have access to either computer, but they all share a login on the receptionist’s computer to log phoned-in appointments when the receptionist is out.
Caroline also has an open Wi-Fi link for her customers to access from their own devices as 3G/4G connection is poor in her building.
Area 1 — Recognise what data is at risk and what the risk is
Be aware that data essential to a business surviving differs between businesses.
Identify what that data is and where it is held.
Be able to articulate why it is important to the business.
Show awareness of why cyber criminals may be interested in this data as that will help to gauge how at risk the data is.
Area 2 — Boundary firewalls and internet gateways
The default administrative password for any firewall should be changed to an alternative, strong password.
Each rule on the firewall should be subject to approval by an authorised individual and documented.
Unapproved services that are typically vulnerable to attack (eg SMB, NetBIOS, rsh) should be blocked at the firewall by default.
The administrative interface used to manage the firewall configuration should not be accessible from the internet.
Area 3 — Securing the configuration
Unnecessary user accounts should be removed or disabled.
All default passwords for user accounts should be changed to an alternative, strong password.
Unnecessary software should be removed or disabled.
Auto run feature should be disabled on computers (to stop software programs running automatically).
Each computer should have a personal firewall activated and configured to block unapproved connections by default.
Area 4 — Managing user accounts
Managing access privileges including special access privileges, eg administrative accounts.
User accounts policy including security.
Area 5 — Malware protection
Malware protection software should be installed on all computers that are connected to or capable of connecting to the internet.
Malware protection software should be kept up to date.
Malware protection software should be configured to scan files automatically upon access and scan web pages when being accessed.
Malware protection software should be configured to perform regular scans of all files (eg daily).
Malware protection software should prevent connections to malicious websites on the internet (eg by using website blacklisting).
Area 6 — Patch management
Software running on computers should be licensed and supported by the software vendor to ensure security patches are made available.
Updates to software (including operating system) should be installed in a timely manner.
Out of date software should be removed from the computer.
All security patches should be installed in a timely manner (eg within 14 days of release).