
Unit 7 - Security Considerations in Data Processing

The document discusses the importance of data security in the context of increasing threats to data integrity, confidentiality, and availability, known as the CIA triad. It outlines various security threats such as phishing, ransomware, and state-sponsored attacks, as well as the necessary security measures organizations should implement, including access control, data encryption, and regular risk assessments. Effective data management and security are essential to protect sensitive information and maintain organizational reputation amidst evolving cyber threats.

Uploaded by

f88swvdfj8

THE COPPERBELT UNIVERSITY

SCHOOL OF INFORMATION AND COMMUNICATION TECHNOLOGY


DEPARTMENT OF COMPUTER SCIENCE
Data Processing

UNIT 7: Security Considerations in Data Processing


Introduction
The intensive use of information for many different tasks makes data security, trustworthiness
and privacy increasingly critical in day-to-day living. Data security is the protection of data
from unauthorised access, use, change, disclosure and destruction, using methods that ensure
network security, physical security and file security, based on a collection of standards and
technologies that protect data from intentional or accidental destruction, modification or
disclosure. Data security can be applied through various techniques and technologies, including
administrative controls, organizational standards and other safeguarding techniques that limit
or preclude access by unauthorized or malicious users or processes.

The fundamental questions that emerge from this extensive use of data are why it is important
to secure this data and how this objective is to be achieved. Organizations create, collect,
store, receive or transmit data within an organization, between organizations/associations and
individuals, or from one organization to another. Whatever device, technology or process is
employed to manage, store, collect or distribute data, the data must be protected, as data
breaches may result in litigation and huge penalties alongside damage to an organization’s
reputation. Protecting data from security threats is therefore more important today than ever
before. Threats to databases are numerous and can be either accidental or intentional. In either
case the security of the database and the entire system, including the network, the operating
system, the physical area where the database resides and personnel access, has to be considered
and protected accordingly.

Data security and Data Management


Data security is necessary in the following situations:

• Theft and fraud
• Loss of availability of data
• Loss of confidentiality
• Loss of data privacy
• Loss of data integrity

It is noteworthy that these situations often cause cumulative losses due to interdependencies,
and hence a loss due to one situation can affect multiple areas in the same organisation.

Data management
Data management is the responsible stewardship of data throughout its lifecycle. The main aim of
data management is to help people and organizations use data within the boundaries of policies
and regulations for the maximum benefit of these organizations and businesses; managed in this
way, data is very valuable as an intangible asset. Data management is achieved through the
practice of collecting, storing and using data in a secure, efficient and cost-efficient manner,
and organizations therefore seek efficient ways and means of managing data. Data is managed
through various platforms, including databases, data analysis tools and services such as
Microsoft SQL Server, Google Cloud, Amazon Web Services, etc.

There are five components to data management:

• Acquisition
• Utilization
• Maintenance
• Access
• Protection

Effective data management requires appropriate acquisition, utilization, maintenance, access, and
protection of data. Data management depends on information confidentiality and criticality.

Security Requirements (CIA)


The core elements of data security are confidentiality, integrity and availability. Also known as the CIA
triad, this is a security model and guide for organizations to keep their sensitive data protected from
unauthorized access.

The three governing principles are as follows:

i. Confidentiality - Confidentiality or privacy refers to measures taken to ensure that data,
particularly sensitive data, is protected from unauthorised access. In an age of ultra-modern
technology, privacy is required to be a basic design consideration. The level of
confidentiality required can vary based on the data type and/or regulation.
ii. Integrity - Integrity pertains to safeguarding the accuracy of data as it travels through
workflows. There should be measures taken to protect data from unauthorized deletion or
modification and to quickly reverse the damage in the event of a breach.
iii. Availability – Availability means providing seamless and continuous access to users through
robust servers and network infrastructure with high availability mechanisms built into system
design.
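The integrity principle above asks for two things: detecting unauthorised modification or deletion, and quickly reversing the damage. The following sketch is an added example, not part of the original unit; the record layout, the function names and the student-fees sample data are all assumptions made for illustration.

```python
import hashlib
import json


def fingerprint(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def build_manifest(table: dict) -> dict:
    """Map each record id to its fingerprint; keep this apart from the data."""
    return {rid: fingerprint(rec) for rid, rec in table.items()}


def audit(table: dict, manifest: dict) -> dict:
    """Compare live data with the manifest and classify each difference."""
    return {
        "modified": sorted(r for r in manifest
                           if r in table and fingerprint(table[r]) != manifest[r]),
        "deleted": sorted(r for r in manifest if r not in table),
    }


def restore(table: dict, backup: dict, findings: dict) -> dict:
    """Return a repaired copy: damaged or missing records come from backup."""
    repaired = {rid: dict(rec) for rid, rec in table.items()}
    for rid in findings["modified"] + findings["deleted"]:
        repaired[rid] = dict(backup[rid])
    return repaired


def demo():
    # Constructed sample data (hypothetical student-fees table).
    baseline = {
        "S001": {"name": "A. Banda", "balance": 1500},
        "S002": {"name": "C. Mwale", "balance": 0},
        "S003": {"name": "T. Phiri", "balance": 320},
    }
    manifest = build_manifest(baseline)
    backup = {rid: dict(rec) for rid, rec in baseline.items()}
    live = {rid: dict(rec) for rid, rec in baseline.items()}
    live["S001"]["balance"] = 0   # simulated unauthorised modification
    del live["S003"]              # simulated unauthorised deletion
    findings = audit(live, manifest)
    repaired = restore(live, backup, findings)
    return findings, audit(repaired, manifest), repaired == baseline


if __name__ == "__main__":
    print(demo())
```

The manifest only helps if it is stored where someone who can change the data cannot also change the fingerprints.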

Security Threats and Attacks


Today there is a host of new and evolving cyber security threats that has the information
security industry on high alert. Cyber-attacks involving malware, phishing and cryptocurrency
are increasingly sophisticated. Therefore, the data and assets of corporations, governments and
individuals are at constant risk. The information technology industry suffers from a severe
shortage of cyber security professionals and, with ever-evolving new technology being
introduced periodically, there has been an exponential rise in cybercrime.

The following cyber security threats are constantly growing and creating issues related to data privacy:

i. Phishing attacks - These are carefully targeted digital messages transmitted to fool people
into clicking on a link that can then install malware or expose sensitive data. Nowadays
everyone is aware of the risks of email phishing or of clicking on suspicious-looking links,
which has led hackers to step up their tactics by distributing fake messages in the hope that
the recipients will unwittingly compromise their network system. Such attacks enable hackers
to steal user logins, credit card credentials and other types of personal financial
information, as well as gain access to private databases.
ii. Ransomware attacks - Hackers deploy technologies that enable them to literally kidnap an
individual’s or organization’s databases and hold all of the information for ransom. These
types of attacks are believed to cost victims billions of dollars every year.
iii. Cyber-physical attacks - The technology that has made it possible to modernize and
computerize critical infrastructure also brings risk. There is an ongoing threat of hacks
targeting electrical grids, transportation systems, etc., which represent a major
vulnerability.
iv. State-sponsored attacks - Hackers look to make a profit by stealing individual and corporate
data. Now even nation states use cyber skills to infiltrate other governments and perform
attacks on critical infrastructure. Cyber-crime today is a major threat not only to the
private sector and individuals but also to governments and nations as a whole. Many such
attacks target government-run systems and infrastructure, but private sector organizations
are also at risk.

Security Measures and Solutions


Today’s security threats are inventive and follow each new information technology that is
launched. These security threats constantly evolve and are harmful to an organization as they
steal, harm or corrupt information stored in an organization’s system. An organization should
arm itself with resources to safeguard itself from these ever-growing security threats.
Although the CIA triad is a security model and guide for organizations to protect their
sensitive data, there are a few other data security considerations that one should be aware of,
and these include:

i. Access Control security - Restricting access to users who have been granted access to
information makes it possible to monitor who has access to particular data. Therefore, in
cases of data theft, sifting through the timelines of access granted to users can make it
easier to track down the culprit.
ii. Data encryption - Data kept unencrypted can be misused by cybercriminals. Therefore, data
has to be encrypted using unique encryption codes, so as to avoid leakage of vital information
stored in databases. When data has been encrypted, only the user who has access to the data
has the decryption code, thus preventing data theft.
iii. Email security - It is a procedure to protect an email account and the contents of an email
account from unauthorised access. Measures like strong email passwords and end-to-end
encryption of emails or messages that are sent from one person to another help prevent misuse
of data, as emails are a popular forum for hackers to spread malware, spam and phishing
attacks. For example, end-to-end encryption is used by WhatsApp.
iv. Risk assessment analysis - Organizations have to take a proactive approach while dealing
with information security concerns. The aim of conducting a risk assessment is to identify the
risks pertaining to information stored in an organization’s system. By conducting risk
assessment analysis, an organization can understand and assess internal and external risks to
its security, confidentiality and personal information stored in various storage media like
laptops and portable devices.
v. Monitor effectiveness - It is critical for an organization to verify the security programs
it has established and to establish whether those programs manage the cyber security measures
implemented for safeguarding the organization’s information or data. When this is done through
regular tests and monitoring of information security programs, annually or quarterly, it helps
to assess the number of attacks made on an organization’s data.
vi. Third party issues - Websites play a major role in showcasing an organization’s success.
Therefore, organizations implement third-party tools to make their websites more interactive
and user-friendly and to offer smooth connectivity for user interaction. These third-party
tools help in generating revenue for an organization’s website. An organization therefore has
to ensure that all reasonable steps have been taken prior to giving access to third-party
service providers and that such third-party service providers apply the most stringent
security measures.
vii. Strong firewall - The firewall of a system is part of that system’s cyber security
measures. A firewall protects a system from the internet traffic and services it is exposed
to. These services are accessed by everyone who uses the internet. Firewalls therefore make it
possible to control who gains access to an organization’s system, including insider attacks
which may originate from within a network used by an organization. Antiviruses are for files,
and firewalls are needed to protect against unauthorised access to or usage of a network. A
firewall simply helps to control Internet traffic that is generated by using a network for
work.
viii. Antivirus protection - Antivirus protection can be obtained in the form of antivirus
software. This software is a program designed to avoid, detect and deal with cyber security
threats that an organization may face. An antivirus runs background scans on a system to
detect and restrict unauthorised access in the form of malware and to protect the system from
vulnerabilities it may face. These solutions are extremely important for data security and
must be installed on computer systems. Antivirus protection is available not only for laptops
and computers but also for mobile devices, and helps to fight unwanted threats to files and
data.
ix. Regular back-ups - To avoid loss of data, data should be regularly stored and kept somewhere
safe where it cannot be accessed or violated by anyone. Further, securing such data helps in
preventing accidental modification of data, theft of data and breach of confidentiality
agreements, and in avoiding the release of data prior to its verification and authentication.
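
Item i above says that the timelines of access granted to users help narrow down who could have been responsible for a data theft. The following sketch is an added example, not part of the original unit; the grant-log layout, the user and resource names, and the function names are assumptions made for illustration.

```python
from datetime import datetime

# Constructed grant log: (user, resource, granted_at, revoked_at or None).
GRANTS = [
    ("mary", "payroll_db", "2024-01-10T08:00", "2024-03-01T17:00"),
    ("john", "payroll_db", "2024-02-15T09:00", None),
    ("peter", "payroll_db", "2024-03-05T09:00", None),
    ("john", "student_db", "2024-01-01T09:00", None),
]


def parse_ts(value):
    """Parse an ISO timestamp; None means the grant was never revoked."""
    return datetime.fromisoformat(value) if value else None


def holders_at(grants, resource, when):
    """Users whose grant on `resource` was active at the instant `when`."""
    moment = parse_ts(when)
    active = set()
    for user, res, granted, revoked in grants:
        start, end = parse_ts(granted), parse_ts(revoked)
        if res == resource and start <= moment and (end is None or moment < end):
            active.add(user)
    return sorted(active)


def holders_during(grants, resource, window_start, window_end):
    """Users whose grant overlapped any part of the incident window."""
    lo, hi = parse_ts(window_start), parse_ts(window_end)
    active = set()
    for user, res, granted, revoked in grants:
        start, end = parse_ts(granted), parse_ts(revoked)
        if res == resource and start <= hi and (end is None or end > lo):
            active.add(user)
    return sorted(active)


if __name__ == "__main__":
    # Who could reach payroll_db when a (hypothetical) leak was timestamped?
    print(holders_at(GRANTS, "payroll_db", "2024-03-02T12:00"))
    print(holders_during(GRANTS, "payroll_db", "2024-02-28T00:00", "2024-03-06T00:00"))
```

A grant log shows who was able to access the data, not who did; it shortens the list that access logs and other evidence then have to confirm.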
