OCR Level 2 CAMBRIDGE TECHNICAL

Transcription

1 Cambridge TECHNICALS OCR Level 2 CAMBRIDGE TECHNICAL CERTIFICATE/DIPLOMA IN IT IT security J/601/4057 LEVEL 2 UNIT 18 GUIDED LEARNING HOURS: 60 UNIT CREDIT VALUE: 10

2 IT SECURITY J/601/4057 LEVEL 2 Aim and purpose of the unit This unit will enable learners to recognise the threats to systems security and to know how to protect their systems from damage. It will also provide them with an understanding of the legal responsibilities that IT practitioners have when working with information systems. On completing this unit learners will be able to identify a range of threats to the security of IT systems and be able to identify which threats are most relevant to systems with which they work. Learners will also be able to identify a range of security methods available for IT systems and select the most appropriate methods for their own systems. They will identify any legal constraints on how they use information systems and the data which is held on them. The user will be able to develop a simple security plan and implement and test it to ensure that the systems are protected against relevant threats and design and use the correct documentation. 2

3 IT security Level 2 Unit 18 ASSESSMENT AND GRADING CRITERIA Learning Outcome (LO) Pass Merit Distinction The learner will: The assessment criteria are the pass requirements for this unit. The learner can: To achieve a merit the evidence must show that, in addition to the pass criteria, the learner is able to: To achieve a distinction the evidence must show that, in addition to the pass and merit criteria, the learner is able to: 1 Know the potential threats to the security of IT systems 2 Understand how to protect IT systems 3 Be able to apply security measures P1 identify the potential threats to the security of IT systems P2 outline the legislation that requires an organisation to protect its IT systems and data P3 discuss security methods for protecting IT systems and data P4 create a security plan for a small office or home network P5 implement a security plan P6 test a security plan M1 explain relevant security methods used for an identified system M2 create documentation to record outcomes of the implementation of the security plan M3 review test results against the predicted results of the security plan D1 justify why security methods for an identified system are effective D2 make improvements to the security plan, revising associated documentation 3

4 Teaching content The unit content describes what has to be taught to ensure that learners are able to access the highest grade. Anything which follows an i.e, details what must be taught as part of that area of content. Anything which follows an e.g, is illustrative. It should be noted that where e.g. is used, learners must know, and be able to apply, relevant examples to their work though these do not need to be the same ones specified in the unit content. LO1 Know the potential threats to the security of IT systems security threats software (e.g. poor design or poor coding, programmers leaving trapdoors allowing access without going through all the security checks, missing security patches) hacking (e.g. internal by employees, external by criminals, foreign agencies, terrorists) Phishing (e.g. or telephone or face-to-face contact seeking information such as usernames and passwords, pin numbers) Viruses (e.g. boot sector, browser hijacker, Direct Action (Vienna), file infector, macro, polymorphic) Worms (e.g. , internet, instant messaging, file sharing) spyware (e.g. adware,.url loggers, screen recorders, chat loggers, loggers) theft of software and/or hardware accidental damage (e.g. power surges, spillage of liquids on machinery, accidental erasure of data, breakage of hardware) intentional damage (e.g. destruction of data using either physical or software means, arson, water damage) environmental hazards (e.g. flood, earthquake, hurricane, fire) unauthorised access. LO2 Understand how to protect IT systems EU Directives EU Data Protection Directive (Directive 95/46/EC) UK Law (current legislative requirements) Computer Misuse Act Data Protection Act Copyright, Design and Patents Act Health and Safety (Display Screen Equipment) Regulations. security methods hardware policies and procedures for physical access controls (e.g. fingerprint, iris recognition, keypads, locks, machine specific access) password protection on hard discs, CDs, DVDs, flash drives security locks on machines to prevent theft policies and procedures on eating or drinking near equipment fire fighting equipment to be used near computing equipment. software and data policies and procedures (e.g. password and authentication control, software access controls, backup and retention) access levels and controls (e.g. setting of passwords, password strength, password life, usernames) encryption network policies and procedures on network security (e.g. firewalls, patch registers, anti-virus software), right to amend or update the network or its components including hardware and software policies and procedures on access rights to particular software or data on the system policies and procedures on the attachment of hardware to the network (e.g. disabling CD drives or flash drives) policies and procedures on external access to the network via mobile technology (e.g. smartphones, tablets). LO3 Be able to apply security measures security policy computer configuration conduct of employees risk management importance of information no restrictions and no threats (e.g. public information) confidential (e.g. HR records of individual staff, 4

5 IT security Level 2 Unit 18 customer details, discount policies) critical to the success of the business or its reputation, product formulae, designs for new products user management training accountability (e.g. responsibilities and limitations to authority) access to expert IT support system management access control (e.g. finger print, iris recognition, keypads) backups (e.g. locations, times, recovery) data encryption data integrity (e.g. user authorisation, authentication) software integrity (e.g. legal software, regular updating). security plan structure layout (e.g. organisation, types of staff activity, name of creator, date of creation, version number and revision date, contents page) sections (e.g. introduction, objectives, current security, security priorities, system description, management controls, operational controls, technical controls, predicted outcomes of tests) development of risk assessments to ensure that the correct level of risk is identified for the value of the assets e.g there is no point in spending many thousands of pounds on protecting home networks used only for entertainment, sending s and chatting on social networks. testing the security plan denial of service attack weak passwords used backups up to date and covering agreed data software patches installed status of anti-virus software external access appropriate. forms and documents list of physical security to be put in place list of naming conventions (e.g. group profiles, user profiles, authorisation lists) list of devices list of system responsibilities user group identification documentation user group description documentation individual user documentation. implement the security plan timetable of activities guidance for users and managers implement physical security implement software and data security implement network security complete forms and documents confirming implementation. 5

6 Delivery guidance To deliver this unit, the tutor may choose to follow the order of the teaching content but this is not essential. It is important that the focus is on ensuring that learners have the opportunity not only to acquire the necessary knowledge but also have the opportunity to practice and achieve the level and range of skills listed in the assessment criteria. Know the potential threats to the security of IT Learners need to know what threats they face; the tutor should encourage learners to consider what security they have on their own computers, mobile telephones or pen drives and discuss whether they are safe from attack or not, using this to build towards a discussion of organisations on one site and many sites. Learners should undertake desk based research looking for examples of threats, the damage caused to systems and reputations and how they have been dealt with by organisations or the legal system. Learners could be asked to work on these elements in groups and make a presentation to colleagues on what they have found or produce a range of information sheets for dissemination to the wider group. There will be overlaps but there will also be different approaches and information. A class discussion could then take place where the strengths and weaknesses of all the information can be discussed and an agreed interpretation of the range of potential threats identified. Guest speakers, possibly drawn from the school or college IT technicians, talking about their knowledge and experience of facing the results of security threats and how they dealt with them, would provide learners with the opportunity to consider security within a system with which they are familiar. Other possible options are for learners to work for short periods on placement or shadowing technicians. If learners have access to a training IT laboratory or workshop then they could work in teams to identify threats. Understand how to protect IT systems Learners could use the results of their research on and experience of, security threats already carried out, as an introduction to discussions on the legal implications of storing data and software on a computer system. Learners must understand the range of laws which are available to help combat illegal activity and also what legal obligations are placed upon the system users in terms of protecting personal information belonging to living people. Again, research activities could be introduced using group work to investigate examples of when the laws have been called on to deal with breaches, or to investigate the particular elements of the Acts. Learners should be discouraged from merely quoting the Acts. It is more useful if learners are encouraged to describe the purpose in their own words together with how these laws support IT security and the responsibilities they put on individuals and organisations. Groups of learners could produce flip charts or presentations on their interpretation which can be discussed by the wider group to come to an accurate consensus on the correct explanation. Learners must understand and be able to apply a range of security measures including security policies and risk management procedures by investigating examples from: the college or school, internet, presentations by invited speakers. These findings can be discussed in a class situation to clarify any areas of confusion and to correct any issues. Using this knowledge, learners must be able to design policies and procedures to protect and reduce risk for identified types of home or small business information system. Invited speakers who have a role in designing or implementing security measures would provide a useful source of information on the realities of developing and using security measures. Learners need to study a range of security measures and consider the cost of purchasing, maintaining and updating such measures (precise costs are not required but learners must appreciate that all security has a cost and therefore, it is important to select the appropriate security measure for the particular IT system and its components). Be able to apply security methods Learners need to know what their security plan should include in order to protect the system and employees from attack and to recognise that attack may be intentional, accidental, internal or external to the organisation. All of these issues may occur even in home or small offices but the type of work activities and information and data stored will decide on how complex the security plan needs to be. When learners have completed an outline security plan from their own research and knowledge of IT security in relation to an identified information system, they could then be provided with a copy of a security plan which may be downloaded from the internet, or a copy of the security plan. Learners in the workplace may have access to their organisation s security plan. It is helpful if they have access to at least a small sample of 6

7 IT security Level 2 Unit 18 plans so that they can compare and analyse the different approaches. Class discussions, invited speakers with a background in IT Security would be helpful and the IT staff of the school or college may be willing to take this on. Learners could work individually, or in groups, on reviewing the different approaches and then sharing their experience with the rest of the class to provide an example of real world security measures and which ones would be most relevant to home or small business. For implementation, it is necessary for the learner to have access to a system and to play the part of the tester by setting a test scenario and predicted outcomes and observing how it performs when another learner, for example, carries out the plan. It would be useful for the learners to use the learning undertaken to identify potential threats for LO1 and use these as the base for the test. This should normally be undertaken on a stand-alone computer or on a local network with the permission of the systems administrator. All learners can practice being the tester and also observe their own tests being undertaken. The opinions of observers and those taking part can then be discussed to extract good practice and areas which did not work well in designing and implementing a security plan. 7

8 Suggested assessment scenarios and task plus guidance on assessing the suggested tasks The assessment could be set as a single long assignment being built up over the period of the unit or it could be split into individual tasks. If the former case is undertaken then formative assessment on completion of key elements such as the completion of the plan, would be required. Although learners may undertake group work while developing the knowledge and skills all work submitted for assessment must be carried out individually by the learner. Assessment Criterion P1 Learners must identify a range (three or more) of potential threats to the security of IT systems. The evidence could take the form of a leaflet, report or presentation. If the evidence is a presentation, detailed speaker notes must be included or an audio/visual recording of the presentation must be provided. Assessment Criterion P2 Learners must outline relevant legislation, both national and EU, which is relevant to the protection of IT systems. They could create leaflets, a presentation or report on relevant legislation and what requirements it places upon the business. If a presentation is created, it must be accompanied by speaker notes which provide the required detail. Assessment Criteria P3, M1, D1 Learners must discuss the security methods available for protecting: hardware software data network. For merit criterion, M1 learners must explain the security methods which are most relevant to a particular system and could produce a report or presentation on the methods they have identified and the reasons why learners believes them to be the most appropriate. If a presentation is produced then learners must provide speaker notes which provide the necessary level of detail, or video evidence. For distinction criterion, D1 learners must justify, using the evidence from M1, why the security methods for the identified system are effective. The evidence may take the form of a report or presentation but the presentation would need to be accompanied by very detailed speaker s notes. Please note that P4, P5, P6, M2, M3 and D2 could be carried out by learners in one longitudinal assessment from creation of the plan to the testing and adjustments. Clearly this will depend upon the quality of the individual assessment activities and evidence. Assessment Criterion P4 Learners must create a security plan, drawing on their findings from assessment criteria P2 and P3, where appropriate. It must include the following security elements: hardware software data network. Each learner must create a plan. The plan must include the predicted outcomes of the tests and should include, or be accompanied by, additional explanation and clarification as to the choices made; this could take the form of a report or presentation with speaker notes, or video evidence. Assessment Criteria P5 and M2 Learners must implement a security plan, which may be the one created for P4 or one from another source and complete the necessary documentation as they go through the implementation process. A detailed observation report could be presented or video recording of the process could be offered as evidence of the implementation. For merit criterion M2, learners must create the necessary documentation for recording the outcome of implementing the plan. These documents must be original and not existing templates or exemplars from the internet. The documents should contain notes and guidance so that the user will have the necessary knowledge to complete them accurately. The documents may be paper-based or electronic and the guidance could be delivered as a video tutorial. Assessment Criteria P6, M3, D2 Learners must test the security plan used in P5. This must include the test plan confirming the intended and actual results of the tests carried out, as well as any associated documentation, printouts, forms used. This could be further supported by annotated screenshots or reports. 8

9 IT security Level 2 Unit 18 For merit criterion M3, learners must provide evidence of reviewing the actual test results against the predicted results and explain what the results mean, whether there are any issues identified. This could be evidenced through including an additional section within the original test plan or producing a report. For distinction criterion D2, learners must make improvements to the security plan and any associated documentation based on their review of the test results from M3. Evidence must be the revised security plan and associated documentation, which may be the original plan and documentation with annotations. Resources: Learners must have access to an information system for which they can develop and test a security plan. 9

10 10

11 IT security Level 2 Unit 18 Mapping within the qualification to the other units Unit 1 Communicating in the IT industry Unit 4 Installing computer hardware Unit 5 Installing computer software Unit 6 Setting up an IT network Unit 12 Presenting information using IT Links to NOS 6.2 IT Security Management 6.3 IT Disaster Recovery 11

12 CONTACT US Staff at the OCR Customer Contact Centre are available to take your call between 8am and 5.30pm, Monday to Friday. We re always delighted to answer questions and give advice. Telephone