www.ICT-Teacher.com
Objectives: Legislation
Understand that implementation of legislation will impact on procedures within an organisation.
Describe the methods of enforcing and controlling data protection legislation within an organisation.
Describe the methods of enforcing and controlling software misuse legislation within an organisation.
Describe the methods of enforcing and controlling health and safety legislation within an organisation.
Discuss the implications of the various types of legislation.
Objectives: Audit requirements
Understand that many information systems are subject to audit.
Understand the impact of audit on data and information control.
Describe the need for audit and the role of audit management/software tools in information systems.
Understand the function of audit trails and describe applications of use, e.g. ordering systems; student tracking; police vehicle enquiries.
Regulations
1. Data Protection Act 1984 & 1998.
2. Computer Misuse Act 1990.
3. Copyright Designs & Patents Act 1988.
4. Health and Safety Regulations 1992.
Data Protection Act 1998
Consists of eight data protection principles.
Applies to organisations that hold personal data.
Personal data must be kept secure, should be accurate, and must not be misused.
Employees with access need to understand the implications of the Act.
A security manager or administrator is put in control of access to the data.
Operating procedures are put in place to ensure privacy.
Data Protection Policy: Customer service
Company policy available to interested parties.
Data subject told what data is kept and why.
Data to be accurate, and errors corrected.
Data only used for the purpose it was collected.
Data only sold on if the subject has consented.
Data only collected with consent in general.
Data subject allowed access and their concerns listened to.
Data Protection Policy: Organisation
Company policy publicised for all staff concerned.
Staff to be held accountable over privacy issues and could be liable under the Act if they leak data.
Issues of privacy to be part of the information system, including security, accuracy and updating.
A security policy adopted, with an administrator.
The security policy to deal with accidental as well as malicious damage and theft.
Staff to be aware of policy on passwords, physical security and back-up of files, with regular checks on security performed by the administrator.
Buying and Selling Personal Data
A company may be in business just to collect private data to sell to other companies.
The data subject has to have given permission for it to be traded.
This permission may have been granted unknowingly, e.g. by a tick box being left unticked.
Enforcing Data Protection
A data protection controller in the organisation advises staff and enforces the rules.
Employees are made aware of their responsibilities.
Any incidents are followed up to ensure no breaches have taken place.
Hardware is kept in secure areas.
Staff must not keep a personal copy of the database.
Enforcing Data Protection (continued)
Staff to be trained properly in the use of personal data in a database, and aware of the obligations of the organisation under the Act.
Passwords must be hard to break, and changed regularly.
Staff must not bring in personal software.
A log of all access should be kept as a record of individual access.
Levels of access should be differentiated for different job roles.
Software Misuse Act 1990
Employees need to:
Have a clear job description of what they are allowed to do, and not allowed to do.
Not introduce unauthorised software.
Do no unauthorised work on the system.
Scan data disks for viruses if they have been used outside the system.
Separation of duties, whereby no one person is responsible for everything; different parts have different managers.
Controllers to do regular audit checks of who has used the database and what they have accessed.
Software Copyright
It is illegal to copy software, or to run software that is not licensed for the purpose.
The company information systems administrator is responsible for the licence.
They must audit which software is installed and how many copies of each are in use, and delete any copies that exceed the licence agreement.
Ensure there are enough licences for the company work to be done.
Educate the staff about the consequences to them and to the company.
Ensure that staff are aware of the legalities and sign a written agreement.
Health and Safety
Each organisation should have a health and safety officer to check and report to management on the state of the environment, the furniture and the equipment used by staff.
Good staff training and proper use of computers in the working environment, including correct posture, and breaks to prevent eye strain and RSI, etc.
Eye tests should be offered regularly and glasses supplied if needed.
Faulty equipment should be replaced promptly.
Regular evaluation of the work space should be done to protect the workforce and minimise claims made against the organisation.
Audit Requirements
A systematic assessment of the entire computer system, including the hardware and software.
There is special software that produces an audit trail, e.g.:
A trail can track the progress of an item ordered by phone until its despatch.
The payment can be checked against the order in case of any queries, and for stocktaking purposes.
Fraud
An audit check will uncover fraud. It will check for any irregularities in orders and payments and report back to the administrator.
Staff are to be made aware of these procedures to deter the possibility of fraud.
Staff logging bogus customers etc. will be detected by an audit check combined with a customer tracking system.
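An added example, not from the ICT-Teacher.com slides: a small audit check of the kind described above, run over constructed order, payment and customer records (all names, IDs and amounts are invented). It flags orders despatched without payment, payments that do not match the order, orders booked against customers unknown to the customer tracking system, and payments with no order, then summarises findings per staff member for the administrator.

```python
# Added example (not part of the original slides): an audit check over the
# order/payment audit trail and the customer tracking system.
from collections import defaultdict

# Constructed sample data for illustration only.
CUSTOMERS = {"C100": "A. Smith", "C101": "B. Jones"}  # customer tracking system
ORDERS = [  # audit trail of phone orders: who took the order, for whom, and its state
    {"order": "O1", "customer": "C100", "staff": "kim", "total": 40.00, "despatched": True},
    {"order": "O2", "customer": "C101", "staff": "kim", "total": 15.50, "despatched": True},
    {"order": "O3", "customer": "C999", "staff": "lee", "total": 99.00, "despatched": True},
    {"order": "O4", "customer": "C100", "staff": "lee", "total": 20.00, "despatched": False},
]
PAYMENTS = [
    {"order": "O1", "amount": 40.00},
    {"order": "O2", "amount": 10.00},
    {"order": "O4", "amount": 20.00},
]


def audit_orders(orders, payments, customers):
    """Return (order_id, staff, reason) irregularities for the administrator to follow up."""
    known_orders = {o["order"] for o in orders}
    paid = defaultdict(float)
    findings = []
    for p in payments:
        paid[p["order"]] += p["amount"]
        if p["order"] not in known_orders:  # money recorded against nothing on the trail
            findings.append((p["order"], None, "payment with no matching order"))
    for o in orders:
        oid, staff = o["order"], o["staff"]
        if o["customer"] not in customers:  # bogus customer: not in the tracking system
            findings.append((oid, staff, "order for customer not in tracking system"))
        if o["despatched"] and oid not in paid:  # goods left without payment
            findings.append((oid, staff, "despatched with no payment recorded"))
        elif oid in paid and abs(paid[oid] - o["total"]) > 0.005:  # payment != order
            findings.append((oid, staff, f"payment {paid[oid]:.2f} != order total {o['total']:.2f}"))
    return findings


def by_staff(findings):
    """Count irregularities per member of staff, as an audit report would present them."""
    counts = defaultdict(int)
    for _, staff, _ in findings:
        if staff is not None:
            counts[staff] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in audit_orders(ORDERS, PAYMENTS, CUSTOMERS):
        print(finding)
    print(by_staff(audit_orders(ORDERS, PAYMENTS, CUSTOMERS)))
```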