6.1 Data Security
1 Key Concepts
Security (CIA triad) – the set of controls that ensure:
Confidentiality: data are only accessible to authorised users.
Integrity: data are accurate, complete and have not been altered without permission.
Availability: data and services are accessible when required.
Privacy – the right of individuals to decide who may view or use their personal information. In practice it is achieved by applying confidentiality controls.
Integrity (as a separate term) – the assurance that data remain correct and un‑tampered; it underpins the “I” in CIA.
2 Why Security Is Needed
Data are created, stored, processed and transmitted by hardware, operating systems and networks. If any part of the system is compromised, the data it contains become vulnerable. Consequently, protecting the hardware, the OS and the network is a prerequisite for protecting the data itself.
3 Common Threats
Malware – viruses, worms, trojans, ransomware, spyware.
Unauthorised access – hacking, insider threats, weak or stolen passwords.
Physical loss or damage – theft, accidental damage, fire, flood.
Data loss – accidental deletion, hardware failure, software bugs.
Interception of communications – eavesdropping, man‑in‑the‑middle (MITM) attacks.
4 Security Measures for a Stand‑Alone PC
Physical security
Keep the computer in a locked room or cabinet; use cable locks or lockable enclosures.
Secure removable media (USB sticks, external drives) when not in use.
Operating‑system hardening
Apply regular patches and updates (patch management).
Disable unnecessary services, ports and default accounts.
Create separate user accounts and enforce the principle of least privilege (standard user vs. administrator).
Antivirus / Antimalware
Real‑time scanning of files, email attachments and web traffic.
Scheduled full system scans and automatic definition updates.
Encryption
Full‑disk encryption (e.g., BitLocker for Windows, FileVault for macOS).
Use strong symmetric algorithms such as AES‑256.
Mathematical illustration: \(E_{k}(m)=c,\; D_{k}(c)=m\) where \(k\) is the secret key.
Backup and recovery
Automated regular backups to external media or a cloud service.
Verify backup integrity and perform periodic restoration tests.
5 Security Measures for Networked Systems
Network perimeter defence
Firewalls – packet‑filtering (stateless) and stateful inspection.
DMZ (Demilitarised Zone) – isolates public‑facing services (web, mail) from the internal network.
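The difference between stateless packet filtering and stateful inspection, shown on three packets. This is an added example, not part of the original notes; the rule set, the addresses (documentation ranges) and the traffic are constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport")

INSIDE = "192.168.1.10"  # constructed internal host address

def stateless_allows(pkt):
    """Stateless rule set: each packet is judged only on its own header.
    Outbound HTTPS is allowed, and so is any inbound packet with source
    port 443, because replies have to be let back in somehow."""
    if pkt.direction == "out":
        return pkt.dport == 443
    return pkt.sport == 443

class StatefulFirewall:
    """Stateful inspection: an inbound packet passes only if it belongs
    to a connection that an inside host opened earlier."""
    def __init__(self):
        self.connections = set()  # state table of (src, sport, dst, dport)

    def allows(self, pkt):
        if pkt.direction == "out":
            if pkt.dport != 443:
                return False
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: the reversed 4-tuple must already be in the state table.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections

def compare(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_allows(p), fw.allows(p)) for p in packets]

# Constructed traffic: a request, its reply, and an unsolicited inbound packet.
SAMPLE = [
    Packet("out", INSIDE, 50000, "203.0.113.5", 443),
    Packet("in", "203.0.113.5", 443, INSIDE, 50000),
    Packet("in", "198.51.100.7", 443, INSIDE, 3389),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, compare(SAMPLE)):
        print(pkt, "stateless=%s stateful=%s" % verdict)
```

Both firewalls pass the request and its reply; only the stateful one drops the third packet, because no inside host opened that connection.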
Intrusion detection & prevention
Signature‑based IDS/IPS for known attack patterns.
Anomaly‑based monitoring to flag unusual traffic.
Secure communication
TLS/SSL (HTTPS, FTPS, SMTPS) encrypts data in transit.
VPN tunnels (IPsec, SSL‑VPN) provide secure remote access.
Asymmetric encryption example (RSA):\[
\begin{aligned}
&\text{Public key } (e,n),\; \text{Private key } (d,n)\\
&c \equiv m^{e}\pmod{n},\; m \equiv c^{d}\pmod{n}
\end{aligned}
\]
Access control
Authentication – passwords, biometrics, smart cards, two‑factor authentication (2FA).
Authorisation models – discretionary (DAC), mandatory (MAC) and role‑based (RBAC).
Network segmentation
VLANs to isolate sensitive traffic.
Sub‑nets and ACLs on routers/switches to restrict flow.
Patch management (network‑wide)
Centralised distribution of OS and application updates (e.g., WSUS, SCCM).
Automated vulnerability scanning and remediation.
Data redundancy & disaster recovery
RAID levels (0, 1, 5, 6) for hardware fault tolerance.
Off‑site backups, replication to a secondary data centre, and regular recovery drills.
Monitoring & logging
Security Information and Event Management (SIEM) for real‑time alerts.
Centralised log collection from servers, firewalls, IDS/IPS and endpoints.
6 Comparative Overview
Security aspect | Stand‑alone PC | Networked environment
Physical protection | Lock & cable‑lock; secure enclosure | Locked server rooms, CCTV, badge‑controlled access
Access control | Local user accounts, strong passwords, least‑privilege | Centralised authentication (LDAP, RADIUS), MFA, RBAC
Encryption | Full‑disk (AES‑256) | TLS/SSL for traffic, VPN tunnels, encrypted storage arrays
Malware defence | Antivirus, real‑time scanning | Network‑wide endpoint protection, sandboxing, IDS/IPS
Backup strategy | External drive or cloud backup; manual verification | Automated network backup servers, off‑site replication, RAID
Monitoring | Local system logs reviewed periodically | SIEM, IDS/IPS alerts, real‑time dashboards
Patch management | Manual OS/application updates | Centralised patch distribution, automated vulnerability scans
7 Policies, Procedures & User Awareness
Security policy – written document covering acceptable use, password standards, data classification, and incident‑response.
Regular training – phishing simulations, safe handling of removable media, social‑engineering awareness, and secure coding basics.
Incident‑response process – clear reporting channel, immediate containment steps, forensic analysis, and post‑mortem review to improve controls.
8 Summary – Defence‑in‑Depth
Effective data security follows a layered approach:
Physical safeguards (locks, CCTV, secure enclosures)
System hardening (patches, least‑privilege accounts)
Network controls (firewalls, IDS/IPS, segmentation)
Encryption (disk, traffic, storage)
Regular updates & patch management
Backup, redundancy and disaster‑recovery planning
Monitoring, logging and real‑time alerting
Policies, procedures and user awareness
Whether the environment consists of a single PC or a large corporate network, the same CIA principles apply; the controls simply scale to match the system’s complexity.
Suggested diagram: layered security model showing Physical → Network → Host → Application → Data layers, with example controls (locks, firewalls, OS hardening, authentication, encryption) at each level.