Cambridge A-Level Computer Science 9618 – 6.1 Data Security
6.1 Data Security
Data security is the practice of protecting information from unauthorised access, modification, loss or destruction. Effective security reduces the risk posed by a wide range of threats, from accidental errors to deliberate attacks.
1. The Risk Management Process
Identify assets (data, hardware, software, services).
Identify threats and vulnerabilities.
Assess the likelihood and impact of each risk.
Choose and implement appropriate controls.
Monitor and review the effectiveness of controls.
2. Categories of Controls
Controls are grouped into three main categories:
Physical controls – protect the physical environment.
Technical (logical) controls – use technology to enforce security.
Administrative controls – policies, procedures and training.
3. Physical Controls
Physical controls limit access to the hardware and facilities that store or process data.
Secure premises – locked doors, security guards, CCTV.
Environmental protection – fire suppression, temperature and humidity control.
Hardware protection – cable locks, locked server racks, tamper‑evident seals.
Disposal – shredding of paper, degaussing or physical destruction of storage media.
4. Technical Controls
Technical controls use software and hardware mechanisms to protect data.
Control Type | Purpose | Typical Implementation
--- | --- | ---
Encryption | Confidentiality of data at rest and in transit | AES‑256 for files, TLS 1.3 for network traffic
Access Control | Restrict who can view or modify resources | Role‑Based Access Control (RBAC), ACLs, MFA
Firewalls & IDS/IPS | Prevent unauthorised network access and detect intrusions | Packet‑filtering firewalls, stateful inspection, Snort IDS
Anti‑malware Software | Detect and remove malicious code | Signature‑based scanners, heuristic analysis, real‑time monitoring
Backup & Recovery | Ensure data can be restored after loss or corruption | 3‑2‑1 strategy: 3 copies, 2 media types, 1 off‑site
Patch Management | Close known vulnerabilities | Automated update tools, scheduled patch cycles
5. Administrative Controls
Administrative controls define the rules and procedures that govern security behaviour.
Security policies – define acceptable use, data classification, incident response.
Procedures – step‑by‑step instructions for tasks such as user provisioning, backup, and disposal.
Training and awareness – regular sessions on phishing, password hygiene, and reporting incidents.
Auditing and logging – maintain logs of system activity and review them for anomalies.
Legal and regulatory compliance – adhere to GDPR, Data Protection Act, etc.
6. Risk‑Reduction Techniques
The following techniques combine the three categories of controls to mitigate specific threats.
Least Privilege – Users receive only the access necessary for their role; reduces impact of compromised accounts.
Defence in Depth – Layered security (physical → network → host → application) ensures that if one layer fails, others remain.
Segmentation & Zoning – Separate networks (e.g., DMZ, internal LAN) to limit lateral movement of attackers.
Secure Development Lifecycle (SDLC) – Integrate security testing (code review, static analysis) into each development phase.
Incident Response Plan – Pre‑defined steps for detection, containment, eradication, recovery, and post‑mortem.
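The least‑privilege and access‑control ideas above, shown as a small working model. This is an added example written for these notes, not code from the syllabus: the roles, permissions, users and the "three denials" anomaly threshold are all constructed for illustration. It enforces deny‑by‑default RBAC, requires MFA for sensitive actions, and records every decision in an audit log that can then be reviewed for anomalies.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Permissions granted per role (constructed for this example):
# each role receives only what the job requires (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk": {"record:read"},
    "manager": {"record:read", "record:write"},
    "admin": {"record:read", "record:write", "record:delete", "user:manage"},
}

# Sensitive actions that additionally require multi-factor authentication.
MFA_REQUIRED: Set[str] = {"record:delete", "user:manage"}

@dataclass
class AccessControl:
    user_roles: Dict[str, Set[str]]
    audit_log: List[Tuple[str, str, bool, str]] = field(default_factory=list)

    def is_allowed(self, user: str, action: str, mfa_passed: bool = False) -> bool:
        """Deny by default: allow only if one of the user's roles grants the
        permission and any MFA requirement is met. Every decision is logged."""
        roles = self.user_roles.get(user, set())
        granted = any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)
        if not granted:
            allowed, reason = False, "no role grants this permission"
        elif action in MFA_REQUIRED and not mfa_passed:
            allowed, reason = False, "MFA required for this action"
        else:
            allowed, reason = True, "granted"
        self.audit_log.append((user, action, allowed, reason))
        return allowed

    def repeated_denials(self, threshold: int = 3) -> Dict[str, int]:
        """Review the audit log for an anomaly: users repeatedly denied access."""
        counts: Dict[str, int] = {}
        for user, _action, allowed, _reason in self.audit_log:
            if not allowed:
                counts[user] = counts.get(user, 0) + 1
        return {u: n for u, n in counts.items() if n >= threshold}

def demo() -> Dict[str, int]:
    ac = AccessControl({"alice": {"clerk"}, "bob": {"admin"}})
    ac.is_allowed("alice", "record:read")                    # granted
    for _ in range(3):
        ac.is_allowed("alice", "record:delete")              # denied: not in role
    ac.is_allowed("bob", "record:delete")                    # denied: no MFA
    ac.is_allowed("bob", "record:delete", mfa_passed=True)   # granted
    return ac.repeated_denials()  # returns {"alice": 3}
```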
7. Example Risk Assessment Matrix
The matrix helps prioritise controls based on likelihood and impact.
Likelihood \ Impact | Low (≤10%) | Medium (10%–30%) | High (>30%)
--- | --- | --- | ---
Rare | Low | Low | Medium
Possible | Low | Medium | High
Likely | Medium | High | Critical
8. Summary of Key Methods to Restrict Risks
Implement strong encryption for data at rest and in transit.
Enforce robust access controls, including multi‑factor authentication.
Maintain up‑to‑date anti‑malware and patch management processes.
Secure physical premises and protect hardware from environmental hazards.
Develop and regularly test an incident response plan.
Provide ongoing security awareness training for all staff.
Adopt a layered (defence‑in‑depth) approach to combine physical, technical, and administrative controls.
Suggested diagram: Layered security model showing physical, network, host, and application layers with example controls at each level.