Know and understand characteristics and methods of protecting data including biometrics, digital certificate, secure socket layer (SSL), encryption, firewall, two-factor authentication, user id and password

Safety and Security – ICT 0417

Learning objective

Know and understand the characteristics and methods of protecting data, including:

Biometrics

Digital certificates

Secure Socket Layer / Transport Layer Security (SSL/TLS)

Encryption

Firewalls

Two‑factor authentication (2FA)

User ID and password

and be able to relate these methods to the CIA triad, relevant legislation and everyday eSafety practice.

1. Why data protection is required

Legal & ethical drivers – Data Protection Act (UK) and GDPR principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity & confidentiality, accountability).

Personal & sensitive data – full name, date of birth, NI number, medical history, bank details, biometric templates. Misuse can lead to identity theft, fraud, discrimination, or reputational damage.

Physical safety of hardware – electrocution, fire, tripping hazards, heavy equipment, overheating of servers and storage devices.

Physical safety – main hazards and mitigation checks

Hazard	Potential impact	Practical mitigation
Exposed cables / overloaded sockets	Electric shock, fire, equipment damage	Use mains‑rated power strips with surge protection; keep cables tidy and away from walkways.
Overheating of laptops, servers or UPS units	Hardware failure, data loss, fire	Ensure adequate ventilation, clean dust filters regularly, monitor temperature, use a UPS with temperature alarm.
Heavy or unstable equipment (e.g., tower PCs, server racks)	Physical injury, equipment topple	Secure racks to walls or floor, use anti‑tip brackets, lift with two people or mechanical aids.
Water damage (spills, flooding)	Short‑circuit, data loss	Place devices away from liquids, use waterproof floor mats, have a spill‑response plan.
Fire	Destruction of hardware and data	Install smoke detectors, fire‑suppression systems (e.g., FM‑200), keep fire extinguishers nearby, conduct regular fire drills.

2. Core concepts

Authentication – confirming who a user *is* (e.g., password, fingerprint).

Authorisation – defining what an authenticated user *may* do (e.g., file permissions, role‑based access).

CIA triad – Confidentiality, Integrity, Availability. All protection methods aim to support one or more of these pillars.

3. Threats to data (overview)

Threat	Typical impact	Mitigation methods
Hacking / unauthorised access	Loss of confidentiality, data alteration	Firewalls, strong passwords, 2FA, encryption, digital certificates
Phishing & social engineering	Credential theft, malware infection	User education, 2FA, email filters, safe‑browsing habits
Malware (viruses, ransomware)	Data loss, loss of availability	Antivirus/anti‑malware, regular backups, firewalls, application whitelisting
Card/identity fraud	Financial loss, identity theft	Encryption of transactions, SSL/TLS, digital certificates, tokenisation
Insider threat	Unauthorised data disclosure or alteration	Authorisation controls, audit logs, least‑privilege policies, separation of duties
Physical damage (fire, water, power failure)	Loss of hardware and data	UPS, fire‑suppression, proper cabling, regular backups, off‑site storage

4. Methods of protecting data

Method	How it works	Advantages	Limitations	Real‑world example	CIA contribution
Biometrics	Uses unique physiological or behavioural traits (fingerprint, iris, voice, facial pattern) to verify identity.	Hard to duplicate; convenient; provides non‑repudiation.	Requires specialised hardware; may fail due to injury or ageing; privacy concerns.	Smartphone fingerprint unlock; airport e‑gate facial recognition.	Confidentiality, Integrity
Digital certificate	Electronic document that binds a public key to an entity’s identity, signed by a trusted Certificate Authority (CA).	Enables trusted online transactions; essential for SSL/TLS.	Depends on CA trustworthiness; certificates expire and must be renewed.	Bank’s HTTPS site showing a padlock and “Issued by DigiCert”.	Confidentiality, Integrity
SSL / TLS	Protocol that encrypts data between client and server. Uses asymmetric encryption to exchange a symmetric session key, then encrypts all traffic with that key.	Provides confidentiality and integrity for web traffic; visible as “https://”.	Older versions (SSL 2.0/3.0) are insecure; requires valid certificates.	Online shopping checkout page using TLS 1.3.	Confidentiality, Integrity
Encryption	Transforms readable plaintext into unreadable ciphertext using an algorithm and a secret key (symmetric) or a key pair (asymmetric).	Protects data at rest (e.g., encrypted drives) and in transit (e.g., VPN). Strong algorithms are mathematically robust.	Key management is critical; weak keys/algorithms can be broken.	BitLocker full‑disk encryption on Windows laptops.	Confidentiality, Integrity
Firewall	Hardware or software that monitors and controls network traffic according to a set of security rules (packet filtering, stateful inspection, proxy).	Blocks unauthorised inbound/outbound traffic; can segment networks into zones.	Mis‑configured rules may create gaps; does not stop insider attacks.	Corporate perimeter firewall blocking port 23 (Telnet) but allowing port 443 (HTTPS).	Confidentiality, Availability
Two‑factor authentication (2FA)	Requires two independent credentials: something you know (password), something you have (token, mobile app), or something you are (biometric).	Greatly reduces risk of unauthorised access even if one factor is compromised.	Can be inconvenient; tokens or phones can be lost or stolen.	Bank sends a one‑time code to a smartphone app after password entry.	Confidentiality, Integrity
User ID & password	Traditional knowledge‑based authentication; the user supplies a unique identifier and a secret string.	Simple to implement; familiar to most users.	Weak passwords are vulnerable to guessing, phishing, brute‑force attacks; passwords may be stored insecurely.	Corporate email login requiring a username and a complex password.	Confidentiality

5. Mapping methods to the CIA triad

Confidentiality – Encryption, SSL/TLS, firewalls, strong passwords, 2FA, biometric verification, digital certificates.

Integrity – Digital certificates, SSL/TLS (MACs), audit logs, checksums, 2FA (prevents credential tampering).

Availability – Firewalls with DoS protection, regular backups, UPS and fire‑suppression, redundant network paths, load‑balancing.

6. eSafety (Internet, email, social media, online gaming)

Safe browsing – Look for “https://” and a padlock; avoid clicking unknown links.

Phishing awareness – Check sender address, hover over links, never provide credentials via email.

Social‑media privacy – Set profiles to “friends only”, avoid sharing personal identifiers (DOB, address, phone).

Online gaming etiquette – Use in‑game chat responsibly, do not share personal details, enable parental controls for younger users.

Public Wi‑Fi – Use a VPN or avoid transmitting sensitive data on unsecured networks.

Parental controls & content filters – Configure routers or device‑level controls to block inappropriate sites.

Exam tip

When answering a question on eSafety, note the command word:

Describe – give a brief account of each eSafety area (browsing, email, social media, gaming, public Wi‑Fi).

Explain – discuss why each practice protects users (e.g., “HTTPS encrypts data, preventing eavesdropping”).

Evaluate – weigh the advantages and disadvantages of a particular eSafety measure (e.g., VPNs vs. trusted networks).

7. Password management – best‑practice checklist

Minimum length: 12 characters (more for high‑risk accounts).

Mix of upper‑case, lower‑case, numbers and symbols.

Avoid dictionary words, personal information, repeated characters.

Change passwords regularly (e.g., every 90 days) and after a suspected breach.

Never reuse passwords across unrelated services.

Store passwords securely – use a reputable password manager (encrypted locally or cloud‑based with zero‑knowledge architecture).

Enable 2FA wherever possible.

8. Backup & recovery

Regular backups – at least weekly full backup plus daily incremental backups.

3‑2‑1 rule – keep three copies of data, on two different media, with one copy off‑site (e.g., cloud storage).

Testing – periodically restore a sample file to verify backup integrity.

Encryption of backups – protect backup media from unauthorised access.

Disaster‑recovery plan – define Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical services.

9. Practical example – secure online banking (good practice)

User enters user ID and password (knowledge factor).

Bank prompts for a one‑time code sent to the user’s mobile device (possession factor – 2FA).

Browser establishes an SSL/TLS session; the server presents a valid digital certificate issued by a trusted CA.

All data exchanged (account numbers, transaction details) is encrypted using the session key.

Bank’s internal network is protected by a firewall that blocks unauthorised inbound traffic.

Optional: the banking app may request a fingerprint scan (biometric factor) to authorise high‑value transfers.

10. Practical example – unsafe practice (what to avoid)

Logging into online banking over public Wi‑Fi without a VPN.

Using the same simple password for banking and social media.

Ignoring browser warnings about an expired or self‑signed certificate.

Disabling the firewall to “speed up” the connection.

Storing passwords in plain‑text documents on the desktop.

11. Glossary of key terms

Term	Definition (Cambridge wording)
Biometrics	Authentication based on a person’s unique physiological or behavioural characteristics.
Digital certificate	Electronic document that binds a public key to an individual or organisation, signed by a trusted Certificate Authority.
SSL / TLS	Protocols that provide encrypted communication over a network; TLS is the successor to SSL.
Encryption	Process of converting plaintext into ciphertext using an algorithm and a secret key.
Firewall	System (hardware or software) that controls network traffic according to a set of security rules.
Two‑factor authentication (2FA)	Security method requiring two different forms of verification (something you know, have, or are).
User ID	Unique identifier assigned to a user for login purposes.
Password	Secret string known only to the user, used to prove identity.
Confidentiality	Ensuring that data is accessible only to authorised persons.
Integrity	Ensuring that data is accurate, complete and has not been unauthorisedly altered.
Availability	Ensuring that data and services are accessible when required.
Certificate Authority (CA)	Trusted third‑party that validates identities and issues digital certificates.
eSafety	Practices that protect users from online risks such as phishing, cyber‑bullying, identity theft and unsafe content.

12. Revision questions

Define authentication and authorisation and explain how they differ.

List three advantages and two limitations of biometric security.

What is the role of a Certificate Authority in the SSL/TLS process?

Why is two‑factor authentication more secure than using a password alone?

Describe how a firewall protects a network and give an example of a rule it might enforce.

State three elements that must be included in a strong password.

Explain the 3‑2‑1 backup rule and why it is important.

Identify two eSafety risks when using public Wi‑Fi and how to mitigate them.

Give one physical‑safety check you would carry out before installing a new server.

Match each of the following protection methods to the CIA component(s) it primarily supports: (a) SSL/TLS, (b) backup, (c) biometric login, (d) firewall.

Answers (for teacher use)

Authentication verifies *who* a user is; authorisation determines *what* the verified user is allowed to do.

Advantages: difficult to forge, convenient for users, provides non‑repudiation. Limitations: expensive hardware, may fail due to injury or ageing, raise privacy concerns.

The CA validates the identity of the certificate holder and digitally signs the certificate, creating trust in the public key used for SSL/TLS.

2FA combines two independent factors (knowledge + possession or biometrics), so compromising one factor does not give full access.

A firewall filters traffic based on rules; e.g., block inbound traffic on port 23 (Telnet) while allowing port 443 (HTTPS).

Minimum 12 characters, mix of upper‑case/lower‑case letters, numbers and symbols; avoid personal information; use a password manager.

Three copies of data, on two different media types, with one copy stored off‑site. This protects against media failure, theft and site‑wide disasters.

Risks: data can be intercepted (sniffed) and credentials stolen; malicious hotspots may inject malware. Mitigate by using a VPN and ensuring the site uses HTTPS.

Check that the server rack is securely anchored to the floor/wall and that there is adequate ventilation to prevent overheating.

(a) SSL/TLS – Confidentiality & Integrity; (b) Backup – Availability; (c) Biometric login – Confidentiality & Integrity; (d) Firewall – Confidentiality & Availability.

Support e-Consult Kenya

Your generous donation helps us continue providing free Cambridge IGCSE & A-Level resources, past papers, syllabus notes, revision questions, and high-quality online tutoring to students across Kenya.