9.5: Data Management
Eduqas / WJEC
Why is data management important?
Managing data is important to ensure that sensitive information is not accessed by unauthorised users.
Data loss such as hacking could lead to legal trouble, identity theft, privacy invasion, fraud and financial losses for both organisations and individuals.
User Access Levels
Access levels are used to only allow certain users to access and edit particular files.
'Read-Only' access is when a user can only view a file and is not allowed to change any data.
For example, a teacher might set homework instructions as read-only for students to view.
'Read and Write' access allows a user to read and edit the data in a file.
For example, a teacher might set an online workbook as read and write access for students to fill in.
It is important to set access levels so that only authorised users can view and change data. The more users who have access to a file, the more likely it is to be compromised. Certain users may also have no access to a file - when they can't view or edit it.
Strong passwords are required to minimise the likelihood of being broken and to prevent attackers from accessing private information.
Rules for creating a strong password include:
Aa Bb Cc Dd Ee
Passwords should be more than at least 8 characters long.
Passwords should use uppercase and lowercase letters.
Passwords should not use common words found in a dictionary.
Passwords should use numbers and punctuation marks.
You should use a different password for each account that you have.
Encryption is the process of scrambling data into an unreadable format so that attackers cannot understand it if intercepted during transmission.
The original data (known as plain text) is converted to scrambled cypher text using an encryption key. Only at the correct destination will the encryption key be used to convert the cypher text back into plain text to be understood by the receiving computer.
A very simple method of encryption is to use the XOR logical operator. XOR is used on the plain text and key together to create the cypher text. Using XOR again on the cypher text and key will reverse the encryption to reveal the plain text.
Encryption using XOR
Plain text = 00110100
Key = 10100110 XOR
Cypher text = 10010010
Decryption using XOR
Cypher text = 10010010
/ Key = 10100110 XOR
Plain text = 00110100
Data policies are written documents that clearly define how data should be managed in an organisation. It is important that all employees stick to these policies and requirements so that data is kept safe and can be replaced if lost or corrupted. The following methods are examples of common data policies.
Acceptable Use Policy (AUP)
Workplaces and schools often require people to sign an acceptable use policy (AUP) before being allowed to use the network. It is a list of rules and expected behaviour that users must follow when using the computer systems.
Typical rules include:
Which websites are off-limits (such as social media or gambling sites),
Download permissions (such as who can download and install software)
Email communication (such as appropriate language).
Punishments if rules of the AUP are broken.
The AUP is sometimes known as a Code of Conduct. This is an example of a formal code of practice, with written rules and clear expectations. An informal code of practice would not be officially written down, such as personal habits and preferences (e.g. email layout or desk organisation).
With important data often stored on a computer network, it is absolutely vital that a detailed and effective disaster recovery policy is in place in the event of data being lost due to an unexpected disaster.
Disasters include natural disasters (e.g. fire, flood, lightning), hardware failure (e.g. power supply unit failing), software failure (e.g. virus damage) and malicious damage (e.g. hacking).
There are three clear parts to a disaster recovery policy:
Before the disaster:
All of the possible risks should be analysed to spot if there are any weaknesses in preparation.
Preventative measures should be taken after the analysis, such as making rooms flood-proof or storing important data at a different location.
Staff training should take place to inform employees what should happen in the event of a disaster.
During the disaster:
The staff response is very important – employees should follow their training and ensure that data is protected and appropriate measures are put in place.
Contingency plans should be implemented while the disaster is taking place, such as uploading recent data to cloud storage or securing backups in a safe room and using alternative equipment until the disaster is over.
After the disaster:
Recovery measures should be followed, such as using backups to repopulate computer systems.
Replacement hardware needs to be purchased for equipment that is corrupted or destroyed.
Software needs to be reinstalled on the new hardware.
Disaster recovery policies should also be updated and improved.
System backup copies data onto a separate storage device in case the original information is lost or corrupted.
Backups should be saved regularly and stored in a different location to the rest of the data. Magnetic tape is a common backup medium.
A typical backup policy is one known as 'grandfather - father - son' which uses three different backups at a time.
Grandfather backup (e.g. every month)
Father backup (e.g. every week)
Son backup (e.g. every day)
When data is no longer needed regularly, but is still important, it is archived.
This means it is stored in a secure location to be retrieved if needed. Data can be archived on external hard disk drives or magnetic tape and stored in a secure room or archived on cloud storage.
Data may be archived for:
Historical reasons (such as ex-students data in a school).
Security (such as CCTV tapes for previous months).
Legal reasons (such as laws requiring police data to be kept for a certain amount of time).
Data is archived so that space is freed up on the computer system or network - there is little use in storing a large amount of data that is infrequently accessed and slows down access speed for other files.
An archival policy will set out what data should be archived and how long it needs to be kept for.
A cookie is a small piece of data that is stored by websites when you visit them. They allow the website to identify the user and are often used to speed up processes, such as:
Automatic login (by saving account details)
Save items into a basket (such as pizza delivery sites)
Display adverts related to your previous search terms.
Although they can be used to save time, some argue that cookies can be intrusive and store too much information.
9.5 - Data Management:
1. Why is data management important? 
2a. Why are user access levels important? 
2b. Explain the two main types of access level and give an example. 
3. State 5 tips for choosing a strong password. 
4a. Describe what encryption is. Use keywords such as plain text, encryption key and cypher text. 
4b. Using an example, explain how XOR can be used to encrypt data. 
5a. What is the purpose of an acceptable use policy (AUP)? 
5b. State 4 things that may be included in an AUP. 
5c. Describe the difference between formal and informal codes of practice, using examples. 
6a. State 3 different events / scenarios that count as a disaster. 
6b. Describe the steps an organisation should take during each stage of a disaster recovery plan:
iii. After [3 each]
7a. What is a backup and why should they be regularly made? 
7b. State and briefly describe a common backup policy. 
8a. What is archiving? 
8b. What types of data are archived? 
8c. Why is archiving performed? 
9. Describe what a cookie is and give 3 ways in which they can be used.