week 23
K1.23 The purpose and application of legislation, industry standards and regulatory compliance, and industry best practice guidelines for the security of information systems within digital infrastructure.
Organisations need to follow legal rules, meet industry standards, and apply best practice guidelines to:
- Keep information systems secure
- Protect personal data and business assets
- Stay compliant and avoid legal/financial penalties
- Build trust with customers, users and partners
Legislation – The Legal Framework
UK General Data Protection Regulation (UK GDPR)
Purpose:
Sets legal rules on how personal data is collected, stored, used and shared. It protects people's right to privacy.
Applications in Digital Infrastructure:
Article | Purpose |
---|---|
Article 1 | States the objectives of protecting individuals’ personal data |
Article 2 | Explains what data and actions are covered (e.g. storage, transfer, access) |
Article 3 | Territorial scope: applies to organisations established in the UK, and to organisations outside the UK that offer goods or services to, or monitor the behaviour of, people in the UK |
Article 4 | Defines terms like "data subject", "processing", "consent" |
Article 5 | Sets principles: fairness, transparency, purpose limitation, accuracy, etc. |
Article 6 | Lists legal reasons for processing data (e.g. consent, legal obligation) |
Article 7 | Conditions under which consent is valid (clear, active, documented) |
Example: A company encrypts customer data and only keeps it for as long as needed, meeting the storage limitation and integrity/confidentiality principles in Article 5.
Data Protection Act (DPA) 2018
Purpose:
Sits alongside UK GDPR and supplements it: it tailors how UK GDPR applies (for example exemptions), sets separate rules for law enforcement and intelligence services processing, and gives the Information Commissioner's Office (ICO) its enforcement powers.
Key Applications:
Requirement | Risk Mitigated |
---|---|
Fair, lawful and transparent data usage | Prevents misuse of user data |
Specific and explicit purpose | Stops data being reused inappropriately |
Adequate and limited data | Minimises unnecessary data collection |
Accurate and up to date | Avoids errors and outdated information |
Not kept longer than needed | Reduces exposure to breaches |
Protected against unauthorised access, loss, destruction or damage | Reduces the chance of leaks and intrusions |
Computer Misuse Act 1990
Purpose:
Criminalises unauthorised access to, and interference with, computer systems and data.
Applications:
Offence Area | Example in Digital Infrastructure |
---|---|
Unauthorised access to systems or data | Hacking into a server or admin account |
Access with intent to commit another crime | Logging into a payroll system to steal data |
Acts to impair or damage systems | Installing ransomware or launching a denial-of-service attack |
Violating this Act can lead to prosecution and imprisonment.
Industry Standards & Regulatory Compliance
ISO 27001 – Information Security Management
Purpose:
ISO/IEC 27001 is an international standard that specifies the requirements for an information security management system (ISMS). Organisations can be independently audited and certified against it.
Applications:
- Helps organisations demonstrate compliance with UK GDPR/DPA
- Requires security policies, risk assessments, access control, and incident response plans
- Requires internal audits and encourages regular penetration testing
Used by banks, healthcare providers and cloud services to demonstrate that they protect data properly.
PCI DSS – Payment Card Industry Data Security Standard
Purpose:
A worldwide standard to protect cardholder data and reduce payment fraud.
Applications:
Requirement | Example in Practice |
---|---|
Secure network setup | Firewalls between card systems and public networks |
Data protection | Make stored card numbers unreadable (encryption, truncation or tokenisation); never store the CVV after authorisation |
Vulnerability management | Keep systems patched, use anti-malware software |
Access control | Only allow authorised staff to view cardholder data |
Monitoring and testing | Regular scans and logging of system activity |
Security policy | Documented processes for incident response and training |
Contractually required (through the card brands and acquiring banks) for any business that stores, processes or transmits cardholder data.
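Worked example (added here; not from the PCI Security Standards Council and not part of the original notes). It shows what the "data protection" row looks like in code: a payment record is checked, the card number (PAN) is tokenised with a keyed hash and masked for display, and the CVV is dropped before anything is stored. The record layout, the demo key and the use of a Luhn check are assumptions for the illustration.

```python
"""Added example: preparing a card payment record for storage under PCI DSS.
Not the page's own code; the record layout and the key handling are assumed."""
import hashlib
import hmac
import re

# Constructed demo key for the example only. In production the key comes from a
# key management service or HSM, never from source code.
TOKEN_KEY = b"demo-only-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects obviously malformed card numbers before processing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: PCI DSS allows at most the first six and last four digits to be shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenise_pan(pan: str) -> str:
    """Keyed one-way reference for lookups and refunds; the PAN itself is not kept."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict) -> dict:
    """Return the only fields that may be written to the database.

    The CVV is deliberately not copied: sensitive authentication data must not
    be stored after authorisation, even encrypted.
    """
    pan = re.sub(r"\D", "", record["pan"])          # strip spaces/dashes from input
    if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
        raise ValueError("invalid PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": tokenise_pan(pan),
        "expiry": record["expiry"],
        "name": record["name"],
    }


if __name__ == "__main__":
    # Constructed input using a well-known test card number.
    incoming = {"pan": "4111 1111 1111 1111", "expiry": "12/29",
                "cvv": "123", "name": "A Tester"}
    print(prepare_for_storage(incoming))
```

The stored record holds a masked PAN for receipts and a token for matching refunds to the original payment, which is enough for day-to-day operations without the full card number being anywhere in the system.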
Industry Best Practice Guidelines
NCSC – 10 Steps to Cyber Security
Purpose:
Developed by the UK's National Cyber Security Centre to guide organisations on improving digital security. The areas below are the original ten steps; NCSC revised the list in 2021, so check the current version on ncsc.gov.uk.
Applications in Digital Infrastructure:
Area | Description |
---|---|
User education | Train users to spot phishing and use strong passwords |
Mobile/home working | Secure VPNs and authentication for remote access |
Secure configuration | Disable unused services and ports |
Removable media controls | Block or scan USBs |
Managing user privileges | Apply the principle of least privilege |
Incident management | Have a plan for dealing with security breaches |
Monitoring | Use alerts, logs and audits to detect suspicious activity |
Malware protection | Use antivirus and malware scanning |
Network security | Firewalls, segmentation and secure Wi-Fi |
Risk management regime | Regular assessments and updates of risk strategy |
Helps businesses of any size build a layered cyber defence.
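Worked example for the Monitoring step (added here; not from NCSC): a small detector that reads authentication log lines and raises an alert when one source address fails to log in repeatedly within a short window, also noting whether a success followed, which is the pattern of a password-guessing attack that then got in. The log lines are constructed in the style of Linux sshd messages, and the threshold of five failures in 60 seconds is an assumed tuning value.

```python
"""Added example: brute-force login detection over constructed sshd-style log lines.
Not the page's own code; the log format and the 5-in-60s threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one source hammers root/admin and finally succeeds,
# another user mistypes once and then logs in with a key.
SAMPLE_LOG = """\
2025-07-14T09:00:01 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
2025-07-14T09:00:03 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2
2025-07-14T09:00:05 sshd[2101]: Failed password for root from 203.0.113.9 port 51236 ssh2
2025-07-14T09:00:06 sshd[2101]: Failed password for root from 203.0.113.9 port 51237 ssh2
2025-07-14T09:00:08 sshd[2101]: Failed password for root from 203.0.113.9 port 51238 ssh2
2025-07-14T09:00:09 sshd[2101]: Accepted password for root from 203.0.113.9 port 51239 ssh2
2025-07-14T09:15:00 sshd[2150]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2025-07-14T09:16:30 sshd[2150]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text: str) -> list:
    """Turn matching log lines into events; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "ip": m["ip"],
            })
    return events


def detect_bruteforce(events: list, threshold: int = 5, window_s: int = 60) -> list:
    """Alert on any source IP with >= threshold failures inside window_s seconds.

    Each alert records how many failures fell in the window and whether a
    successful login from the same IP came afterwards (a likely compromise).
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        bucket = failures if e["result"] == "Failed" else successes
        bucket[e["ip"]].append(e["ts"])

    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over failure times
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                last_failure = times[end]
                alerts.append({
                    "ip": ip,
                    "failures": end - start + 1,
                    "success_after": any(t > last_failure for t in successes.get(ip, [])),
                })
                break                            # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

In practice the same logic runs inside a SIEM or log pipeline rather than a script, but the two decisions it makes, the threshold and whether the attacker eventually got in, are what turn raw log lines into something an incident management plan can act on.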
OWASP – Open Web Application Security Project
Purpose:
A global non-profit community (the name now stands for Open Worldwide Application Security Project) that improves the security of web applications through free tools, resources and training.
Applications:
- Provides free tools such as ZAP for testing web application security
- Maintains the OWASP Top 10, a regularly updated list of the most critical web application security risks (e.g. injection, including SQL injection, and cross-site scripting)
- Offers training resources for developers and IT professionals
- Encourages secure coding practices from the start of development
Used by developers and security analysts to build safer web systems.
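Worked example for the Top 10's injection category (added here; not OWASP's own code): the same login check written with string concatenation and with a parameterised query, run against an in-memory SQLite database with a constructed user table. The username `alice' --` closes the string early and comments out the password check in the vulnerable version, but is treated as an ordinary (unknown) username in the safe one. SHA-256 is used only to keep the example dependency-free; real password storage should use a dedicated password hashing function such as Argon2 or bcrypt.

```python
"""Added example: SQL injection in a login query, vulnerable form beside the fix.
Not the page's own code; the user table and password hashing are constructed for the demo."""
import hashlib
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database with a single user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # SHA-256 only to keep this dependency-free; use Argon2/bcrypt for real passwords.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Vulnerable: the username is pasted into the SQL text, so it can change the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Fixed: placeholders bind the values as data; the query structure cannot change."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    payload = "alice' --"        # turns the WHERE clause into: username = 'alice' --...
    print("vulnerable, injected:", login_vulnerable(db, payload, "anything"))
    print("safe, injected:      ", login_safe(db, payload, "anything"))
    print("safe, real password: ", login_safe(db, "alice", "correct horse"))
```

The only difference between the two functions is where the user input ends up: inside the SQL text, or passed separately to the database driver. That is why parameterised queries are the standard fix rather than trying to filter out dangerous characters.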
Law & Standards in Action
Task:
1. Match each real-world scenario to the relevant law or standard:
- Encrypting a customer database
- Detecting a malware attack and alerting users
- Restricting access to online payment processing software
- Reporting a phishing attack on a school network
2. For each, explain:
- Which law/standard/guideline applies
- How it mitigates risk
- What would happen if it was ignored
Extension: Research one more industry standard used in healthcare, education, or finance and explain its role.
Working in groups, each group is assigned one of the topics above and creates a leaflet providing guidance for a new digital business.
Last Updated
2025-07-14 14:05:16