K1.23 The purpose and application of legislation, industry standards and regulatory compliance, and industry best practice guidelines for the security of information systems within digital infrastructure.
Legislation:
• UK General Data Protection Regulation (UK GDPR):
o purpose – standardises the way data is used, stored and transferred to protect privacy
o applications within digital infrastructure:
▪ article 1 – subject matter and objectives
▪ article 2 – material scope
▪ article 3 – territorial scope
▪ article 4 – definitions
▪ article 5 – principles relating to processing of personal data
▪ article 6 – lawfulness of processing
▪ article 7 – conditions for consent
• Data Protection Act (DPA) 2018:
o purpose – implementation of UK GDPR to protect data and privacy
o applications within digital infrastructure:
▪ used fairly, lawfully and transparently
▪ used for specified, explicit purposes
▪ used in a way that is adequate, relevant and limited to only what is necessary
▪ accurate and, where necessary, kept up to date
▪ kept for no longer than is necessary
▪ handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
• Computer Misuse Act 1990:
o purpose – protects an individual’s computer rights
o applications within digital infrastructure:
▪ unauthorised access to computer materials (point 1 to 3)
▪ unauthorised access with intent to commit or facilitate commission of further offences (point 1 to 5)
▪ unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer (point 1 to 6)
Industry standards and regulatory compliance:
• ISO 27001:
o purpose – certifiable standard for information security management
o applications within digital infrastructure:
▪ UK GDPR/DPA 2018
▪ information security
▪ information management
▪ penetration testing
▪ risk assessments
• Payment Card Industry Data Security Standard (PCI DSS):
o purpose – worldwide standard for protecting business card payment data to reduce fraud
o applications within digital infrastructure:
▪ build and maintain a secure network
▪ protect cardholder data
▪ maintain a vulnerability management program
▪ implement strong access control measures
▪ regularly monitor and test networks
▪ maintain an information security policy
Industry best practice guidelines:
• National Cyber Security Centre (NCSC) ‘10 Steps to Cyber Security’:
o purpose – inform organisations about key areas of security focus
o applications within digital infrastructure:
▪ user education and awareness
▪ home and mobile working
▪ secure configuration
▪ removable media controls
▪ managing user privileges
▪ incident management
▪ monitoring
▪ malware protection
▪ network security
▪ risk management regime
• Open Web Application Security Project (OWASP):
o purpose:
▪ implement and review the use of cyber security tools and resources
▪ provide education and training for the general public and for industry experts
▪ act as a networking platform
o applications within digital infrastructure:
▪ support users with online security
▪ improve security of software solutions