Security Systems and Key Legislation for Protecting Information Assets

Learning Outcomes Assessed

1. Critically evaluate the role of a security policy for protecting information assets and be able to propose appropriate security policies to defend those assets based on an understanding of security concepts and their application to internet-based technologies.

2. Demonstrate a sound understanding of the key legislation that relates to information security and how it influences the security policy of an organisation.

The system proposed by the company is targeted at consumers who wish to-

-A phone app that can be used to scan barcodes of processed food items (snacks, etc.) to record their calorific and nutritional content to be recorded against the users’ health record. The app will also be an interface to the data.

-A kitchen scale that sends data to the phone app for accurate recording of ingredients in home-cooked food. For example, when making pasta, items can be weighed and recorded in the app without having to read the weights and then enter them on the phone

-A bathroom scale that reports user weight and uses light and sound to remind the user to take regular measurements. For example, if no weight has been recorded for the current day, the scales will sound an alert when the light increases in the room, with the assumption that increased light indicates occupancy.

-A server in the UK that stores all information and generates reports per user.

The system definition is currently broad and so your report should not assume any more than is currently stated. Many aspects of your work will be used to inform design decisions, so where there are multiple options with different legal implications, you should compare the most appropriate ones and make recommendations but ultimately the company should be informed of the options and implications rather than be given a single option. The report will be read by the executive layer of the company and so should have clear high-level outcomes reported early.

It will also be passed to the R&D department if the executives decide to pursue the project, so include links to any technological information that might be useful (on encryption schemes, protocols, frameworks, etc.) but refrain from explaining the technological detail in the report itself. The system will be for sale to UK residents only at first, but the company is interested in expanding into the US market. You should focus on law that applies to the UK, but also include a short section on aspects that might need to be reconsidered for the US market.