ERD

Attributes

 Properties of entities: Attributes of an entity type "person" are e.g. name, address, age
 A "particular" entity has "values" for each of its attributes
Types of attributes
 Simple (atomic) attribute (e.g. firstname, streetname)
 Composite attribute, e.g. address (may be divided in name,street, city...)
 Single-valued attributes (e.g. age)
 Multivalued attributes (e.g. color of a car - more than one coloror college degree - no, one,
many; functions of employees in a company)
 Stored attribute (e.g. date of birth)
 Derived attribute (e.g. age, which is computed from current date and date of birth)
 NULL Value, e.g. no college degree

Key attributes

 Key attributes = attributes whose values are distinct for each

 individual entity (instance) in the entity set
 A key attribute can be used to identify each entity uniquely.
 If so, we are talking about a "primary key"

ERD parts

 (There are lots of variations of ERD notations)

 Entity types = rectangles
 Links/relationships between entity types: diamond shape
 Connections: lines
 Attributes: ovals
 Multivalued attributes: double ovals
 Key attributes: underlined

ERD connections

 Attribute attached to their entity type: straight line

 Composite attributes attached to their component attributes: straight lines

Cardinality

 specifies the maximum number of relationship instances that an entity can participate in
 Cardinality Ratios
 1:1 = one to one
 1:N = one to zero (!) or more
 M:N = zero or more to zero or more

Personal data
Privacy

 = information privacy = data privacy/protection

 Privacy is not IT security
 Protection of people, when their private data are stored

IT security

 Hardware, Software, Networks

 e.g. Using password protection
 e.g. Organizing backups
 e.g. Reliability of networks and software

Personal data - examples

 Date of Birth
 Address, telephone-no.
 Email, Internetprofile (e.g. what I,m buying)
 Bank account No, credit card no.
 Insurance No., heath data (e.g. fitness tracker data, blood
 pressure)
 Religion, political opinion, sexual orientation etc.

Relevant systems and branches, for instance...

 Personal Information Systems/Management

 Address database (customer database, CRM)
 eCommerce, Order systems (e.g. eShop)
 Data Warehouse
 Workgroup Computing
 User adaptation, e.g. eLearning (outcome of software tests...)
 Internet Provider
 Relevant activities
 Acquire data, use data
 Store / modify / transfer / block / delete data
 Make data anonymous, pseudonymization

GDPR

 Regulations!
 Not an EU-directive
 It is law since May 2018
 Wider effect
 Relevant if EU individuals are involved
 Relevant for companies who offer products and services in theEU

 Data breach
  Within 72 hours information to EU authorities and to the customers; If connected with
damage for the customer
 Privacy by design
 If a company plans to collect or process personal data it should plan the risks beforehand
 There are now high penalties

 Processing covers operations performed by manual or automated means

 Examples for operations in general e.g. Collection, Storage, Alteration or deletion,
Transmission
 Examples comprise e.g.
Databases (containing personal data)
Sending promotional emails
Shredding documents (containing personal data)
Posting a photo of a person on a website
Processing of personal data
 related to individuals in the EU
 Processing by Individual, Company, Organisation

Rules don't apply

 e.g. for Legal entities, e.g. companies, political parties, trade unions,ships
 Individuals processing data for purely personal reasons
 Individual use with no connection to professional or commercial activities
 Examples
private party: no GDPR rules, Music festival: GDPR rules

 Explicit Consent
 Breach notification
 Right to access
 Right to be forgotten
 Data portability
 Privacy by design
 Data Protection Officer
 Reference

 Personal data, which is collected or processed

 Check a) purpose and b) legal basis
 Inform everyone, whose personal data you have
 Keep the personal data for only as long as necessary
 Security, Documentation, Contracts ref. GDPR with sub-contractors
 Data Protection Officer needed?

IT- Security
Abstract goals of IT Security

Confidentiality, Correctnes, Integrity, Availability, Liability / Identity

IT Security = Protection against

Deletion (erasure), Alteration (forgery)

Unauthorized use: Blackmail ("Ransomware")

Objects to be protected:

 Software (program, data), Hardware, Networks, Data media, e.g. external harddisk, backup
tape, Infrastructure: e.g. buildings, rooms

 Natural and social disasters: Fire, water, lightning, storm, earthquake, Strike, rebellion,
revolt, Explosion, sabotage

Failures

 Technical failure (hardware): Failure or disruption of the power supply, Malfunction of

hardware, Defective air-conditioning system, Overloaded hardware, incl. wires
 Technical failure (software): Programming errors, Vulnerabilities (gaps for malware)
 Networks Failure or disruption, Overload
 Unintentional activities: Operating error, No reasonable diligence, Lack of training, Ignorance
 Intentional activities: Sabotage, Espionage, Misuse (e.g. using customer data for not allowed
purposes), Terrorism, Theft
 Network-based risks (Malware etc.)

Espionage

 Password Guessing
 Brute-Force-Attacks
 Try (with computer/software) systematically possible combinations
 (of passwords)
 Dictionary Attacks
 Try (with computer/software) systematically possible combinations
 (of passwords), which are in dictionaries/lists
 Social Engineering
 Trying to know peoples birthday, name of spouse, children etc.
 e.g. Asking by telephone employees to give their password,
 pretending to be an IT official
 Sniffing
 Logging (capturing) the data transfer in (internal/wireless) networks
 Monitoring
 e.g. Key logger
 Phishing / X-Spoofing
 Pretending to be another identity, e.g. your bank
 Phishing = username, password fishing

Loss or manipulation:
  Hardware, software, data: Unauthorized use Use of hardware, software, Username,
passwords, company secrets, personal data

Loss of hours of work

restore of data
Claims of third parties
Image loss
Loss of orders
Lack of IT-Security – costs

Safety precautions

 Constructional precautions e.g.

 Location of the building (e.g. computing centre)
 Fire resistent walls, rooms without windows etc.
 Security doors

 Technical precautions e.g.

 Uninterruptable power supply (UPS)
 Alarm systems
 Backup computing centre
 Access control
 Control of ID-Card
 Keyboard lock, e.g. with access card
 Biometrical control: e.g. fingerprint, retina
 Check identity and access rights of users

 Further safety precautions

 Encryption of data, (e.g. via PGP)
 Backup of data
 Electronic signature

 Organisational precautions e.g.

 Backup Measurements against manipulation of hardware, software and networks
 Security handbook
 Backup Computing Center
 Hardware, software, data insurance

 Staff oriented precautions e.g.

 Signing of safety rules
 Training of the staff!

1. Determining threats
2. Estimate (costs of) damage

3. Determine risks (likelihood x consequence)

4. Determine IT-safety measurements (procedures and rules)

5. Calculate costs of the measurements

6. Execution of the procedures

7. Control compliance

8. ("Fire drill" / Jk.)