Level 2
Unit No:
Guided learning hours: 48 hours


Learners will investigate the accidental and malicious security threats that exist to IT systems and data. They will learn about system vulnerabilities and the tools and techniques used to protect users from risks and potential damage, including loss of data, loss of data integrity and unauthorised access to data.

Unit Learning Outcomes


Understand security protection and risk management issues.

AC 1.1:

Internal threats to systems and data may arise from the actions of employees or by an authorised user.

Accidental threats:

  • Accidental damage to physical equipment caused by employee/user
  • Accidental loss of data/power, unintentional disclosure of data, authorised user action
  • Physical damage, destruction by fire, flood or other disaster
  • Risk of bring your own device (BYOD)
  • Unsafe practices
  • The use of external storage devices/media
  • Visiting untrusted websites
  • Downloading/uploading files to/from the internet
  • File-sharing applications.

Malicious threats:

  • Malicious damage caused by employee/unauthorised user action
  • Intentional deletion/editing of data and intentional disclosure of data
  • Dumpster diving and shoulder surfing
  • Theft of equipment or data
  • Malicious damage to equipment or data
  • Unauthorised access by employees to secure areas in a building
  • Unauthorised access to administration functions, security levels and protocols, users overriding security controls
  • Risk of BYOD.

External threats to systems and data may arise when the internet is used to access IT systems and data, or as a result of the actions of unauthorised people, malicious software, theft or physical damage.

Malicious software (malware) used to obtain secure information, including viruses, worms, Trojans, ransomware, spyware, adware, rootkits, backdoors, botnets, zero-day attacks.

Unauthorised access by individuals, commercial organisations or governments.

Social engineering used to obtain secure information by deception, to include collection of passwords, data theft, scams, phishing, pharming, dumpster diving and shoulder surfing.

Damage or destruction by fire.

Malicious damage to equipment or data.

Evolving threats:

  • New threats that are constantly being developed/existing threats that evolve over time.
  • Importance of organisations/users applying regular updates either automatically or manually.
  • Support and information are available for organisations/users on known hardware and software vulnerabilities from manufacturers’ help facilities, user forums, FAQs, online tutorials.

AC 1.2:


  • Types of system: individual devices, including PCs, laptops, mobile devices, portable storage devices, networks, including local area network (LAN), wireless local area network (WLAN), file servers, cloud computing systems, online storage, remote server, online software.
  • Connection between systems: connection to the internet, connection to internal networks.
  • Connection methods: wired/wireless (Wi-Fi, Bluetooth, cellular).
  • Interactions between devices: use of storage devices.
  • Operating systems: unsupported versions, updates not installed, mobile devices’ reliance on original equipment manufacturers (OEM) to update system software, legacy systems.
  • Software: zero-day vulnerability, downloads, untrusted sources, illegal copies.
  • Users: limitations of understanding.

Assessment Criteria

  • 1.1

    Describe the types of threat to IT systems and data.

  • 1.2

    Explain the factors that affect the vulnerability of IT systems and data.


Understand measures to protect IT systems and data from current and evolving threats.

AC 2.1:

Software and hardware based protection methods including:

  • Antivirus software and detection techniques, virus signatures, heuristic techniques, techniques for dealing with identified threats.
  • Software and hardware firewalls and the filtering techniques they use, inbound and outbound rules and network addressing.
  • User authentication methods and processes and their advantages and disadvantages: types of biometric authentication (fingerprint, retina, facial recognition), two-step/multi-factor verification (MFA), security tokens, including USB-based keys, knowledge-based authentication, including question and response pairs, certificate-based authentication, digital signature, Completely Automated Public Turing Test To Tell Computers and Humans Apart (CAPTCHA).
  • Login procedures: user name and password, rules for password security, best practice for password complexity/strength, graphical password, password history and time between password changes, account lockout and password reset procedures.
  • Access controls to restrict user access to: applications, folders/shared areas, files – files’ access rights (read only, full access (read/write/execute), read/write, no access), physical resources (access to peripheral devices).
  • Protection of data during transmission: virtual private network (VPN), encryption, digital signatures.
  • Encryption of files, folders, disks.
  • Precautions that can be taken to secure a wireless local area network (WLAN), including: wireless encryption – wired equivalent privacy (WEP), Wi-Fi protected access (WPA2) and Wi-Fi protected setup (WPS), wireless MAC address filtering and hiding the service set identifier (SSID).

AC 2.2: 

  • Comparing the types, characteristics, benefits and risks, their advantages and disadvantages, and the effectiveness of different physical security measures used to protect IT systems and data.
  • Building and IT/network room security: site security locks, card entry, passcode, biometrics – fingerprint, retina, facial recognition, closed circuit television (CCTV), security staff, alarms.
  • Data storage: data protection methods, central storage.
  • Backup procedures: selection of data, timing, frequency, media, planned, automated and manual, type (full, differential and incremental), on-site, off-site and cloud data storage.
  • User/individual actions: logging out of applications, logging off machines, screen locking, shoulder surfing prevention, shredding documents.

Assessment Criteria

  • 2.1

    Explain measures to protect IT systems and data from current and evolving threats.

  • 2.2

    Compare different physical security measures used to protect IT systems and data.


Be able to implement measures to protect IT systems and data.

AC 3.1:

  • Learners could create a user access control system on a network or operating system. For example, a cloud-based application could be used to set up shared folders, and learners could set various permissions, also showing how the way an individual shares folders may differ from the way a business shares folders. Learners could also demonstrate username and password allocation, and how administrator-level access can block users from installing unauthorised applications/software and making system changes that could compromise security.
  • Where access to hardware and technologies is limited/restricted, learners could create a solution and produce technical specifications and documentation for a user access control system to restrict unauthorised access for a given context.

AC 3.2:

  • Learners could show how the use of ethical hacking and penetration tools supports cybersecurity by performing a range of activities such as port scanning, vulnerability scanning and password cracking. 
  • Where access to hardware and technologies is limited/restricted, learners could demonstrate by explanation how different testing and monitoring measures can be used to test for vulnerabilities, leading to them showing an understanding and justification of the effectiveness of different measures for a given context.

Assessment Criteria

  • 3.1

    Create a user access control system to restrict unauthorised access.

  • 3.2

    Demonstrate how ethical hacking can be used to protect IT systems and data.


Understand current legal and ethical requirements, and IT security policies and procedures.

AC 4.1:

  • Current UK legislation that applies to different IT systems and data.
  • The principles and requirements of the data protection legislation (the Data Protection Act 2018, GDPR) and its impact on organisations, IT systems and data.
  • Computer Misuse Act 1990, its definitions of illegal practices and the impact it has on organisations, IT systems and data.
  • Other legislation could include: Official Secrets Act 1989, The Privacy and Electronic Communications Regulations 2003.
  • Learners need to be aware that IT policies will vary from organisation to organisation but will include procedures that cover the following:
  • Organisation policies (Acceptable Use Policy): internet and email use, security and password procedures (system making you change password frequently), staff responsibilities for the use of IT systems, staff IT security training.
  • Backup procedure and policies (advantages and disadvantages and purposes): frequency, media, planned, automated and manual, type (full, differential and incremental), on-site/off-site/cloud.
  • Data protection and disaster recovery policy.

AC 4.2:

  • Ethical conduct could include: adherence to organisational IT policies and procedures, maintaining confidentiality, adherence to applicable laws, promoting information security, refraining from conflicts of interest.
  • Unethical conduct could include: sabotage, disclosing or misusing confidential information, maliciously injuring the reputation or prospects of an individual or organisation.

Assessment Criteria

  • 4.1

    Summarise the legal requirements and IT security policies and procedures that exist to protect IT systems and data.

  • 4.2

    Explain ethical and unethical conduct when using IT systems.