1. CHALLENGES IN IMPLEMENTING EFFECTIVE DATA SECURITY
PRACTICES: AN ORGANIZATION’S PERSPECTIVE
MICHELLE M. CARANGUIAN
ABSTRACT
Through the selection and application of appropriate safeguards, data security supports the organization's mission by protecting its physical resources, reputation, employees, and other assets. Unfortunately, this security is sometimes viewed as thwarting the organization's mission by imposing poorly selected, bothersome security practices on users, managers, and systems. On the contrary, effective security practices do not exist for their own sake; they are put in place to protect important assets and support the overall organizational mission. Security, therefore, is a challenge that the organization must meet together with its workforce, planning and reviewing the policies and procedures that protect its data.
The purpose of this study is to consider some of the most challenging aspects of data security practices from an organizational perspective, where protecting business assets is critical. The importance of these practices needs to be clearly highlighted so that adequate measures are implemented, not only to enhance the organization's daily business procedures and transactions, but also to ensure that the much needed security measures are implemented with an effective level of security competency. These aspects are classified as the data security analysis aspect (e.g. assessment of the computer system and personnel), the data security policy aspect (e.g. policy violation, revision and implementation), the data security management aspect (e.g. physical/desktop security) and the data security evaluation aspect (e.g. reassessment of the management and evaluation).
INTRODUCTION
The volume of personal and often sensitive data being collected and shared by organizations today is growing exponentially because of technology advances, lower data storage costs and the rise of the Internet. However, as the amount of data an organization generates and collects has increased, so has the risk the organization faces of losing data and experiencing security breaches. Indeed, many organizations have had their data compromised and have paid steep prices: the cost of repairing the damage, fines, share-price declines and an overall erosion of customer trust. There is no doubt that organizations today are generating more data than ever. In fact, according to ASR (2010), despite the current economic downturn, the volume of digital data generated in 2008 increased 3 percent more than forecast and is expected to double every 18 months.
Along with this increase in the volume of data has come a substantial rise in the potential for organizations to experience incidents in which their data is compromised in some way. Data privacy and protection shortcomings can do irreparable harm to companies' balance sheets, not to mention their brands, credibility, customer trust and relationships (Danchev 2003).
The purpose of this research is to highlight the current state of data privacy and protection and to understand how the data privacy perceptions and practices of the organization influence its data protection practices.
CONCEPTUAL FRAMEWORK
Previous studies have used data security practices, or information security more generally, to support the premise that it is a necessity in any computing environment (e.g., Brock 1998; Davis and Payne 2004; Danchev 2003), and their results further show that data security practices are significantly and positively correlated with data security policies and their implementation. Garrette (2004) and Puhakainen (2006) imply that effective information security and privacy policies actually enable successful business operation, and yet organizations have typically focused on technical and procedural security measures when implementing their information security solutions. Organizational data privacy has also been used by researchers (Garbars 2002; Kadel 2004; Danchev 2003) to investigate the role of staff members involved in the implementation of data security practices. They stressed that within organizations, these people are the employees who use the technology to get their jobs done, serve the needs of customers, and keep the organization running; staff should therefore also be considered a factor in achieving successful information security.
According to Kadel (2004), problems arise when organizations encounter difficulties in implementing these practices. Because of such limitations, it is important that organizations identify and employ methods that efficiently achieve the benefits of risk assessment while avoiding costly attempts to develop seemingly precise results that are of questionable reliability. According to Brock (1998) and Davis and Payne (2004), data security practices guide organizations on the types of controls, objectives and procedures that comprise an effective security program. The practices show what should be done to enhance or measure an existing data security program or to aid in the development of a new program. They provide a common ground for determining the security of an organization and build confidence when conducting multi-organizational business.
REVIEW OF RELATED LITERATURE
This research considers various aspects, though possibly not all, of data management that seem to be important for running an organization. The aspects and their challenges are classified as follows: Data Security Analysis and Assessment (What are we trying to protect, and how are we going to protect it?); Data Security Management (What are the threats, and who is involved in them?); Data Security Policy (What acts are allowable and what are not?); and Data Security Monitoring and Maintenance (How do we know whether the policies and practices are properly implemented and effective enough?).
DATA SECURITY ANALYSIS AND ASSESSMENT
CHALLENGE: What are we trying to protect, and how are we going to protect it?
Before drafting the data security policy, a thorough analysis should be conducted to identify security requirements (HKSAR 2005). This means identifying the assets to be protected: everything that is essential for organizational operation or related to data privacy must be protected. As the importance of different assets may vary between organizations, asset identification is specific to each organization.
According to Danchev (2003), in order to conduct a successful analysis you need to become well acquainted with the way the company operates. The basic approaches are: identify what you are trying to protect, look at whom you are trying to protect it from, define what the potential risks are to any of your information assets, and lastly consider monitoring the process continually in order to stay up to date with the latest security weaknesses. He further suggests a list of categories to look at. First, processes, where policies, procedures and guidelines are part of the organizational operation. Second, technology, where the risks of a potential security problem due to outdated software, infrequent patches and updates to new versions, and so on, are identified; the potential issues with staff installing various file sharing applications, IM (chat) software, entertainment or freeware software coming from unknown and untrustworthy sources should also be taken into account. Lastly, personnel, meaning those who have access to confidential information or sensitive data, and those who "own", administer or in any way modify existing databases.
DATA SECURITY MANAGEMENT
CHALLENGE: What are these threats and who are involved in it?
In data security management, it is very important to recognize its most basic and fundamental assumption: data can never be fully secured. There is always risk, whether it is from a trusted employee who defrauds the system or a fire that destroys critical resources. Managing it is a task not for one specific employee but for the whole team. According to NIST (1995), it requires the involvement of the entire organization: from senior leaders and executives providing the strategic vision and top-level goals and objectives for the organization; to mid-level leaders planning, executing, and managing projects; to individuals on the front lines operating the information systems that support the organization's missions and business functions.
OLA (1992) stressed that when evaluating options for managing computer data, organizations should determine whether the options they are considering follow the best practices of developing policies, adopting computer policies, and communicating policies to the staff who use the computers. Organizations should also consider whether the management options have sufficient technical expertise and provide training and support for users. Finally, they need to assess whether the options provide adequate computer security. Danchev (2003), however, stressed that after identifying the company's information assets, the organization should be able to properly manage the threats posed to each of its resources through the following areas. System access: best practices for password creation, password aging, minimum password length, the characters to be included when choosing passwords, password maintenance and tips for safeguarding any account data; the dangers attached to each of these issues must be explained in the security awareness program. Virus protection: best practices for malicious code protection, how often the system should be scanned, how often a Live Update of the software database should be done if it is not automatic, and tips for protection against any malicious code (viruses, trojans, worms). Software installation: whether freeware is forbidden and, if allowed, under what conditions; how software piracy is tolerated; whether entertainment and games are allowed or completely prohibited, as well as the installation of any other program coming from unknown and untrustworthy sources. Removable media (CDs, floppies): "acceptable use" measures (perhaps by way of an AUP, an Acceptable Use Policy) need to be established, and the dangers of potential malicious code entering the company network or any other critical system need to be explained as well. System backups: the advantage of having backups needs to be explained, along with who is responsible and how often the data should be backed up. Maintenance: the risks of a potential physical security breach need to be briefly explained. Incident handling: define what a suspicious event is, to whom it needs to be reported, and what further steps need to be taken.
Staff need to understand why some activities are prohibited, what the impact of certain dangers can
have on the company, actions they must follow if and when a potential security problem has been
suspected or discovered. By involving staff in a Security Awareness Program staff will not just
broaden their knowledge on the information security field, but also learn how to act in a secure
manner while using any of the company's information assets. The Security Awareness Program is
often divided into two parts, one being the 'awareness' section, the other, the 'training'. The purpose
of awareness is to provide staff with a better understanding of security risks and the importance of
security to the daily business procedures of the company. The training part is aimed at covering a lot
of potential security problems in detail, as well as introducing a set of easy to understand (and
follow) rules to reduce the risk of possible problems.
Thomas (2008) points out that while security program awareness is beneficial in involving the staff, it also has a drawback. For training and awareness, an example of good practice is to have innovative training and awareness campaigns that focus on the financial crime risks arising from poor data security, as well as on the legal and regulatory requirements to protect customer data. Another good practice is to have a clear understanding among staff about why data security is relevant to their work and what they must do to comply with relevant policies and procedures. Simple, memorable and easily digestible guidance for staff on good data security practice, and testing of staff understanding of data security policies on induction and annually thereafter, are also acceptable and properly guided practices; lastly, competitions, posters, screensavers and group discussion can raise interest in the subject. On the other hand, poor practices for training and awareness are: no training to communicate policies and procedures; managers assuming that employees understand data security risk without any training; data security policies which are very lengthy, complicated and difficult to read; relying on staff signing an annual declaration saying they have read policy documents without any further testing; and staff being given no incentive to learn about data security.
DATA SECURITY POLICY
CHALLENGE: What acts are allowable and what is not?
Danchev (2003) identified various reasons for regarding a security policy as a good foundation for the successful implementation of security-related projects in the future; it is without a doubt the first measure that must be taken to reduce the risk of unacceptable use of any of the company's information resources. He also stated that the development and proper implementation of a security policy is highly beneficial, as it will not only turn all of your staff into participants in the company's effort to secure its communications but also help reduce the risk of a potential security breach through "human-factor" mistakes.
This statement is contrasted by HKSAR (2005), according to which a thorough risk analysis should be conducted before drafting the data security policy in order to identify security requirements. First, identify the assets to be protected; the assets could be data or systems, but the importance of different assets may vary between organizations. Second, identify the threats and vulnerabilities, followed by an assessment of the risks. Thomas (2008) suggested that if a firm's management is committed to ensuring data security, it is likely to have specific written policies and procedures covering the subject. He stated that he is not convinced by firms that claim to have detailed data security rules but are unable to produce written policies and procedures. He notes that small firms, with their more manageable risks, did not always have formal policy documents and used simple guides of 'Do's and Don'ts' as an effective way of setting out expectations and communicating them. However, in a worrying number of cases, firms failed to record policies and procedures at all. In these firms, senior management were effectively relying on the judgment of individual staff, often with little or no understanding of the risks, as their only data security control. This approach was typical of some small firms whose managers appeared to treat data security more as a matter of office administration than as a potentially significant risk that could affect their business, reputation and customers. Based on these findings, effective policies are supplemented: because policy may be written at a broad level, organizations also develop standards, guidelines, and procedures that offer users, managers, and others a clearer approach to implementing policy and meeting organizational goals. Standards, guidelines, and procedures may be disseminated throughout an organization via handbooks, regulations, or manuals. Visibility also aids the implementation of policy by helping to ensure that policy is fully communicated throughout the organization. Without management support, the policy will become an empty token of management's "commitment" to security. To make the policy consistent, other directives, laws, organizational culture, guidelines, procedures, and the organizational mission should be considered.
DATA SECURITY MONITORING AND MAINTENANCE
CHALLENGE: How do we know whether the policies and practices are properly implemented and effective enough?
Monitoring the effectiveness of the security program can be one of the most challenging aspects of running a security program, but also one of the most important. The organization has assessed the overall risk and created a program plan and security policies. It has given out guidance and trained individuals in implementing the policy. Now it is time to see whether these steps have actually improved the security posture of the organization. In large organizations with limited centralized data security staff, the organization will have to rely on a combination of self-reporting and hands-on reviews. It is important that ongoing monitoring is carried out regularly so that existing procedures can be updated and refined in response to changes in working conditions and new technologies. However, according to HKSAR (2005), not all data is of the same level of importance or sensitivity. For instance, information such as promotional leaflets does not need the same level of protection as, say, payroll data. To make the most of limited resources, organizational data should be prioritized according to its security level, with security effort focused on the most important data first. It is also vital to assess the locations of all permanent and temporary places where company data is stored, and to classify their strengths in terms of data protection accordingly.
PARADIGM OF THE STUDY
[Figure: Paradigm of the study. Data Security Practices is placed at the centre and linked by hypotheses H1 to H5 to four boxes: Data Security Policy, Data Security Monitoring, Data Security Management, and a fourth box whose label was not recovered from the page.]
CONCLUSION
This research has been created mainly with the idea of answering the most common questions a manager could ask as far as data security is concerned. Its purpose is to explain in a brief, yet effective way why, from an organization's point of view, one would want to invest in securing the core information assets of the company, and the potential risks attached to cutting the information security budget. A lot of businesses still tend to ask why they should invest in information security, since sensitive data is backed up every day and, in the event of an intrusion, virus outbreak or data corruption, data and business processes can be restored and brought back up in a matter of minutes. Whereas theoretically there is nothing wrong with this mode of thinking, and the procedures that are in place do provide a certain degree of security, practice has shown time and time again that the "classic" security methods such as virus scanner, backup and restore may not be enough to 'hold the fort'. Security is a never ending process that requires constant monitoring, updates, investment, research and implementation of new technologies, not forgetting the most important point: education of staff. Because no matter the amount of money an organization is prepared to spend, and no matter the technologies involved, the secret lies within the individual who configures the security systems.
REFERENCES
Advisen Special Report. 2010. Data Security Issues Escalate as Risk Management Evolves. Swett and Crawford.
Ajibuwa, Festus O. 2002. Data and Information Security in Modern Day Businesses. Atlantic International University.
Blakely, Bob; McDermott, Ellen; Geer, Dan. 2001. Information Security is Information Risk Management. ACM Press.
Brock, Jack L. 1998. Data Security Risk Assessment of Leading Organizations. United States General Accounting Office.
Cresson, Charles. 2008. The Importance of Defining and Documenting Information Security Roles and Responsibilities. Information Shield Publications.
Danchev, Dancho. 2003. Building and Implementing a Successful Information Security Policy. Windows Security.
Davis, Brian; Payne, Shirley. 2004. Information Technology Risk Management Program. University of Virginia.
Garbars, Kurt. 2002. Implementing an Effective IT Security Program. SANS Institute InfoSec Reading Room.
Garrette, Chris. 2004. Developing a Security-Awareness Culture - Improving Security Decision Making. SANS Institute InfoSec Reading Room.
Gerschefske, Mark. 2002. IT Security Risk Management. Verizon Business.
Goh, Rita. 2003. Information Security: The Importance of the Human Element. Preston University.
Hunter, Bradley R. 2007. Data Loss Prevention Best Practices: Managing Data in the Enterprise. IronPort Systems.
Kadel, Lee A. 2004. Designing and Implementing an Effective Information Security Program: Protecting the Data Assets of Individuals, Small and Large Businesses. SANS Institute InfoSec Reading Room.
Kent, Karen; Souppaya, Murugiah. 2006. Guide to Computer Security Log Management. National Institute of Standards and Technology.
Lineman, David J. 2008. Enabling Business with Information Security and Privacy Policies. Information Shield Publications.
Martens, Benedikt; Teuteberg, Frank. 2009. Why Risk Management Matters in IT Outsourcing - A Systematic Literature Review and Elements of a Research Agenda. European Conference on Information Systems.
Moteff, John. 2004. Computer Security: A Summary of Selected Federal Laws, Executive Orders and Presidential Directives. Congressional Research Service.
National Institute of Standards and Technology. 1995. An Introduction to Computer Security: A NIST Handbook. Special Publication 800-12.
Puhakainen, Petri. 2006. A Design Theory for Information Security Awareness. Oulu University Press.
Soohoo, Kevin J. 2000. How Much is Enough? A Risk Management Approach to Computer Security. Consortium for Research on Information Security and Policy.
Stoneburner, G.; Goguen, A.; Feringa, A. 2002. Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology.
Thomas, Richard. 2008. Data Security in Financial Services: Firms' Controls to Prevent Data Loss by Their Employees and Third Party Suppliers. Financial Crime and Intelligence Research Division.