CHALLENGES IN IMPLEMENTING EFFECTIVE DATA SECURITY PRACTICES: AN ORGANIZATION'S PERSPECTIVE
MICHELLE M. CARANGUIAN



ABSTRACT
Through the selection and application of appropriate safeguards, data security supports the
organization's mission by protecting its physical resources, reputation, employees, and other assets.
Unfortunately, this security is sometimes viewed as thwarting the mission of the organization by
imposing poorly selected, bothersome security practices on users, managers, and systems. On the
contrary, effective security practices do not exist for their own sake: they are put in place to protect
important assets and support the overall organizational mission. Security, therefore, is a challenge
the organization has to take on together with its workforce, planning and reviewing the policies and
procedures that protect its data.

The purpose of this study is to consider some of the most challenging aspects of data security
practices from an organizational perspective, where protecting business assets is critical. The
importance of these practices needs to be clearly highlighted so that adequate measures are
implemented, not only to enhance the organization's daily business procedures and transactions but
also to ensure that the much-needed security measures are implemented with an effective level of
security competency. The challenges are classified into a data security analysis aspect (e.g. assessment
of the computer system and personnel), a data security policy aspect (e.g. policy violation, revision and
implementation), a data security management aspect (e.g. physical/desktop security) and a data security
evaluation aspect (e.g. reassessment of management and evaluation).


INTRODUCTION


The volume of personal and often sensitive data being collected and shared by organizations today is
growing exponentially because of technology advances, lower data storage costs and the rise of the
Internet. However, as the amount of data an organization generates and collects has increased, so
has the risk the organization faces of losing data and experiencing security breaches. Indeed, many
organizations have had their data compromised and have paid steep prices: the cost of repairing the
damage, fines, share-price declines and an overall erosion of customer trust. There is no doubt that
organizations today are generating more data than ever. In fact, according to ASR (2010), despite the
current economic downturn, the volume of digital data generated in 2008 increased 3 percent more
than forecast and is expected to double every 18 months.

Along with this increase in the volume of data has come a substantial rise in the potential for
organizations to experience incidents in which their data is compromised in some way. Data privacy
and protection shortcomings can do irreparable harm to companies' balance sheets, not to mention
their brands, credibility, and customer trust and relationships (Danchev 2003).

The purpose of this research is to highlight the current state of data privacy and protection and
to understand how the organization's data privacy perceptions and practices influence its data
protection practices.
CONCEPTUAL FRAMEWORK
Previous studies have used data security practices or information security to support the premise
that it is a necessity in any computing environment (e.g. Brock 1998; Davis and Payne 2004;
Danchev 2003), and their results further show that data security practices are significantly and
positively correlated with data security policies and implementation. Garrett (2004) and Puhakainen
(2006) imply that effective information security and privacy policies actually enable successful
business operation, and yet organizations have typically focused on technical and procedural security
measures when implementing their information security solutions. Research on organizational data
privacy (Garbars 2002; Kadel 2004; Danchev 2003) has investigated the role of the staff members
involved in implementing data security practices. These authors stress that within organizations,
these are the employees who use the technology to get their jobs done, serve the needs of customers
and keep the organization running; staff should therefore also be considered one factor in achieving
successful information security.

According to Kadel (2004), problems arise when organizations encounter difficulties in
implementing these practices. Because of such limitations, it is important that organizations identify
and employ methods that efficiently achieve the benefits of risk assessment while avoiding costly
attempts to develop seemingly precise results that are of questionable reliability. According to Brock
(1998) and Davis and Payne (2004), data security practices guide organizations on the types of
controls, objectives and procedures that comprise an effective security program. The practices show
what should be done to enhance or measure an existing data security program or to aid in the
development of a new program. They provide a common ground for determining the security of an
organization and build confidence when conducting multi-organizational business.


REVIEW OF RELATED LITERATURE

This research considers various aspects, though possibly not all, of data management that seem to be
important for running an organization. The aspects and challenges considered are classified as follows:
Data Security Analysis and Assessment (What are we trying to protect, and how are we going to
protect it?); Data Security Management (What are these threats, and who is involved?); Data
Security Policy (What acts are allowable, and what are not?); and Data Security Monitoring and
Maintenance (How do we know whether the policies and practices are properly implemented and
effective enough?).

DATA SECURITY ANALYSIS AND ASSESSMENT

CHALLENGE: What are we trying to protect, and how are we going to protect it?

Before drafting the data security policy, a thorough analysis should be conducted to identify
security requirements (HKSAR 2005). This begins with identifying the assets to be protected:
everything that is essential to organizational operation or related to data privacy. Because the
importance of different assets varies between organizations, asset identification is organization-specific.
According to Danchev (2003), a successful analysis requires becoming well acquainted with the way
the company operates. The basic approaches are: identify what you are trying to protect; look at
whom you are trying to protect it from; define the potential risks to any of your information assets;
and, lastly, monitor the process continually so as to stay up to date with the latest security
weaknesses. He further suggests categories to examine. First, processes: the policies, procedures and
guidelines that are part of organizational operation. Second, technology: identifying the risk of a
potential security problem due to outdated software, infrequent patches and updates to new versions,
and so on, while also taking into account the potential issues with staff installing file-sharing
applications, IM (chat) software, and entertainment or freeware software from unknown and
untrustworthy sources. Lastly, personnel: those who have access to confidential information and
sensitive data, and those who "own", administer or in any way modify existing databases.

DATA SECURITY MANAGEMENT

CHALLENGE: What are these threats, and who is involved?

In data security management, it is very important to recognize its basic, most fundamental
assumption: data cannot ever be fully secured. There is always risk, whether from a trusted
employee who defrauds the system or from a fire that destroys critical resources. Security is a task
not for one specific employee only but for the whole team. According to NIST (1995), it requires the
involvement of the entire organization: from senior leaders and executives providing the strategic
vision and top-level goals and objectives for the organization, to mid-level leaders planning,
executing and managing projects, to the individuals on the front lines operating the information
systems that support the organization's missions and business functions.

OLA (1992) stressed that when evaluating options for managing computer data, organizations
should determine whether the options they are considering follow best practices for drafting
policies, adopting computer policies and communicating policies to the staff who use the computers.
Organizations should also consider whether the management options have sufficient technical
expertise and provide training and support for users. Finally, they need to assess whether the options
provide adequate computer security. Danchev (2003) further stressed that, having identified the
company's information assets, the organization should now be able to properly manage the threats
posed to each of its resources through the following areas. System Access: best practices for password
creation, password aging, minimum password length, the characters to include when choosing
passwords, password maintenance and tips for safeguarding (any) accounting data; the dangers
behind each of these issues must be explained in the security awareness program. Virus Protection:
best practices for malicious code protection, how often the system should be scanned, how often (if
not automatically) the software's signature database should be updated via Live Update, and tips for
protection against any malicious code (viruses, trojans, worms). Software Installation: whether
freeware software is forbidden and, if allowed, under what conditions; whether software piracy is
tolerated; and whether entertainment software and games are allowed or completely prohibited, as
well as the installation of any other program from unknown and untrustworthy sources. Removable
Media (CDs, floppies): "acceptable use" measures (perhaps by way of an Acceptable Use Policy,
AUP) need to be established, and the dangers of potential malicious code entering the company
network or any other critical system need to be explained as well. System Backups: the advantage of
having backups needs to be explained, along with who is responsible and how often the data should
be backed up. Maintenance: the risks of a potential physical security breach need to be briefly
explained. Incident Handling: defines what a suspicious event is, to whom it needs to be reported
and what further steps need to be taken.

Staff need to understand why some activities are prohibited, what impact certain dangers can have
on the company, and what actions they must follow if and when a potential security problem is
suspected or discovered. By being involved in a Security Awareness Program, staff will not only
broaden their knowledge of the information security field but also learn how to act in a secure
manner while using any of the company's information assets. The Security Awareness Program is
often divided into two parts: the 'awareness' section and the 'training' section. The purpose of
awareness is to give staff a better understanding of security risks and of the importance of security
to the daily business procedures of the company. The training part aims to cover many potential
security problems in detail, as well as introducing a set of easy-to-understand (and easy-to-follow)
rules to reduce the risk of possible problems.

Thomas (2008) points out that while security program awareness is beneficial in involving the staff,
it also has drawbacks, and contrasts good and poor practice. Examples of good practice in training
and awareness are: innovative training and awareness campaigns that focus on the financial crime
risks arising from poor data security, as well as the legal and regulatory requirements to protect
customer data; a clear understanding among staff of why data security is relevant to their work and
what they must do to comply with relevant policies and procedures; simple, memorable and easily
digestible guidance for staff on good data security practice; testing of staff understanding of data
security policies on induction and annually thereafter; and competitions, posters, screensavers and
group discussions to raise interest in the subject. Poor practice in training and awareness, on the
other hand, includes: no training to communicate policies and procedures; managers assuming that
employees understand data security risk without any training; data security policies that are very
lengthy, complicated and difficult to read; relying on staff signing an annual declaration that they
have read the policy documents without any further testing; and staff being given no incentive to
learn about data security.

DATA SECURITY POLICY

CHALLENGE: What acts are allowable, and what are not?

Danchev (2003) identifies the security policy as a good foundation for the successful
implementation of security-related projects in the future; it is without doubt the first measure that
must be taken to reduce the risk of unacceptable use of any of the company's information resources.
He also states that the development and proper implementation of a security policy is highly
beneficial, as it will not only turn all of the staff into participants in the company's effort to secure
its communications but also help reduce the risk of a potential security breach through
"human-factor" mistakes.

This statement is contradicted by HKSAR (2005), which holds that before drafting the data security
policy, a thorough risk analysis should be conducted to identify security requirements. First, identify
the assets to be protected; the assets could be data or systems, but the importance of different assets
may vary between organizations. Second, identify the threats and vulnerabilities, followed by an
assessment of the risks. Thomas (2008) suggested that if a firm's management is committed to
ensuring data security, the firm is likely to have specific written policies and procedures covering the
subject. He stated that he was not convinced by firms that claimed to have detailed data security rules
but were unable to produce written policies and procedures. He noted that small firms, with their
more manageable risks, did not always have formal policy documents and instead used simple guides
of 'Do's and Don'ts' as an effective way of setting out expectations and communicating them.
However, in a worrying number of cases, firms failed to record policies and procedures at all. In
these firms, senior management was effectively relying on the judgment of individual staff, often with
little or no understanding of the risks, as its only data security control. This approach was typical of
some small firms whose managers appeared to treat data security more as a matter of office
administration than as a potentially significant risk that could affect their business, reputation and
customers. Based on these findings, effective policies are supplemented: because policy may be
written at a broad level, organizations also develop standards, guidelines and procedures that offer
users, managers and others a clearer approach to implementing policy and meeting organizational
goals. Standards, guidelines and procedures may be disseminated throughout an organization via
handbooks, regulations or manuals. Visibility also aids implementation of policy by helping to
ensure that the policy is fully communicated throughout the organization. Without management
support, the policy will become an empty token of management's "commitment" to security. To make
the policy consistent, other directives, laws, organizational culture, guidelines, procedures and the
organizational mission should be considered.

DATA SECURITY MONITORING AND MAINTENANCE

CHALLENGE: How do we know whether the policies and practices are properly implemented and
effective enough?

Monitoring the effectiveness of the security program can be one of the most challenging aspects of
running a security program, but also one of the most important. The organization has assessed the
overall risk and created a program plan and security policies. It has issued guidance and trained the
individuals who implement the policy. Now it is time to see whether these steps have actually
improved the security posture of the organization. Large organizations, and organizations with
limited centralized data security staff, will have to rely on a combination of self-reporting and
hands-on reviews. It is important that ongoing monitoring is carried out regularly so that existing
procedures can be updated and refined in response to changes in working conditions and new
technologies. However, as HKSAR (2005) notes, not all data is of the same level of importance or
sensitivity. For instance, information such as promotional leaflets does not need the same level of
protection as, say, payroll data. To make the most of resources, organizational data should be
prioritized according to its security level, with security effort focused on the most important data
first. It is also vital to identify all permanent and temporary locations where company data is stored
and to classify their strengths in terms of data protection accordingly.

PARADIGM OF THE STUDY

[Figure: paradigm of the study. The central construct "Data Security Practices" is linked by
hypotheses H1 to H5 to four boxes: Data Security Policy, Data Security Monitoring, Data Security
(label not recoverable) and Data Security Management.]




CONCLUSION

This research has been created mainly with the idea of answering the most common questions a
manager could ask as far as data security is concerned. Its purpose is to explain, in a brief yet
effective way, why, from an organization's point of view, one would want to invest in securing the
core information assets of the company, and the potential risks attached to cutting the information
security budget. A lot of businesses still ask why they should invest in information security, since
sensitive data is backed up every day and, in the event of an intrusion, virus outbreak or data
corruption, data and business processes can be restored and brought back up in a matter of minutes.
Whereas theoretically there is nothing wrong with this mode of thinking, and the procedures that are
in place do provide a certain degree of security, practice has shown time and time again that the
"classic" security methods such as virus scanner/backup/restore may not be enough to 'hold the
fort'. Security is a never-ending process that requires constant monitoring, updates, investment,
research and implementation of new technologies, not forgetting the most important point:
education of staff. No matter the amount of money an organization is prepared to spend, and no
matter the technologies involved, the secret lies with the individual who configures the security
systems.

REFERENCES

Advisen Special Report (ASR). 2010. Data Security Issues Escalate as Risk Management Evolves. Swett and Crawford.
Ajibuwa, Festus O. 2002. Data and Information Security in Modern Day Businesses. Atlantic International University.
Blakley, Bob; McDermott, Ellen; Geer, Dan. 2001. Information Security is Information Risk Management. ACM Press.
Brock, Jack L. 1998. Data Security Risk Assessment of Leading Organizations. United States General Accounting Office.
Cresson, Charles. 2008. The Importance of Defining and Documenting Information Security Roles and Responsibilities. Information Shield Publications.
Danchev, Dancho. 2003. Building and Implementing a Successful Information Security Policy. Windows Security.
Davis, Brian; Payne, Shirley. 2004. Information Technology Risk Management Program. University of Virginia.
Garbars, Kurt. 2002. Implementing an Effective IT Security Program. SANS Institute InfoSec Reading Room.
Garrett, Chris. 2004. Developing a Security-Awareness Culture: Improving Security Decision Making. SANS Institute InfoSec Reading Room.
Gerschefske, Mark. 2002. IT Security Risk Management. Verizon Business.
Goh, Rita. 2003. Information Security: The Importance of the Human Element. Preston University.
Hunter, Bradley R. 2007. Data Loss Prevention Best Practices: Managing Data in the Enterprise. IronPort Systems.
Kadel, Lee A. 2004. Designing and Implementing an Effective Information Security Program: Protecting the Data Assets of Individuals, Small and Large Businesses. SANS Institute InfoSec Reading Room.
Kent, Karen; Souppaya, Murugiah. 2006. Guide to Computer Security Log Management. National Institute of Standards and Technology.
Lineman, David J. 2008. Enabling Business with Information Security and Privacy Policies. Information Shield Publications.
Martens, Benedikt; Teuteberg, Frank. 2009. Why Risk Management Matters in IT Outsourcing: A Systematic Literature Review and Elements of a Research Agenda. European Conference on Information Systems.
Moteff, John. 2004. Computer Security: A Summary of Selected Federal Laws, Executive Orders and Presidential Directives. Congressional Research Service.
National Institute of Standards and Technology. 1995. An Introduction to Computer Security: The NIST Handbook. Special Publication 800-12.
Puhakainen, Petri. 2006. A Design Theory for Information Security Awareness. Oulu University Press.
Soo Hoo, Kevin J. 2000. How Much is Enough? A Risk-Management Approach to Computer Security. Consortium for Research on Information Security and Policy.
Stoneburner, G.; Goguen, A.; Feringa, A. 2002. Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology.
Thomas, Richard. 2008. Data Security in Financial Services: Firms' Controls to Prevent Data Loss by Their Employees and Third Party Suppliers. Financial Crime and Intelligence Research Division.

 
Proactive information security michael
Proactive information security michael Proactive information security michael
Proactive information security michael Priyanka Aash
 
Posting 1 Reply required for belowBusiness costs or risks of p.docx
Posting 1  Reply required for belowBusiness costs or risks of p.docxPosting 1  Reply required for belowBusiness costs or risks of p.docx
Posting 1 Reply required for belowBusiness costs or risks of p.docxharrisonhoward80223
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security madunix
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docxdurantheseldine
 

Similar a Challenges in implementing effective data security practices (20)

MITS Advanced Research TechniquesResearch ProposalStudent’s Na
MITS Advanced Research TechniquesResearch ProposalStudent’s NaMITS Advanced Research TechniquesResearch ProposalStudent’s Na
MITS Advanced Research TechniquesResearch ProposalStudent’s Na
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
Running Head SECURITY AWARENESSSecurity Awareness              .docxRunning Head SECURITY AWARENESSSecurity Awareness              .docx
Running Head SECURITY AWARENESSSecurity Awareness .docx
 
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms  An Empirical Study O...Assimilation Of Security-Related Policies In U.S. Firms  An Empirical Study O...
Assimilation Of Security-Related Policies In U.S. Firms An Empirical Study O...
 
DIRECTIONSRate each statement by how well the behavior describe.docx
DIRECTIONSRate each statement by how well the behavior describe.docxDIRECTIONSRate each statement by how well the behavior describe.docx
DIRECTIONSRate each statement by how well the behavior describe.docx
 
Implementing IT Security Controls
Implementing IT Security ControlsImplementing IT Security Controls
Implementing IT Security Controls
 
A Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System RiskA Practical Approach to Managing Information System Risk
A Practical Approach to Managing Information System Risk
 
IMT500 Foundations Of Information Management.docx
IMT500 Foundations Of Information Management.docxIMT500 Foundations Of Information Management.docx
IMT500 Foundations Of Information Management.docx
 
ISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_IntindoloISSC481_Term_Paper_John_Intindolo
ISSC481_Term_Paper_John_Intindolo
 
Building and implementing a successful information security policy
Building and implementing a successful information security policyBuilding and implementing a successful information security policy
Building and implementing a successful information security policy
 
LD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docxLD7009 Information Assurance And Risk Management.docx
LD7009 Information Assurance And Risk Management.docx
 
For our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdfFor our discussion question, we focus on recent trends in security t.pdf
For our discussion question, we focus on recent trends in security t.pdf
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docxRunning Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
Running Head CYBERSECURITY FRAMEWORK1CYBERSECURITY FRAMEWORK.docx
 
The Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk AssessmentThe Significance of IT Security Management & Risk Assessment
The Significance of IT Security Management & Risk Assessment
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
Risk assessment is the process which - identify hazards, analyzes an.pdf
Risk assessment is the process which - identify hazards, analyzes an.pdfRisk assessment is the process which - identify hazards, analyzes an.pdf
Risk assessment is the process which - identify hazards, analyzes an.pdf
 
Proactive information security michael
Proactive information security michael Proactive information security michael
Proactive information security michael
 
Posting 1 Reply required for belowBusiness costs or risks of p.docx
Posting 1  Reply required for belowBusiness costs or risks of p.docxPosting 1  Reply required for belowBusiness costs or risks of p.docx
Posting 1 Reply required for belowBusiness costs or risks of p.docx
 
Fundamentals of-information-security
Fundamentals of-information-security Fundamentals of-information-security
Fundamentals of-information-security
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
 

Último

A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docxPoojaSen20
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 

Último (20)

A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions  for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions  for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
mini mental status format.docx
mini    mental       status     format.docxmini    mental       status     format.docx
mini mental status format.docx
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 

Internet.
However, as the amount of data an organization generates and collects has increased, so has the risk the organization faces of losing data and experiencing security breaches. Indeed, many organizations have had their data compromised and have paid steep prices to repair the damage: fines, share-price declines and an overall erosion of customer trust. There is no doubt that organizations today are generating more data than ever. In fact, according to ASR (2010), despite the current economic downturn, the volume of digital data generated in 2008 increased 3 percent more than forecast and is expected to double every 18 months. Along with this increase in the volume of data has come a substantial rise in the potential for organizations to experience incidents in which their data is compromised in some way. Data privacy and protection shortcomings can do irreparable harm to companies’ balance sheets, not to mention their brands, credibility, customer trust and relationships (Danchev 2003).
The purpose of this research is to highlight the current state of data privacy and protection and to understand how the data privacy perceptions and practices of the organization influence its data protection practices.

CONCEPTUAL FRAMEWORK

Previous studies have used data security practices or information security to support the premise that it is a necessity in any computing environment (e.g., Brock 1998; Davis and Payne 2004; Danchev 2003), and their results further show that data security practices are significantly and positively correlated with data security policies and implementation. Garette (2004) and Puhakainen (2006) imply that effective information security and privacy policies actually enable successful business operation, and yet organizations have typically focused on technical and procedural security measures when implementing their information security solutions.

Researchers (Garbars 2002; Kadel 2004; Danchev 2003) have used organizational data privacy to investigate the role of staff members involved in the implementation of data security practices. They stressed that within organizations these people are the employees who use the technology to get their jobs done, serve the needs of customers, and keep the organization running; thus staff should also be considered as one factor in achieving successful information security. According to Kadel (2004), problems arise when organizations encounter difficulties in implementing these practices. Because of limitations, it is important that organizations identify and employ methods that efficiently achieve the benefits of risk assessment while avoiding costly attempts to develop seemingly precise results that are of questionable reliability. According to Brock (1998) and Davis and Payne (2004), data security practices guide organizations on the types of controls, objectives and procedures that comprise an effective security program. The practices show what should be done to enhance or measure an existing data security program or to aid in the development of a new program. They provide a common ground for determining the security of an organization and build confidence when conducting multi-organizational business.

REVIEW OF RELATED LITERATURE

This research considers various aspects, possibly not all, of data management that seem to be important for running an organization. The aspects and challenges considered are classified as follows:

Data Security Analysis and Assessment – What are we trying to protect, and how are we going to protect it?
Data Security Management – What are these threats and who is involved in them?
Data Security Policy – What acts are allowable and what are not?
Data Security Monitoring and Maintenance – How do we know whether the policies and practices are properly implemented and were effective enough?

DATA SECURITY ANALYSIS AND ASSESSMENT

CHALLENGE: What are we trying to protect, and how are we going to protect it?

Before drafting the data security policy, a thorough analysis should be conducted to identify security requirements (HKSAR 2005). This means identifying the assets to be protected: everything that is essential for organizational operation or related to data privacy must be protected. As the importance of different assets may vary between organizations, asset identification is specific to each organization.
According to Danchev (2003), in order to be able to conduct a successful analysis, one needs to become well acquainted with the ways a company operates. The basic approaches are: identify what you are trying to protect, look at whom you are trying to protect it from, define what the potential risks are to any of your information assets, and lastly consider monitoring the process continually in order to stay up to date with the latest security weaknesses. He further suggests a list of categories to look at. First, processes, where policies, procedures and guidelines are part of the organizational operation. Second, technology, where the risks of a potential security problem due to outdated software, infrequent patches and updates to new versions, etc., are identified; this also takes into account the potential issues with staff installing various file sharing applications, IM (chat) software, and entertainment or freeware software coming from unknown and untrustworthy sources. Lastly, personnel: those who have access to confidential information or sensitive data, and those who "own", administer or in any way modify existing databases.

DATA SECURITY MANAGEMENT

CHALLENGE: What are these threats and who is involved in them?

In data security management, it is very important to recognize its basic, most fundamental assumption: that data cannot ever be fully secured. There is always risk, whether it is from a trusted employee who defrauds the system or a fire that destroys critical resources. Managing it is a task not for one specific employee only but for the whole team.
It requires the involvement of the entire organization: from senior leaders and executives providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning, executing, and managing projects, to individuals on the front lines operating the information systems supporting the organization’s missions and business functions (NIST 1995). OLA (1992) stressed that when evaluating options for managing computer data, organizations should determine whether the options they are considering follow the best practices of conducting policies, adopting computer policies, and communicating policies to the staff who use the computers. Organizations should also consider whether the management options have sufficient technical expertise and provide training and support for users. Finally, they need to assess whether the options provide adequate computer security.

Danchev (2003), however, stressed that after identifying the company's information assets, the organization should be able to properly manage the threats posed to each of its resources through the following areas:

System Access: best practices for password creation, password aging, minimum password length, characters to be included when choosing passwords, password maintenance, and tips for safeguarding (any) accounting data; the dangers in each of these issues must be explained in the security awareness program.
Virus Protection: best practices for malicious code protection, how often the system should be scanned, how often (if not automatically) a Live Update of the software's database should be done, and tips for protection against (any) malicious code (viruses, trojans, worms).
Software Installation: whether freeware software is forbidden and, if allowed, under what conditions; how software piracy is tolerated; whether entertainment software and games are allowed or completely prohibited, as well as the installation of any other program coming from unknown and untrustworthy sources.
Removable Media (CDs, floppies): "Acceptable Use" measures (perhaps by way of an AUP – Acceptable Use Policy) need to be established, and the dangers of potential malicious code entering the company network or any other critical system need to be explained as well.
System Backups: the advantage of having backups needs to be explained, along with who is responsible and how often the data should be backed up.
Maintenance: the risks of a potential physical security breach need to be briefly explained.
Incident Handling: define what a suspicious event is, to whom it needs to be reported, and what further steps need to be taken.

Staff need to understand why some activities are prohibited, what impact certain dangers can have on the company, and the actions they must follow if and when a potential security problem has been suspected or discovered. By involving staff in a Security Awareness Program, staff will not just broaden their knowledge of the information security field but also learn how to act in a secure manner while using any of the company's information assets. The Security Awareness Program is often divided into two parts, one being the 'awareness' section, the other the 'training'. The purpose of awareness is to provide staff with a better understanding of security risks and the importance of security to the daily business procedures of the company. The training part is aimed at covering many potential security problems in detail, as well as introducing a set of easy to understand (and follow) rules to reduce the risk of possible problems.

Thomas (2008) points out that while security program awareness is beneficial in involving the staff, it also has a drawback. For training and awareness, an example of good practice is to have innovative training and awareness campaigns that focus on the financial crime risks arising from poor data security, as well as the legal and regulatory requirements to protect customer data. Another good practice is to have a clear understanding among staff about why data security is relevant to their work and what they must do to comply with relevant policies and procedures. Simple, memorable and easily digestible guidance for staff on good data security practice, and testing of staff understanding of data security policies on induction and annually thereafter, are also acceptable and properly guided practices; lastly, competitions, posters, screensavers and group discussion can raise interest in the subject. On the other hand, poor practices for training and awareness are: no training to communicate policies and procedures; managers assuming that employees understand data security risk without any training; data security policies which are very lengthy, complicated and difficult to read; relying on staff signing an annual declaration saying they have read policy documents without any further testing; and staff being given no incentive to learn about data security.

DATA SECURITY POLICY

CHALLENGE: What acts are allowable and what are not?

Danchev (2003) identified various beliefs about the Security Policy as a good foundation for the successful implementation of security related projects in the future; this is without a doubt the first measure that must be taken to reduce the risk of unacceptable use of any of the company's information resources. He also stated that the development and proper implementation of a security policy is highly beneficial, as it will not only turn all of the staff into participants in the company's effort to secure its communications but also help reduce the risk of a potential security breach through "human-factor" mistakes.
  • 5. This statement was contradict to HKSAR(2005) wherein before drafting the data security policy, a thorough risk analysis should be conducted for identifying security requirements. First, identify assets to be protected. The assets could be data or systems but the importance of different assets may vary in different organizations. Second, Identify the threats and vulnerabilities followed by assessment of risks. Thomas (2008) suggested that if a firm’s management is committed to ensuring data security, it is likely to have specific written policies and procedures covering the subject. He stated that he’s not convinced by firms that claimed to have detailed data security rules but were unable to produce written policies and procedures. He insists that small firms, with their more- manageable risks, did not always have formal policy documents and used simple guides of ‘Do’s and Don’ts’ as an effective way of setting out expectations and communicating them. However, in a worrying number of cases, firms failed to record policies and procedures at all. In these firms, senior management were effectively relying on the judgment of individual staff – often with little or no understanding of the risks – as their only data security control. This approach was typical of some small firms whose managers appeared to treat data security more as a matter of office administration than as a potentially significant risk that could affect their business, reputation and customers. Based on the findings, the types of effective policies are supplemented, because policy may be written at a broad level, organizations also develop standards, guidelines, and procedures that offer users, managers, and others a clearer approach to implementing policy and meeting organizational goals. Standards, guidelines, and procedures may be disseminated throughout an organization via handbooks, regulations, or manuals. 
Visibility also aids implementation of policy by helping to ensure that the policy is communicated throughout the organization. Without management support, the policy becomes an empty token of management's "commitment" to security. To keep the policy consistent, other directives, laws, organizational culture, guidelines, procedures and the organizational mission should be considered.

DATA SECURITY MONITORING AND MAINTENANCE CHALLENGE: How do we know whether the policies and practices have been properly implemented, and whether they are effective enough?

Monitoring the effectiveness of the security program can be one of the most challenging aspects of running a security program, but also one of the most important. The organization has assessed the overall risk, created a program plan and security policies, issued guidance and trained individuals in implementing the policy. Now it is time to see whether these steps have actually improved the security posture of the organization. Large organizations, and organizations with a small centralized data security staff, will have to rely on a combination of self-reporting and hands-on reviews. It is important that ongoing monitoring is carried out regularly so that existing procedures can be updated and refined in response to changes in working conditions and new technologies. According to HKSAR (2005), not all data is of the same level of importance or sensitivity: information such as promotional leaflets does not need the same level of protection as, say, payroll data. To make the best use of resources, organizational data should be classified by sensitivity level, with security effort focused on the most important data first. It is also vital to identify all permanent and temporary locations where company data is stored, and to classify their strengths in terms of data protection accordingly.

PARADIGM OF THE STUDY
[Figure: Paradigm of the study. A central box, "Data Security Practices", is linked by hypotheses H1 to H5 to four boxes: Data Security Policy, Data Security Monitoring, Data Security Management, and a fourth Data Security box whose label is not recoverable from the page.]

CONCLUSION

This research was created mainly with the idea of answering the most common questions a manager could ask as far as data security is concerned. Its purpose is to explain, briefly yet effectively, why, from an organization's point of view, one would want to invest in securing the core information assets of the company, and the potential risks attached to cutting the information security budget. Many businesses still ask why they should invest in information security, since sensitive data is backed up every day and, in the event of an intrusion, virus outbreak or data corruption, data and business processes can be restored in a matter of minutes. While theoretically there is nothing wrong with this mode of thinking, and the procedures in place do provide a certain degree of security, practice has shown time and again that "classic" security methods such as virus scanning and backup/restore may not be enough to hold the fort: a restore brings the data back, but it does nothing to recover data that has already been copied or disclosed. Security is a never-ending process that requires constant monitoring, updates, investment, research and the implementation of new technologies, not forgetting the most important point: education of staff. No matter how much money an organization is prepared to spend, and no matter the technologies involved, the secret lies with the individual who configures the security systems.

REFERENCES

Advisen. 2010. Data Security Issues Escalate as Risk Management Evolves. Advisen Special Report, Swett and Crawford.
Ajibuwa, Festus O. 2002. Data and Information Security in Modern Day Businesses. Atlantic International University.
Blakely, Bob; McDermott, Ellen; Geer, Dan. 2001. Information Security is Information Risk Management. ACM Press.
Brock, Jack L. 1998. Data Security Risk Assessment of Leading Organizations. United States General Accounting Office.
Cresson, Charles. 2008. The Importance of Defining and Documenting Information Security Roles and Responsibilities. Information Shield Publications.
Danchev, Dancho. 2003. Building and Implementing a Successful Information Security Policy. Windows Security.
Davis, Brian; Payne, Shirley. 2004. Information Technology Risk Management Program. University of Virginia.
Garbars, Kurt. 2002. Implementing an Effective IT Security Program. SANS Institute InfoSec Reading Room.
Garrette, Chris. 2004. Developing a Security-Awareness Culture - Improving Security Decision Making. SANS Institute InfoSec Reading Room.
Gerschefske, Mark. 2002. IT Security Risk Management. Verizon Business.
Goh, Rita. 2003. Information Security: The Importance of the Human Element. Preston University.
Hunter, Bradley R. 2007. Data Loss Prevention Best Practices: Managing Data in the Enterprise. IronPort Systems.
Kadel, Lee A. 2004. Designing and Implementing an Effective Information Security Program: Protecting the Data Assets of Individuals, Small and Large Businesses. SANS Institute InfoSec Reading Room.
Kent, Karen; Souppaya, Murugiah. 2006. Guide to Computer Security Log Management. National Institute of Standards and Technology.
Lineman, David J. 2008. Enabling Business with Information Security and Privacy Policies. Information Shield Publications.
Martens, Benedikt; Teuteberg, Frank. 2009. Why Risk Management Matters in IT Outsourcing: A Systematic Literature Review and Elements of a Research Agenda. European Conference on Information Systems.
Moteff, John. 2004. Computer Security: A Summary of Selected Federal Laws, Executive Orders and Presidential Directives. Congressional Research Service.
National Institute of Standards and Technology. 1995. An Introduction to Computer Security: The NIST Handbook. Special Publication 800-12.
Puhakainen, Petri. 2006. A Design Theory for Information Security Awareness. Oulu University Press.
Soo Hoo, Kevin J. 2000. How Much is Enough? A Risk Management Approach to Computer Security. Consortium for Research on Information Security and Policy.
Stoneburner, G.; Goguen, A.; Feringa, A. 2002. Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology.
Thomas, Richard. 2008. Data Security in Financial Services: Firms' Controls to Prevent Data Loss by Their Employees and Third Party Suppliers. Financial Crime and Intelligence Research Division.