CHALLENGES IN IMPLEMENTING EFFECTIVE DATA SECURITY PRACTICES: AN ORGANIZATION’S PERSPECTIVE

MICHELLE M. CARANGUIAN

ABSTRACT

Through the selection and application of appropriate safeguards, data security helps the organization’s mission by protecting its physical resources, reputation, employees, and other assets. Unfortunately, this security is sometimes viewed as thwarting the mission of the organization by imposing poorly selected, bothersome security practices on users, managers, and systems. On the contrary, effective security practices do not exist for their own sake – they are put in place to protect important assets and support the overall organizational mission. Security, therefore, is a challenge the organization has to meet together with its workforce, planning and reviewing the policies and procedures that protect its data.

The purpose of this study is to consider some of the most challenging aspects of data security practices from an organizational perspective, where protecting business assets is critical. The importance of these practices needs to be clearly highlighted so that adequate measures are implemented, not only enhancing the organization’s daily business procedures and transactions but also ensuring that the much-needed security measures are implemented with an effective level of security competency. These are classified as the data security analysis aspect (e.g. assessment of the computer system and personnel), the data security policy aspect (e.g. policy violation, revision and implementation), the data security management aspect (e.g. physical/desktop security) and the data security evaluation aspect (e.g. reassessment of management and evaluation).

INTRODUCTION

The volume of personal and often sensitive data being collected and shared by organizations today is growing exponentially because of technology advances, lower data storage costs and the rise of the Internet.
However, as the amount of data an organization generates and collects has increased, so has the risk the organization faces of losing data and experiencing security breaches. Indeed, many organizations have had their data compromised and have paid steep prices to repair the damage: fines, share-price declines and overall erosion of customer trust. There is no doubt that organizations today are generating more data than ever. In fact, according to ASR (2010), despite the current economic downturn, the volume of digital data generated in 2008 increased 3 percent more than forecast and is expected to double every 18 months.

Along with this increase in the volume of data has come a substantial rise in the potential for organizations to experience incidents in which their data is compromised in some way. Data privacy and protection shortcomings can do irreparable harm to companies’ balance sheets, not to mention their brands, credibility and customer trust and relationships (Danchev 2003).
The purpose of this research is to highlight the current state of data privacy and protection and to understand how the data privacy perceptions and practices of the organization influence its data protection practices.

CONCEPTUAL FRAMEWORK

Previous studies have used data security practices or information security to support the premise that it is a necessity in any computing environment (e.g., Brock 1998; Davis and Payne 2004; Danchev 2003), and results further show that data security practices are significantly and positively correlated with data security policies and implementation. Garrette (2004) and Puhakainen (2006) imply that effective information security and privacy policies actually enable successful business operation, and yet organizations have typically focused on technical and procedural security measures when implementing their information security solutions. Organizational data privacy has been used by researchers (Garbars 2002; Kadel 2004; Danchev 2003) to investigate the role of staff members involved in the implementation of data security practices. They stressed that within organizations, these people are the employees who use the technology to get their jobs done, serve the needs of customers, and keep the organization running; thus staff should also be considered as one factor in achieving successful information security.

According to Kadel (2004), problems arise when organizations encounter difficulties in implementing these practices. Because of limitations, it is important that organizations identify and employ methods that efficiently achieve the benefits of risk assessment while avoiding costly attempts to develop seemingly precise results that are of questionable reliability. According to Brock (1998) and Davis and Payne (2004), data security practices guide organizations on the types of controls, objectives and procedures that comprise an effective security program.
The practices show what should be done to enhance or measure an existing data security program or to aid in the development of a new program. The practices provide a common ground for determining the security of an organization and build confidence when conducting multi-organizational business.

REVIEW OF RELATED LITERATURE

This research considers various aspects, possibly not all, of data management that seem to be important for running an organization. It presents the considered aspects and challenges classified as Data Security Analysis and Assessment (What are we trying to protect, and how are we going to protect it?), Data Security Management (What are these threats and who is involved in them?), Data Security Policy (What acts are allowable and what is not?) and Data Security Monitoring and Maintenance (How do we know if the policies and practices are properly implemented and were effective enough?).

DATA SECURITY ANALYSIS AND ASSESSMENT

CHALLENGE: What are we trying to protect, and how are we going to protect it?

Before drafting the data security policy, a thorough analysis should be conducted to identify security requirements (HKSAR 2005). The assets to be protected must be identified: everything that is essential for organizational operation or related to data privacy must be protected. As the importance of different assets may vary in different organizations, asset identification is specific to each organization.
According to Danchev (2003), in order to be able to conduct a successful analysis, you need to get well acquainted with the way a company operates. The basic approaches are: identify what you’re trying to protect, look at whom you’re trying to protect it from, define what the potential risks are to any of your information assets and, lastly, consider monitoring the process continually in order to be up to date with the latest security weaknesses. He further suggests a list of categories to look at. First, Processes, where policies, procedures and guidelines are part of the organizational operation. Second, Technology, where the risks of a potential security problem due to outdated software, infrequent patches and updates to new versions, etc. are identified; also take into account the potential issues with staff installing various file sharing apps, IM (chat) software, and entertainment or freeware software coming from unknown and untrustworthy sources. Lastly, Personnel: those who have access to confidential information and sensitive data, and those who "own", administer or in any way modify existing databases.

DATA SECURITY MANAGEMENT

CHALLENGE: What are these threats and who is involved in them?

In data security management, it is very important to recognize its basic, most fundamental assumption: data cannot ever be fully secured. There is always risk, whether it is from a trusted employee who defrauds the system or a fire that destroys critical resources. This is a task not only for a specific employee but for the whole team.
It requires the involvement of the entire organization, from senior leaders/executives providing the strategic vision and top-level goals and objectives for the organization, to mid-level leaders planning, executing, and managing projects, to individuals on the front lines operating the information systems supporting the organization’s missions/business functions (NIST 1995).

OLA (1992) stressed that when evaluating options for managing computer data, organizations should determine whether the options they are considering follow the best practices of conducting policies, adopting computer policies, and communicating policies to staff who use the computers. Organizations should also consider whether the management options have sufficient technical expertise and provide training and support for users. Finally, they need to assess whether the options provide adequate computer security. However, Danchev (2003) stressed that after identifying the company’s information assets, the organization should be able to properly manage all the threats posed to each of its resources through the following areas:

System Access: best practices for password creation, password aging, minimum password length, characters to be included when choosing passwords, password maintenance, and tips for safeguarding (any) accounting data; the dangers in each of these issues must be explained in the security awareness program.

Virus Protection: best practices for malicious code protection, how often the system should be scanned, how often (if not automatically) the Live Update of the software database should be done, and tips for protection against (any) malicious code (viruses/trojans/worms).

Software Installation: whether freeware software is forbidden and, if allowed, under what conditions; how software piracy is tolerated; whether entertainment/games are allowed or completely prohibited, as well as the installation of any other program coming from unknown and untrustworthy sources.

Removable Media (CDs, floppies): "Acceptable Use" measures (perhaps by way of an AUP – Acceptable Use Policy) need to be established, and the dangers of potential malicious code entering the company network or any other critical system need to be explained as well.

System Backups: the advantage of having backups needs to be explained, along with who is responsible and how often the data should be backed up.

Maintenance: the risks of a potential physical security breach need to be briefly explained.

Incident Handling: define what a suspicious event is, to whom it needs to be reported, and what further steps need to be taken.

Staff need to understand why some activities are prohibited, what impact certain dangers can have on the company, and the actions they must follow if and when a potential security problem has been suspected or discovered. By involving staff in a Security Awareness Program, staff will not just broaden their knowledge of the information security field, but also learn how to act in a secure manner while using any of the company’s information assets. The Security Awareness Program is often divided into two parts, one being the awareness section, the other the training. The purpose of awareness is to provide staff with a better understanding of security risks and the importance of security to the daily business procedures of the company. The training part is aimed at covering many potential security problems in detail, as well as introducing a set of easy to understand (and follow) rules to reduce the risk of possible problems.

Thomas (2008) points out that while security program awareness is beneficial in involving the staff, it also has a drawback.
For training and awareness, an example of good practice is to have innovative training and awareness campaigns that focus on the financial crime risks arising from poor data security, as well as the legal and regulatory requirements to protect customer data. Another good practice is to have a clear understanding among staff about why data security is relevant to their work and what they must do to comply with relevant policies and procedures. Simple, memorable and easily digestible guidance for staff on good data security practice, and testing of staff understanding of data security policies on induction and annually thereafter, are also acceptable and properly guided practices; and lastly, competitions, posters, screensavers and group discussion raise interest in the subject. On the other hand, poor practices for training and awareness are: no training to communicate policies and procedures; managers assuming that employees understand data security risk without any training; data security policies which are very lengthy, complicated and difficult to read; relying on staff signing an annual declaration saying they have read policy documents without any further testing; and staff being given no incentive to learn about data security.

DATA SECURITY POLICY

CHALLENGE: What acts are allowable and what is not?

Danchev (2003) identified various beliefs about the Security Policy as a good foundation for the successful implementation of security related projects in the future; this is without a doubt the first measure that must be taken to reduce the risk of unacceptable use of any of the company’s information resources. He also stated that the development and proper implementation of a security policy is highly beneficial, as it will not only turn all of your staff into participants in the company’s effort to secure its communications but also help reduce the risk of a potential security breach through "human-factor" mistakes.
This statement is contradicted by HKSAR (2005), wherein before drafting the data security policy, a thorough risk analysis should be conducted to identify security requirements. First, identify the assets to be protected. The assets could be data or systems, but the importance of different assets may vary in different organizations. Second, identify the threats and vulnerabilities, followed by an assessment of risks. Thomas (2008) suggested that if a firm’s management is committed to ensuring data security, it is likely to have specific written policies and procedures covering the subject. He stated that he is not convinced by firms that claimed to have detailed data security rules but were unable to produce written policies and procedures. He insists that small firms, with their more manageable risks, did not always have formal policy documents and used simple guides of ‘Do’s and Don’ts’ as an effective way of setting out expectations and communicating them. However, in a worrying number of cases, firms failed to record policies and procedures at all. In these firms, senior management were effectively relying on the judgment of individual staff – often with little or no understanding of the risks – as their only data security control. This approach was typical of some small firms whose managers appeared to treat data security more as a matter of office administration than as a potentially significant risk that could affect their business, reputation and customers. Based on the findings, effective policies are supplemented: because policy may be written at a broad level, organizations also develop standards, guidelines, and procedures that offer users, managers, and others a clearer approach to implementing policy and meeting organizational goals. Standards, guidelines, and procedures may be disseminated throughout an organization via handbooks, regulations, or manuals.
Visibility also aids implementation of policy by helping to ensure policy is fully communicated throughout the organization. Without management support, the policy will become an empty token of management’s "commitment" to security. To make the policy consistent, other directives, laws, organizational culture, guidelines, procedures, and the organizational mission should be considered.

DATA SECURITY MONITORING AND MAINTENANCE

CHALLENGE: How do we know if the policies and practices are properly implemented and were effective enough?

Monitoring the effectiveness of the security program can be one of the most challenging aspects of running a security program, but also one of the most important. The organization has assessed the overall risk and created a program plan and security policies. It has given out guidance and trained individuals in implementing the policy. Now it is time to see if these steps have actually increased the security posture of the organization. Large organizations, and organizations with limited centralized data security staff, will have to rely on a combination of self-reporting and hands-on reviews. It is important that ongoing monitoring is carried out regularly so that existing procedures can be updated and refined for changes in working conditions and new technologies. However, according to HKSAR (2005), not all data may be of the same level of importance or sensitivity. For instance, information such as promotional leaflets does not need the same level of protection as, say, payroll data. To maximize resources, organizational data should be prioritized according to its security level, with security effort focused first on the most important data. It is also vital to assess the locations of all permanent and temporary places for storing company data, and classify their strengths in terms of data protection accordingly.

PARADIGM OF THE STUDY
[Figure: Paradigm of the Study. Data Security Practices linked by hypotheses H1 to H5 to Data Security Policy, Data Security Monitoring and Data Security Management.]

CONCLUSION

This research has been created mainly with the idea of answering the most common questions a manager could ask as far as Data Security is concerned. Its purpose is to explain in a brief, yet effective way why, from an organization’s point of view, one would want to invest in securing the core information assets of the company, and the potential risks attached to cutting the information security budget. A lot of businesses still tend to ask why they should invest in information security, as sensitive data is backed up every day and, in the event of an intrusion, virus outbreak or data corruption, data and business processes can be restored and brought back up in a matter of minutes. Whereas theoretically there is nothing wrong with this mode of thinking, and the procedures that are in place do provide a certain degree of security, practice has shown time and time again that the "classic" security methods such as virus scanner/backup/restore may not be enough to hold the fort. Security is a never ending process that requires constant monitoring, updates, investment, research and implementation of new technologies, not forgetting the most important point: education of staff. Because no matter the amount of money an organization is prepared to spend, and no matter the technologies involved, the secret lies within the individual who configures the security systems.

REFERENCES

Advisen Special Report. 2010. Data Security Issues Escalate as Risk Management Evolves. Swett and Crawford.
Ajibuwa, Festus O. 2002. Data and Information Security in Modern Day Businesses. Atlantic International University.
Blakely, Bob; McDermott, Ellen; Geer, Dan. 2001. Information Security is Information Risk Management. ACM Press.
Brock, Jack L. 1998. Data Security Risk Assessment of Leading Organizations. United States General Accounting Office.
Cresson, Charles. 2008. The Importance of Defining and Documenting Information Security Roles and Responsibilities. Information Shield Publications.
Danchev, Dancho. 2003. Building and Implementing a Successful Information Security Policy. Windows Security.
Davis, Brian; Payne, Shirley. 2004. Information Technology Risk Management Program. University of Virginia.
Garbars, Kurt. 2002. Implementing an Effective IT Security Program. SANS Institute InfoSec Reading Room.
Garrette, Chris. 2004. Developing a Security-Awareness Culture - Improving Security Decision Making. SANS Institute InfoSec Reading Room.
Gerschefske, Mark. 2002. IT Security Risk Management. Verizon Business.
Goh, Rita. 2003. Information Security: The Importance of the Human Element. Preston University.
Hunter, Bradley R. 2007. Data Loss Prevention Best Practices: Managing Data in the Enterprise. IronPort Systems.
Kadel, Lee A. 2004. Designing and Implementing an Effective Information Security Program: Protecting the Data Assets of Individuals, Small and Large Businesses. SANS Institute InfoSec Reading Room.
Kent, Karen; Souppaya, Murugiah. 2006. Guide to Computer Security Log Management. National Institute of Standards and Technology.
Lineman, David J. 2008. Enabling Business with Information Security and Privacy Policies. Information Shield Publications.
Martens, Benedikt; Teuteberg, Frank. 2009. Why Risk Management Matters in IT Outsourcing: A Systematic Literature Review and Elements of a Research Agenda. European Conference on Information Systems.
Moteff, John. 2004. Computer Security: A Summary of Selected Federal Laws, Executive Orders and Presidential Directives. Congressional Research Service.
National Institute of Standards and Technology. 1995. An Introduction to Computer Security: The NIST Handbook. Special Publication 800-12.
Puhakainen, Petri. 2006. A Design Theory for Information Security Awareness. Oulu University Press.
Soohoo, Kevin J. 2000. How Much is Enough? A Risk Management Approach to Computer Security. Consortium for Research on Information Security and Policy.
Stoneburner, G.; Goguen, A.; Feringa, A. 2002. Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology.
Thomas, Richard. 2008. Data Security in Financial Services: Firms’ Controls to Prevent Data Loss by Their Employees and Third Party Suppliers. Financial Crime and Intelligence Research Division.