DATA SECURITY
Abstract
Data Security is the act of protecting data from being corrupted
and accessed by unauthorized persons. Data security is purposed to ensure
privacy while protecting personal or enterprise data. Information from several
organizations is known to suffer from unauthorized entry and access to
sensitive information; steps made to alleviate this problem have so far not
been successful as the practice has been advancing with technology. This
article focuses on the main objectives involved while protecting data and the
scope of the problem in the present world. It also attempts to look at the
varied methods employed to ensure that the data is secure from any external and
internal intrusion. Finally, a brief look at all the aspects involved aspects
of data security.
Introduction
Data
security is increasingly becoming important due to the ever changing
technology. Keeping private data has confidential is the main reason why
various data security systems have been developed. There are various types of
control systems for instance those that are meant to control the flow controls
systems, access control systems, inference control and cryptography. All the
above control systems have areas where they perform best and in those where
they cannot work in. the increasing frequency of reports related to hitches in
private data security for instance political affiliations of an individual,
social security numbers, medical records and even the educational records. Data
security is meant to control any cases of unauthorized access to the data about
any individual (Tehan, 2008). The paper will deal with data security; its use
in governance and in controlling data theft. The paper also discusses the
differences and similarities between the security requirements in public and
private sector organizations. The paper concludes by giving a best practice
standard for data security.
Types of security controls
There
are four types of data security controls. The first one is control of access to
the data by inhibiting the ability of any unauthorized person from making
changes, reading or even trying to discard data that may be stored on the
system. It controls changes to data that
may be as a result of malice, for personal gain or other reason which may be
motivating the data thief. The access control systems are important since they
prevent the corruption and disclosing of information that may be classified.
However, for this system to work well there will be need to satisfy some
conditions. The conditions include adequate user authentication and
identification systems, barrier to access by all non authorized persons through
the use of encryption and finally, protection of classified information. The
most common access control measure is transaction processing system (TPS)
(Denning, & Denning, 1979).
The
second type is flow control which restricts the sending of data and reception
of data only between computers which have the same security privilege. The flow
control system further specifies which channels the information will follow
until it gets to its destination. This therefore means that the system can not
transmit confidential information from it to another person who is not authorized
to receive the information. It is very helpful for instance in the financial
industry where the institution is in constant communication with customers thus
will prevent the transmission of sensitive bank information to the customers.
Its important to note that the flow controls can be reinforced with access
controls. When the two work together, reading of data will only be possible if
the segment of the system that tries to read the data is equal to or higher
than the segment where it is reading from. Thus the system will not allow for
the movement of data from a higher point to a lower point (Denning, D. E &
Denning P. J., 1979).
Inference
control is another type of data control which involves the summarizing of all
the information about the data that was stored in the system. Inference method
is used to make the cost of snooping for information exceptionally high for the
cyber criminals since they will have to spend much of their time and energy
rebuilding the information that had been summarized. However, when the data
stored in the system is about one individual, the hacker can be able to
infringe on the privacy of the individual if they manage to reconstruct the
summaries. Also, when the cyber criminals manage to crack the values to the
confidential data from the summaries by using the information that they might
have gotten previously from other sources, they shall have achieved their goal
of obtaining personal information about others (Denning, D. E & Denning P.
J., 1979).
Finally,
cryptographic controls which may be used when all the other controls above
fail. Since all the above three can not be used to guard against disclosure of
information accidentally or through malice. Cryptography helps even if a person
has access to the passwords to all the data. Encryption is normally used to
protect the data whose security cannot be guaranteed even through the use of
the first three controls. The encryption uses keys which must be entered if the
information is to be accessed. The key
that the encoder uses ca also be the same key that the decoder uses incase of
symmetric encryption. The point to note is that keys should be changed
regularly to guard against illegal access to data (Denning, D. E & Denning
P. J., 1979).
Data security breaches
Many
United States government agencies have reported having systems that were prone
to attacks by cyber criminals due to the weak data security systems. The
weaknesses were noted in the areas of access to data that are stored in the
federal systems. Data security breaches have also been not only as a result of
highly knowledgeable hackers and cyber criminals but also due to carelessness
among the staff that are entrusted with the data. A case in point is the high
rate of personal data from the US federal Bureau of Investigation (FBI), which
in barely four years has lost a record number of laptop computers (160) with
some bearing classified security information about thee country (Garrison &
Ncube, 2011).
Due
to the sensitivity of the data that the federal government keeps, it has been
at the center of attacks. Also, the nature of the access to the data by the
government also exposes them to risk since the workers in the government
department often have access to the information even from remote locations
thereby creating a higher probability of the information to be circumvented.
Another area that received increased levels of attack from the cyber criminals
was the institutions of higher learning. According to the Chronicle of Higher Education,
the above scenario was made possible through the fact that security features
such as passwords are not properly engraved into the systems. Also, the
universities being the highways of information exchange have not embraced to
the latter the data security measures. This has made them to be at the apex of
the target of fraudsters (Shedden, cheepers, Smith & Ahmad, A. 2011).
Moreover,
data security breaches have also been noted in financial institutions leading
to losses either to the banks or their customers. Hackers take advantage of the
lax security control measures to break into the computer systems where they
hope to get sensitive information about the operation of the financial
institutions, their customers and any other sensitive information that may appeal
to them (Garrison & Ncube, 2011).
Data security in governance
Due to the increased use of
information management systems in the course of carrying out business by
organizations, security of the data has also been gaining currency at the same
pace. Many organization however can not attach value to the security situations
that they face in their organization making it so hard for those in the IT
department to convince managers to avail funds to implement data security
measures. Data security for governance involves such issues as accountability,
interests of the stakeholders, logistics, finance, fair play and ethics.
Security systems are therefore necessary to protect the organization from
threats and actual attacks to their information systems. Many organizations are
implementing Information security management systems (ISMS) aimed at helping
the organization to maintain the integrity of their data and also to avoid
losses that may result from any losses of data (Gillies, 2011).
ISMS
is used in business organizations to manage information security so as to
reduce the potential risks that the information may e faced with while keeping
in mind the goals of the business and their commitment to their customers. For
the ISMS system to work without any problems, the design process must be well
thought and be able to take into consideration all relevant factors. The first
important issue to consider is the terminology that the system uses so that
there can be no confusion during the use of the system. Also, issues of
authorization and the environment which the system is going to operate in must
also be taken into account. The actual building of the system starts with a
risk analysis of the potential threats to the organization and how the threats
can be controlled. The risk analysis will be followed by specifications of the
roles that the system will play, policy framework through which it will
operate, standards, procedures and guidelines. When the system is up and
running, it should be monitored to guard against it being obsolete thereby
creating potential security loopholes in the organization (Gillies, 2011).
The
ISMS in the company should help the organization to establish business
continuity, gain competitive advantage, and also act as an image polisher
especially for those organizations that have had past data security lapses.
Good working systems also contribute towards increased profitability in the
organization and compliance with the laws that rare set (Gillies, 2011).
How to deal with data theft
Data
theft involves the illegal acquisition of data from an individual or even an
organization. The theft can involve classified company information, data
pertaining to a person’s personal information such as credit card numbers a,
driving license number and even the social security number in some instances.
Some perpetrators of data theft scams engage in the practice so that they can
sell the information to other companies or individuals. First, detecting thefts
of information loss, mostly in internet based systems is hard but the PR
department o a company must be vigilant to watch out for any adverts calling on
people to purchase any data. Also, feedback mechanisms should be clear so that
any cases of theft can be reported promptly (Geeta, 2011).
Data
theft is very costly to the company for instance through law suits by the
customers whose data has been stolen. Also, the customers’ information is very
valuable to both the firm’s competitors and marketers. Lastly, the data that is
lost may have a negative influence on the brand name of the company. Data theft
can be controlled through the use proper security measures in the
administration of the databases where the information is stored. First, the
firm should have software that has the capacity to encrypt and decrypt data
depending on what the authorized user wants to accomplish. Although the above
activity is expensive, it is worth investing in (Hugl, 1991).
Data
theft can be dealt with through the policy on data leakage prevention (DLP).
The companies adopt these controls so that they can protect the private data
about the individuals whom the company deals with. The policy will make the organization
or any other person who is transferring the data about the nature of the data
that they are transmitting. Under the policy, companies should protect the data
of their clients which may be confidential or restricted to avoid instances of
loss of confidential data. The company’s DLP technology is expected to scan for
data about the clients for instance credit card details, email addresses, names
and attach the company’s confidential string to them. DLP will then in any case
of unauthorized access of the data alert the user of the system. The access to
the DLP is also restricted so that the identities of the people whose data is
kept in the system can be maintained (Geeta, 2011).
Data security requirements
Recent surveys have indicated that
there is a significant difference between the information security approaches
employed by private organizations and those employed by the public
organizations. The public organizations are getting concerned on how they can
increase the security of the connections and communications between the
different organizations of the government (Harnesk & Lindstrom, 2011). On
the other hand, the private sector is more concerned with profit making and
thus the only information security needs they attend to are those that will
directly affect the profitability margin of the firm. Also, the public sector
information security systems are increasingly being built to be able to
circumvent any threat that may be aimed at the myriad of remote locations that
the work stations of the government agencies are located while that of the
private organization just involves the securing of the data that the company
has.
In
addition to the above, the data security of a public organization is also more
complex as the people who are authorized to access the main system are many and
the input comes from different sources while the private organizations data may
be entered by just some few individuals. Also, the public is getting more
concerned with the protection of data for instance through encryption to guard
against the increasing cases of equipment such as laptops and flash disks
getting lost. The private sector will also need o secure their data due to
losses but the intensities are much lower. Also to be noted is the high
sensitivity of most public sector data, while that of the private sector is not
as sensitive, thereby calling for different levels of data protection
mechanism. The public sector due to the high recognition of the risks that the
loss of data poses to them, have programs that issue workers with laptop
computers with secure connections, while on the other hand, the private sectors
still allow employees to carry their unsecured laptops and work from them
(Harnesk& Lindstrom, 2011).
However,
the development and increasing level of use of such new technologies such as
flash disks is a cause for the rethinking of strategies of protecting data both
in the private and the public sectors. The rise in technology has put almost
similar demands on both the public and private sector organizations. Both the
private and public sectors also need to implement information control measures
that will not hinder the productivity of the organization (Abbas, Magnusson,
Yngstrom & Hemani, 2011).
Data theft example
The
data leak from the Vodafone databases in April 2010 led to a massive loss of
customer data. The customers lost such personal information such as names,
their addresses, all their call records, credit card details of the customers
and also their driver license numbers. The data that was stolen from the
internal computers of the company could have been possibly used to benefit
their competitors. If this was done, it would have led to serious loss of
competitive advantage for the firm. Also, the firm lost a lot of reputation as
the customers do not hold it in the high regard that they used to hold it in.
finally, the data could also be used to commit crimes with the details of the
customers. The loss of data brought to the fore the question as to whether
Vodafone had the necessary systems, procedures for risk management and policies
regarding the prevention of any loss of the private data of the customers.
Although Vodafone insisted that they had all the systems in place and that the
case was a secluded accident, this paper will go ahead to discuss the best
practice standard for data security (Vodafone Data Leaks, 2011).
Best practice standard for data
security
Since
Vodafone were involved in the storage of data from customers cards which were
used in billing the, they should have complied with PCI Data Security
Standard. The standards requires that
the companies which are engaged in the storage, processing or transmission of
cardholders data, should maintain a system that is so secure as to protect the
information of the cardholders. Also, the companies should have a system that
monitors their levels of vulnerability to any attacks so that they can boost
their systems before the actual loss occurs. Thirdly, the organization should
also maintain a secure system and all the payment applications should also be
secured and the access to the data should be controlled by either the use of
access control measures i.e. encryption or a combination of the methods discussed
earlier in the paper. Moreover, the system should be reviewed regularly to
ascertain whether it is working according to the specifications. Finally, the
standard requires all those who are involved in handling card data to maintain
a policy regarding information for instance on who can access the information,
what they can do with the information (Tsohou, Kokolakis, Lambrinoudakis &
Gritzalis, 2010).
Conclusion
Data
security should be at the center of policy of any organization or body that is
involved in the handling of any data relating to any person other than
themselves. The increased data security threats coupled with the ever changing
methods being used by the hackers is a constant challenge to many
organizations. However, necessity is the mother of invention and thus all
organizations need to establish controls that will help them to completely cut
off any potential risks to their businesses. The policies that are in place
should be implemented by organizations if they want to still maintain their
competitive advantages especially for those who are involved in business with
others, loss of customers trust and charges in the form of settlement claims
whenever the privacy or data pertaining to individuals is lost (Sun, Ahluwalia
& Koong, 2011).
References
Abbas,
H.; Magnusson, C.; Yngstrom, L. & Hemani, A. (2011) "Addressing
dynamic issues in
Information
security management", Information
Management & Computer Security.
19(1):
5 - 24.
Denning,
D.E. & Denning, P.J. (1979). "Data Security", Computing Surveys. 11(3): 227-249.
Garrison,
C. P. & Ncube, M. (2011). "A Longitudinal Analysis of Data
Breaches", Information
Management & Computer Security.
19(4): 1-34.
Geeta,
D. V. (2011) "Online identity theft – an Indian perspective", Journal of Financial Crime.
18(3):
235 - 246.
Gillies,
A. (2011) "Improving the quality of information security management
systems with
ISO27000",
The TQM Journal. 23(4) 367 - 376.
Harnesk,
D. & Lindström, J. (2011). "Shaping Security Behavior through
Discipline and Agility:
Implications
for Information Security Management", Information
Management &
Computer Security.
19(4): 1-24.
Hugl,
U. (1991). "Reviewing person's value of privacy of online social
networking", Internet
Research.
21(4): 384 - 407.
Shedden,
P.; Scheepers, R.; Smith, W. & Ahmad, A. (2011) "Incorporating a
knowledge
Perspective
into security risk assessments", VINE.
41(2): 152 - 166.
Sun,
J.; Ahluwalia, P. & Koong, K. S. (2011) "The more secure the better? A
study of
Information
security readiness", Industrial
Management & Data Systems. 111(4): 570 –
588.
Tehan,
R. (2008). Data Security Breaches:
Context and Incident Summaries. Nova Science
Publishers.
Tsohou,
A.; Kokolakis, S.; Lambrinoudakis, C. & Gritzalis, S. (2010) "A
security standards'
Framework
to facilitate best practices' awareness and conformity", Information
Management & Computer Security.
18(5): 350 - 365.
Vodafone
Data Leaks Proves Privacy Laws Are Weak (Jan 10, 2011). Retrieved on 19/09/2011
From
http://www.cyber-security-tips.com/2011/01/vodafone-data-leaks-proves-privacy-
Laws-are-weak/
No comments:
Post a Comment