Thursday, March 21, 2013

DATA SECURITY


DATA SECURITY
Abstract
Data Security is the act of protecting data from being corrupted and accessed by unauthorized persons. Data security is purposed to ensure privacy while protecting personal or enterprise data. Information from several organizations is known to suffer from unauthorized entry and access to sensitive information; steps made to alleviate this problem have so far not been successful as the practice has been advancing with technology. This article focuses on the main objectives involved while protecting data and the scope of the problem in the present world. It also attempts to look at the varied methods employed to ensure that the data is secure from any external and internal intrusion. Finally, a brief look at all the aspects involved aspects of data security.










Introduction
Data security is increasingly becoming important due to the ever changing technology. Keeping private data has confidential is the main reason why various data security systems have been developed. There are various types of control systems for instance those that are meant to control the flow controls systems, access control systems, inference control and cryptography. All the above control systems have areas where they perform best and in those where they cannot work in. the increasing frequency of reports related to hitches in private data security for instance political affiliations of an individual, social security numbers, medical records and even the educational records. Data security is meant to control any cases of unauthorized access to the data about any individual (Tehan, 2008). The paper will deal with data security; its use in governance and in controlling data theft. The paper also discusses the differences and similarities between the security requirements in public and private sector organizations. The paper concludes by giving a best practice standard for data security.
Types of security controls
There are four types of data security controls. The first one is control of access to the data by inhibiting the ability of any unauthorized person from making changes, reading or even trying to discard data that may be stored on the system.  It controls changes to data that may be as a result of malice, for personal gain or other reason which may be motivating the data thief. The access control systems are important since they prevent the corruption and disclosing of information that may be classified. However, for this system to work well there will be need to satisfy some conditions. The conditions include adequate user authentication and identification systems, barrier to access by all non authorized persons through the use of encryption and finally, protection of classified information. The most common access control measure is transaction processing system (TPS) (Denning, & Denning, 1979).
The second type is flow control which restricts the sending of data and reception of data only between computers which have the same security privilege. The flow control system further specifies which channels the information will follow until it gets to its destination. This therefore means that the system can not transmit confidential information from it to another person who is not authorized to receive the information. It is very helpful for instance in the financial industry where the institution is in constant communication with customers thus will prevent the transmission of sensitive bank information to the customers. Its important to note that the flow controls can be reinforced with access controls. When the two work together, reading of data will only be possible if the segment of the system that tries to read the data is equal to or higher than the segment where it is reading from. Thus the system will not allow for the movement of data from a higher point to a lower point (Denning, D. E & Denning P. J., 1979).
Inference control is another type of data control which involves the summarizing of all the information about the data that was stored in the system. Inference method is used to make the cost of snooping for information exceptionally high for the cyber criminals since they will have to spend much of their time and energy rebuilding the information that had been summarized. However, when the data stored in the system is about one individual, the hacker can be able to infringe on the privacy of the individual if they manage to reconstruct the summaries. Also, when the cyber criminals manage to crack the values to the confidential data from the summaries by using the information that they might have gotten previously from other sources, they shall have achieved their goal of obtaining personal information about others (Denning, D. E & Denning P. J., 1979).
Finally, cryptographic controls which may be used when all the other controls above fail. Since all the above three can not be used to guard against disclosure of information accidentally or through malice. Cryptography helps even if a person has access to the passwords to all the data. Encryption is normally used to protect the data whose security cannot be guaranteed even through the use of the first three controls. The encryption uses keys which must be entered if the information is to be accessed.  The key that the encoder uses ca also be the same key that the decoder uses incase of symmetric encryption. The point to note is that keys should be changed regularly to guard against illegal access to data (Denning, D. E & Denning P. J., 1979).
Data security breaches
Many United States government agencies have reported having systems that were prone to attacks by cyber criminals due to the weak data security systems. The weaknesses were noted in the areas of access to data that are stored in the federal systems. Data security breaches have also been not only as a result of highly knowledgeable hackers and cyber criminals but also due to carelessness among the staff that are entrusted with the data. A case in point is the high rate of personal data from the US federal Bureau of Investigation (FBI), which in barely four years has lost a record number of laptop computers (160) with some bearing classified security information about thee country (Garrison & Ncube, 2011).
Due to the sensitivity of the data that the federal government keeps, it has been at the center of attacks. Also, the nature of the access to the data by the government also exposes them to risk since the workers in the government department often have access to the information even from remote locations thereby creating a higher probability of the information to be circumvented. Another area that received increased levels of attack from the cyber criminals was the institutions of higher learning. According to the Chronicle of Higher Education, the above scenario was made possible through the fact that security features such as passwords are not properly engraved into the systems. Also, the universities being the highways of information exchange have not embraced to the latter the data security measures. This has made them to be at the apex of the target of fraudsters (Shedden, cheepers, Smith & Ahmad, A. 2011).
Moreover, data security breaches have also been noted in financial institutions leading to losses either to the banks or their customers. Hackers take advantage of the lax security control measures to break into the computer systems where they hope to get sensitive information about the operation of the financial institutions, their customers and any other sensitive information that may appeal to them (Garrison & Ncube, 2011).
Data security in governance
            Due to the increased use of information management systems in the course of carrying out business by organizations, security of the data has also been gaining currency at the same pace. Many organization however can not attach value to the security situations that they face in their organization making it so hard for those in the IT department to convince managers to avail funds to implement data security measures. Data security for governance involves such issues as accountability, interests of the stakeholders, logistics, finance, fair play and ethics. Security systems are therefore necessary to protect the organization from threats and actual attacks to their information systems. Many organizations are implementing Information security management systems (ISMS) aimed at helping the organization to maintain the integrity of their data and also to avoid losses that may result from any losses of data (Gillies, 2011).
ISMS is used in business organizations to manage information security so as to reduce the potential risks that the information may e faced with while keeping in mind the goals of the business and their commitment to their customers. For the ISMS system to work without any problems, the design process must be well thought and be able to take into consideration all relevant factors. The first important issue to consider is the terminology that the system uses so that there can be no confusion during the use of the system. Also, issues of authorization and the environment which the system is going to operate in must also be taken into account. The actual building of the system starts with a risk analysis of the potential threats to the organization and how the threats can be controlled. The risk analysis will be followed by specifications of the roles that the system will play, policy framework through which it will operate, standards, procedures and guidelines. When the system is up and running, it should be monitored to guard against it being obsolete thereby creating potential security loopholes in the organization (Gillies, 2011).
The ISMS in the company should help the organization to establish business continuity, gain competitive advantage, and also act as an image polisher especially for those organizations that have had past data security lapses. Good working systems also contribute towards increased profitability in the organization and compliance with the laws that rare set (Gillies, 2011).
How to deal with data theft
Data theft involves the illegal acquisition of data from an individual or even an organization. The theft can involve classified company information, data pertaining to a person’s personal information such as credit card numbers a, driving license number and even the social security number in some instances. Some perpetrators of data theft scams engage in the practice so that they can sell the information to other companies or individuals. First, detecting thefts of information loss, mostly in internet based systems is hard but the PR department o a company must be vigilant to watch out for any adverts calling on people to purchase any data. Also, feedback mechanisms should be clear so that any cases of theft can be reported promptly (Geeta, 2011).
Data theft is very costly to the company for instance through law suits by the customers whose data has been stolen. Also, the customers’ information is very valuable to both the firm’s competitors and marketers. Lastly, the data that is lost may have a negative influence on the brand name of the company. Data theft can be controlled through the use proper security measures in the administration of the databases where the information is stored. First, the firm should have software that has the capacity to encrypt and decrypt data depending on what the authorized user wants to accomplish. Although the above activity is expensive, it is worth investing in (Hugl, 1991).
Data theft can be dealt with through the policy on data leakage prevention (DLP). The companies adopt these controls so that they can protect the private data about the individuals whom the company deals with. The policy will make the organization or any other person who is transferring the data about the nature of the data that they are transmitting. Under the policy, companies should protect the data of their clients which may be confidential or restricted to avoid instances of loss of confidential data. The company’s DLP technology is expected to scan for data about the clients for instance credit card details, email addresses, names and attach the company’s confidential string to them. DLP will then in any case of unauthorized access of the data alert the user of the system. The access to the DLP is also restricted so that the identities of the people whose data is kept in the system can be maintained (Geeta, 2011).

Data security requirements
            Recent surveys have indicated that there is a significant difference between the information security approaches employed by private organizations and those employed by the public organizations. The public organizations are getting concerned on how they can increase the security of the connections and communications between the different organizations of the government (Harnesk & Lindstrom, 2011). On the other hand, the private sector is more concerned with profit making and thus the only information security needs they attend to are those that will directly affect the profitability margin of the firm. Also, the public sector information security systems are increasingly being built to be able to circumvent any threat that may be aimed at the myriad of remote locations that the work stations of the government agencies are located while that of the private organization just involves the securing of the data that the company has.
In addition to the above, the data security of a public organization is also more complex as the people who are authorized to access the main system are many and the input comes from different sources while the private organizations data may be entered by just some few individuals. Also, the public is getting more concerned with the protection of data for instance through encryption to guard against the increasing cases of equipment such as laptops and flash disks getting lost. The private sector will also need o secure their data due to losses but the intensities are much lower. Also to be noted is the high sensitivity of most public sector data, while that of the private sector is not as sensitive, thereby calling for different levels of data protection mechanism. The public sector due to the high recognition of the risks that the loss of data poses to them, have programs that issue workers with laptop computers with secure connections, while on the other hand, the private sectors still allow employees to carry their unsecured laptops and work from them (Harnesk& Lindstrom, 2011).
However, the development and increasing level of use of such new technologies such as flash disks is a cause for the rethinking of strategies of protecting data both in the private and the public sectors. The rise in technology has put almost similar demands on both the public and private sector organizations. Both the private and public sectors also need to implement information control measures that will not hinder the productivity of the organization (Abbas, Magnusson, Yngstrom & Hemani, 2011).
Data theft example
The data leak from the Vodafone databases in April 2010 led to a massive loss of customer data. The customers lost such personal information such as names, their addresses, all their call records, credit card details of the customers and also their driver license numbers. The data that was stolen from the internal computers of the company could have been possibly used to benefit their competitors. If this was done, it would have led to serious loss of competitive advantage for the firm. Also, the firm lost a lot of reputation as the customers do not hold it in the high regard that they used to hold it in. finally, the data could also be used to commit crimes with the details of the customers. The loss of data brought to the fore the question as to whether Vodafone had the necessary systems, procedures for risk management and policies regarding the prevention of any loss of the private data of the customers. Although Vodafone insisted that they had all the systems in place and that the case was a secluded accident, this paper will go ahead to discuss the best practice standard for data security (Vodafone Data Leaks, 2011).
Best practice standard for data security
Since Vodafone were involved in the storage of data from customers cards which were used in billing the, they should have complied with PCI Data Security Standard.  The standards requires that the companies which are engaged in the storage, processing or transmission of cardholders data, should maintain a system that is so secure as to protect the information of the cardholders. Also, the companies should have a system that monitors their levels of vulnerability to any attacks so that they can boost their systems before the actual loss occurs. Thirdly, the organization should also maintain a secure system and all the payment applications should also be secured and the access to the data should be controlled by either the use of access control measures i.e. encryption or a combination of the methods discussed earlier in the paper. Moreover, the system should be reviewed regularly to ascertain whether it is working according to the specifications. Finally, the standard requires all those who are involved in handling card data to maintain a policy regarding information for instance on who can access the information, what they can do with the information (Tsohou, Kokolakis, Lambrinoudakis & Gritzalis, 2010).

Conclusion
Data security should be at the center of policy of any organization or body that is involved in the handling of any data relating to any person other than themselves. The increased data security threats coupled with the ever changing methods being used by the hackers is a constant challenge to many organizations. However, necessity is the mother of invention and thus all organizations need to establish controls that will help them to completely cut off any potential risks to their businesses. The policies that are in place should be implemented by organizations if they want to still maintain their competitive advantages especially for those who are involved in business with others, loss of customers trust and charges in the form of settlement claims whenever the privacy or data pertaining to individuals is lost (Sun, Ahluwalia & Koong, 2011).








References
Abbas, H.; Magnusson, C.; Yngstrom, L. & Hemani, A. (2011) "Addressing dynamic issues in
Information security management", Information Management & Computer Security.
19(1): 5 - 24.
Denning, D.E. & Denning, P.J. (1979). "Data Security", Computing Surveys. 11(3): 227-249.
Garrison, C. P. & Ncube, M. (2011). "A Longitudinal Analysis of Data Breaches", Information
Management & Computer Security. 19(4): 1-34.
Geeta, D. V. (2011) "Online identity theft – an Indian perspective", Journal of Financial Crime.
18(3): 235 - 246.
Gillies, A. (2011) "Improving the quality of information security management systems with
ISO27000", The TQM Journal. 23(4) 367 - 376.
Harnesk, D. & Lindström, J. (2011). "Shaping Security Behavior through Discipline and Agility:
Implications for Information Security Management", Information Management &
Computer Security. 19(4): 1-24.
Hugl, U. (1991). "Reviewing person's value of privacy of online social networking", Internet
Research. 21(4): 384 - 407.
Shedden, P.; Scheepers, R.; Smith, W. & Ahmad, A. (2011) "Incorporating a knowledge
Perspective into security risk assessments", VINE. 41(2): 152 - 166.
Sun, J.; Ahluwalia, P. & Koong, K. S. (2011) "The more secure the better? A study of
Information security readiness", Industrial Management & Data Systems. 111(4): 570 –
588.
Tehan, R. (2008). Data Security Breaches: Context and Incident Summaries. Nova Science
Publishers.
Tsohou, A.; Kokolakis, S.; Lambrinoudakis, C. & Gritzalis, S. (2010) "A security standards'
Framework to facilitate best practices' awareness and conformity", Information
Management & Computer Security. 18(5): 350 - 365.
Vodafone Data Leaks Proves Privacy Laws Are Weak (Jan 10, 2011). Retrieved on 19/09/2011
From http://www.cyber-security-tips.com/2011/01/vodafone-data-leaks-proves-privacy-
Laws-are-weak/