
SUPPLY CHAIN INFORMATION AND DECISION SUPPORT SYSTEMS: MSCSCM626
GROUP PRESENTATION

GROUP 6 MEMBERS

KUSAKARA PEDZISAI C22150892K
MOYO PATRICIA C22151330E
SABUNGU LAZARUS T. C22151616M
MASHIRI TAWANDA C22150734X
MANGWIRO WELLINGTON C22151432Y


QUESTION 6

Sustainable data security is everyone's responsibility. Outline and justify what you consider to be necessary components of an organisation's data security policy.
Introduction

Supply chain entities have become more dependent on electronic communication and less on massive file rooms with mountains of paper. Electronic records are far easier to access than before, so the need for secure data storage is more important than ever. This has created the need for safe and reliable data preservation through data security policies. A data security policy is a set of rules and procedures that keeps an organisation's data secure (Peltier, 2016). All data users throughout an organisation must abide by this policy. A data security policy must incorporate important components with regard to access, storage and usage, and these components are the crux of this presentation.
Definition of key terms

Sustainable data security

Chanda and Kelly (2022) define sustainable data security as investing time, attention and capital in a way that mitigates risk, minimises cost and maximises effectiveness both now and in the long term. Data security is sustainable when security resources are implemented in a way that does not degrade the level of security or deplete over a period of time due to anything that affects the security of a system (Chanda, 2021). The presenters understand sustainable data security as a concept which involves protecting the integrity, confidentiality and availability of information, and strengthening it, in the present and the future.
Purpose

The first essential component of an information security policy is a defined purpose. Broadly, the purpose of an organisation's data security policy is to protect its essential digital information. An organisation needs to define its data security policy's goals in a more focused and actionable way.

The purpose of a data security policy might be any one or a combination of the following objectives:

• Clarifying an organisation's approach to information security
• Detecting data security breaches caused by misuse of data, networks, computer systems or applications, or by improper third-party use
• Preventing the compromise of the organisation's sensitive information
• Responding to information security breaches swiftly and effectively
• Upholding the organisation's brand reputation in data security
• Complying with legal, regulatory and ethical requirements
• Respecting customers' rights to the privacy of their personal data
• Bolstering the organisation's ability to respond to consumer inquiries about data protection, security requirements and the organisation's compliance in these areas
Purpose cont'd

Defining a clear purpose for a company's information security policy enables the organisation to tailor its security measures to provide enhanced data protection.

Failure to articulate a clear, concrete purpose for the information security policy runs the risk that security measures will be unfocused and ineffective.
Audience and scope

The next essential element of an information security policy is its audience and scope.

A data policy must specify which users it will apply to and which it will not apply to. For instance, a business might decide that it will not include third-party vendors in its information security policy.

The more an organisation broadens the scope of its data policy, the more its customers understand the difference between the organisation's internal employees and its third- and fourth-party vendors.

In this sense, including third- and fourth-party vendors under the broad umbrella of the company's data security policy allows an organisation to keep a tighter hold on client data and maintain customer trust.
Audience and scope cont'd

Another aspect of scope to consider is what infrastructure the policy will govern. It is important that the policy covers all facilities, programs, data, systems and other technological infrastructure within an organisation (Bishop, 2013).

To this end, this wider scope of coverage helps the policy to reduce data security risks.
Information security objectives

The data security policy needs to consider an organisation's information security objectives.

The IT industry generally recognises three main principles, which are:

• Confidentiality
• Integrity
• Availability
Information security objectives cont'd

• Confidentiality: A data security policy should keep sensitive information assets confidential, and only authorised users should have access to protected information. This can be achieved by using strong passwords.
• Integrity: A data security policy should preserve data in an accurate, complete and fully intact form, and the data should be operational within the organisation's IT infrastructure.
• Availability: The policy should also ensure that IT systems are available to authorised users when necessary. The data should be available continuously and reliably.
Authority and access control

An information security policy should indicate which members of an organisation have the authority to limit access to data.

These people should be trustworthy employees with enough data security insight to make correct decisions about what information is shareable and what is not.

The extent of permissible data sharing may not be entirely the organisation's decision to make. For instance, at Coca-Cola only three individuals have access to the formula of the company's beverages.
Authority and access control cont'd

An organisation's hierarchy plays a key role in access control. Lower-level employees mostly do not have the insight or authority to grant access to others, so they should generally avoid sharing the data they have access to.

Higher-level managers and executives, with more comprehensive insight into the company's overall function, have usually earned the right to grant access to information as they see fit.
Authority and access control cont'd

An organisation must have sufficient controls to allow authorised access and deny unauthorised access. Classic examples of such measures include:

• Personal Identification Numbers (PINs)
• Strong password requirements
• Biometric measures such as fingerprint access devices
• Frequent password updates
• ID cards
• Access tokens
• Swipe cards
Authority and access control cont'd

To this end, having authorisation and access control protects an organisation from unauthorised use of data, especially by laid-off employees.
Data classification

Classification of data is an essential element of an organisation's data security policy.

Most organisations classify data by security level. "Public", "Confidential", "Secret" and "Top Secret" are typical classes that may be assigned. Other organisations use hierarchies such as Level 1, Level 2, Level 3 and Level 4.

To this end, under these classification systems every level of non-public data would require some form of protection, with higher tiers or top secret requiring more stringent security.
Data classification cont'd

Data classification is of paramount importance since it provides the basis for laying out the measures necessary to protect the data to the required level.
Data support and operations

Data support and operations include the measures an organisation will implement for handling each level of classified data. There are three primary categories of data support operations:

• Data protection regulations
• Data backup requirements
• Movement of data
Data protection regulations

• These are standards an organisation puts in place to protect personally identifiable information and other sensitive data.
• Organisations mostly align these standards with any applicable industry compliance standards and local regulations. Most security standards and regulations require at least a firewall, data encryption and malware protection.

Data backup requirements

• An organisation will also need to generate secure data backups. The backups need to be encrypted and the backup media securely stored. In addition, there is also a need for a disaster recovery plan which spells out how the organisation protects against data losses in the event of calamities such as fires, natural disasters, etc.

Movement of data

• An organisation should ensure data security whenever it moves its data. The policy outlines the secure protocols to be followed when transferring data.
Security awareness and behaviour

The data security policy highlights the strategies the organisation will need to implement in an attempt to heighten its security awareness and prevent security breaches. It may need to encourage specific employee behaviours to bolster that awareness and thwart attacks and losses.

Some companies have their employees sign declarations requiring them not to divulge business information. Workers in some government departments make such declarations under the Official Secrets Act. This prevents leakage of information to unauthorised individuals and companies.
Responsibilities, rights and duties of personnel

The final component of an organisation's data security policy should outline the staff members' rights, responsibilities and duties regarding data protection, since it is the responsibility of all members to ensure data security.

This component allows an organisation to give employees some responsibilities by designating certain individuals to perform access reviews, educate other employees, oversee change management protocols, handle incidents, and provide general oversight and implementation support for the information security policy (Schuster et al., 2015).
Responsibilities, rights and duties of personnel cont'd

This allows a clear definition of personnel responsibilities and duties, and also clarity on employees' rights and the authorisations they have. In essence, this will help an organisation to avoid data management errors that could pose severe security risks.
REFERENCES

Bishop, J. (2013). The effect of de-individuation of the Internet troller on criminal procedure implementation: An interview with a hater. International Journal of Cyber Criminology, 7(1).

Chanda, D. (2021). Principles of Sustainable Cybersecurity. Retrieved from: https://www.bankingfosecurity.com/blogs/principles-sustainable-cybersecurity-p3127.

Chanda, D. and Kelly, D. (2022). How to put cybersecurity sustainability into practice. Retrieved from: https://www.techtarget.com/searchsecurity/tip/How-to-put-cybersecurity-sustainability-into-practice.

Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.

Schuster, F., Costa, M., Fournet, C., Gkantsidis, C., Peinado, M., Mainar-Ruiz, G. and Russinovich, M. (2015). Trustworthy data analytics in the cloud using SGX. IEEE Symposium on Security and Privacy (pp. 38-54). IEEE.
