6.4 Protection Measures (Policies)
It is the staff of an organisation who spend the most time handling and amending data, so the company must have sufficient and effective protection measures in place so that staff are confident in their role and know their information security responsibilities. Individual staff members may be made responsible for particular types of data within an organisation, such as personal and confidential data. Assigning specific people to roles ensures that they know what their job is and that they are accountable if data is lost.
Organisations also need to carefully consider which members of staff have access rights to certain information. If data is sensitive or confidential, then the more people who have access to it, the higher the risk of it being lost or tampered with (accidentally or on purpose). Sensitive data should only be handled and accessed by those who need it as part of their job role, which limits the chance of data loss.
Staff should be trained so that they know how to adequately handle information, including basic data security techniques and how to protect data from unauthorised access and loss.
Disaster & Recovery Planning
With important data often stored on a computer network, a detailed and effective disaster recovery policy must be in place in the event of data being lost due to an unexpected disaster.
Disasters include natural disasters (e.g. fire, flood, lightning), hardware failure (e.g. power supply unit failing), software failure (e.g. virus damage) and malicious damage (e.g. hacking).
There are three clear parts to a disaster recovery policy:
Before the disaster: All of the possible risks should be analysed to identify any weaknesses in preparation. Preventative measures should be taken after the analysis, such as making rooms flood-proof or storing important data at a different location. Staff training should take place to inform employees what should happen in the event of a disaster.
During the disaster: The staff response is critical – employees should follow their training and ensure that data is protected and appropriate measures are put in place. Contingency plans should be implemented while the disaster is taking place, such as uploading recent data to cloud storage or securing backups in a safe room and using alternative equipment until the emergency is over.
After the disaster: Recovery measures should be followed, such as using backups to repopulate computer systems. Replacement hardware needs to be purchased for equipment that is damaged, corrupted or destroyed, and the software needs to be reinstalled on the new hardware. Disaster recovery policies should also be updated and improved in light of what happened.
Assessment and Effectiveness
Organisations should conduct information security risk assessments periodically to ensure that their physical and logical measures are up to date and that they provide the most effective methods of protection. There may be training drills of what should happen if a disaster or substantial data loss occurs, so that the company is prepared. By testing the security measures in place, organisations can identify any weak points and fix the highlighted vulnerabilities to minimise the possibility of external and internal data intrusion.
a) Describe why staff are so important when it comes to data protection.
b) Explain the steps an organisation should take as part of a disaster recovery plan. Split your answer into before, during and after the disaster.
c) Why is it important to conduct information security risk assessments?