6.4 - Protection Measures
2016 - Unit 2
Staff are the people in an organisation who spend the most time handling and amending data, so the company must have sufficient and effective protection measures in place so that staff are confident in their role and know their information security responsibilities. Certain staff members may be responsible for particular types of data within an organisation, such as personal and confidential data. Clearly assigning specific people to roles ensures that they know what their job is and that they are responsible if data is lost.
Organisations also need to carefully consider which members of staff have access rights to certain information. If data is sensitive or confidential then the more people that have access to that data, the higher the risk of it being lost or tampered with (accidentally or on purpose). Sensitive data should only be handled and accessed by those who need to use it as part of their job role to limit the chance of data loss.
Staff should be trained so that they know how to handle information adequately, including basic data security techniques and how to protect data from unauthorised access and loss.
Disaster & Recovery Planning
With important data often stored on a computer network, it is absolutely vital that a detailed and effective disaster recovery policy is in place in the event of data being lost due to an unexpected disaster.
Disasters include natural disasters (e.g. fire, flood, lightning), hardware failure (e.g. power supply unit failing), software failure (e.g. virus damage) and malicious damage (e.g. hacking).
There are three clear parts to a disaster recovery policy:
Before the disaster:
All of the possible risks should be analysed to spot if there are any weaknesses in preparation.
Preventative measures should be taken after the analysis, such as making rooms flood-proof or storing important data at a different location.
Staff training should take place to inform employees what should happen in the event of a disaster.
During the disaster:
The staff response is very important – employees should follow their training and ensure that data is protected and appropriate measures are put in place.
Contingency plans should be implemented while the disaster is taking place, such as uploading recent data to cloud storage or securing backups in a safe room and using alternative equipment until the disaster is over.
After the disaster:
Recovery measures should be followed, such as using backups to repopulate computer systems.
Replacement hardware needs to be purchased for equipment that is corrupted or destroyed.
Software needs to be reinstalled on the new hardware.
Disaster recovery policies should also be updated and improved.
Assessment and Effectiveness
Organisations should conduct information security risk assessments periodically to ensure that their physical and logical measures are up to date and that they provide the most effective methods of protection. There may be training drills that rehearse what should happen if a disaster or substantial data loss occurs so that the company is prepared. By testing the security measures in place, organisations can identify any weak points and fix those highlighted vulnerabilities to minimise the possibility of external and internal data intrusion.
6.4 - Protection Measures:
1. Describe why staff are so important when it comes to data protection.
2. Explain the steps an organisation should take as part of a disaster recovery plan. Split your answer into before, during and after the disaster.
3. Why is it important to conduct information security risk assessments?