Legal Regulations in Information Security Management


Introduction

Managing the security of data is becoming increasingly important in the modern digital society. According to Chander, Jain, and Shankar (2013), the traditional approach to keeping data was to store files in cabinets within the premises of an organization, accessible only to authorized individuals at specific times. However, that is no longer the case as data management moves from brick-and-mortar premises to digital platforms. Shen (2014) explains that digital management of information has simplified the processing, storing, and retrieving of data within an organizational context. However, the new approach has brought with it a new challenge that firms have to handle to protect crucial information. Cyber theft is becoming a major concern as criminals use their cyber skills to breach information from various organizations. Information theft and manipulation is a problem that affects both private and governmental organizations. Take the case of WikiLeaks, which released highly confidential data of various governments, especially that of the United States government and of several European nations. Facebook, one of the top social networking sites in modern society, is another example of an organization that has had its data breached. Yahoo, Google, and Ashley Madison are other major companies which have suffered similar attacks (Cavusoglu et al. 2015). Commercial banks in the United States, Europe, and all over the world are losing millions of dollars every financial year because of the inability to secure digital information. Every time the data of a given entity is breached, important information is made accessible to unauthorized persons and sometimes subjected to manipulation. Many experts have looked at how the problem can be solved by improving the technology. However, legal regulations can also play critical roles in addressing the problem, as will be demonstrated in this essay.
Having proper international, national, and organizational laws and policies can assist data security managers by limiting cases of data breach in both public and private entities. The paper will support this claim by reviewing research on data security management. The primary goal of this essay is to determine the extent to which regulations and standards surrounding data protection can assist security managers in protecting the information assets of an organization. The following question will be answered in this paper:

To what extent can regulation and standards surrounding data protection assist the security manager in protecting the information assets of an organization?

Discussion

The introduction clearly outlines the focus of this paper. In the current competitive business environment, data security is one of the most important factors that define the ability of an organization to achieve the desired success. It takes a lot of time and resources to collect and process critical data, and it is crucial to ensure that it is protected from criminals or individuals who may use it at the expense of the organization. According to Chander, Jain, and Shankar (2013), it is crucial to start by defining what threatens data protection and security. Numerous factors may affect data protection and security. However, this essay will be limited to factors related to laws and regulations, as explained in the introduction. Shen (2014) explains that at the national and international levels, there should be laws and international conventions that define how data should be mined and shared. Lack of such regulations may threaten data security. In the United States, laws exist that define how third parties can access data from a specific organization. The existence of regulations means that anyone who shares data in a way that goes against the written laws and policies may face prosecution. The policies act as a deterrent to data theft or illegal sharing of information. Laws set by a country are considered external factors: an individual organization may not have any significant influence on such laws, and they are meant to protect all organizations.

Individual organizations are also expected to have internal policies that define how data is managed. The policy should define who has the right to access specific data and at what time. There should be clearly defined punitive measures against anyone who accesses or shares such data contrary to the laid-down organizational policies. Lack of such internal policies may be a threat to data security. It may lead to a situation where no one is fully responsible for data security. Hu (2016) explains that data manipulation and mishandling are highly likely in such a confused workplace environment. It is not possible to know who was responsible for a leak of data when systems and structures within an organization are weak. The existence of such internal policies tends to deter employees from sharing data with third parties against the set laws and regulations. They are reminded that they will always be held responsible for their actions, and any mistake committed when managing or accessing data is punishable. Such measures have a positive impact on the protection of information assets. Understanding these threats to data security emphasizes the need to have laws that regulate information security management.

According to Trim and Lee (2014), it is necessary to have national and international regulations and standards that guide how data should be managed and shared among different stakeholders. Tight laws and regulations are needed at the national level to deter mismanagement of data. However, in the current globalized society, it has become increasingly important to come up with international laws to address the problem of cybercrime at the international level. It is now possible for a cybercriminal in the Kremlin to breach data of Apple Inc at its headquarters in Cupertino because of the emerging technologies (Cavusoglu et al. 2015). Such a criminal may go unpunished if there are no international laws that criminalize these actions. The knowledge that data can easily be breached by individuals in other nations has forced nations to come together and enact laws that would help track and punish individuals who access data of different organizations without authority. Different laws currently exist that are meant to enhance data security at a global level.

One such unified legislation is the General Data Protection Regulation enacted in the European Union in 2016 (Sun et al. 2014). The law seeks to ensure the protection of natural persons’ rights in relation to the processing of data by data managers. It also provides a detailed list of procedures, which the latter must implement to maintain a consistent level of protection of data subjects’ freedoms and rights, and sets the criteria for demonstrating compliance with the law. Adopting internal policies in an organizational setting may help protect internal data (Hu 2016). Sun et al. (2014, p. 5) argue that the regulation emphasizes the “importance of transparency about the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.” However, the regulation provides only a generalized orientation to follow, which gives organizations a chance to choose an appropriate method of security protection based on their overall strategic goals and objectives.

Alongside the General Data Protection Regulation, ISO/IEC 27002:2013 is another critical international regulation meant to enhance data security. It explains the role of people, technology, and process in fighting data breach (Land, Ricks & Ricks 2014). The regulation outlines managerial rules reflecting such principles as system complexity, reliability, and continuity. It emphasizes the importance of considering all possible threats to various stakeholders and selecting appropriate methods and interrelated processes, both technical and non-technical, to be included in a comprehensive information protection system (Dooley & Rooney 2017). The regulation also makes it clear that a high standard of data security management should be applied equally to all areas of data protection. It emphasizes the role and responsibility of people assigned to manage data within an organizational setting. It criminalizes arbitrary sharing of data by company employees. The policy makes it possible to prosecute individuals in different countries who collude to breach the data of a given entity. It makes it possible to extradite a person from one country to another to face charges of data theft and manipulation committed in the other country (Cavusoglu et al. 2015). It is also necessary to look at the existing data management laws at the national level.

At a national level, the United States is yet to enact proper laws that can protect individual companies from a data breach. Some departments of the state have come up with strict laws and policies meant to protect their data, especially those in the security docket. The United States Department of Defense and the Department of Justice have laws specifically meant to protect information collected by security agencies (Soomro, Shah & Ahmed 2016). American soldiers and officers working in the CIA, FBI, and other security organs have a code of conduct that bars them from sharing classified data with unauthorized individuals (Dooley & Rooney 2017). Individuals who breach the code of conduct are often subjected to martial law if they are American soldiers. The regulation is also strict in cases where a civilian uses various means, such as cyber theft or collusion with employees of these security agencies, to access and share classified data. This explains why Julian Assange, the founder of WikiLeaks, has remained in self-imposed exile for fear of prosecution after sharing classified data (Cabric 2015). Officers know that they will be held individually responsible for crimes they commit. The Health Insurance Portability and Accountability Act (HIPAA) is one of the laws that seek to regulate data management in the country (Cabric 2015). The law requires hospitals, pharmacies, and employees working in the health sector to protect the information of their clients. This means that such information should not be shared with third parties. The confidentiality requirement can only be breached in cases where it is determined that withholding the information may endanger public security. In such cases, the Security Breach Notification Rule will be applied, which requires the affected individual to be notified of the breach as soon as it occurs (Cavusoglu et al. 2015). The patient should be informed about the decision to expose his or her information to third parties and its significance.
The Electronic Communications Privacy Act and the Computer Fraud and Abuse Act regulate the interception of electronic communication and tampering with the databases of a company or an individual without their express permission or a court order. These laws and regulations provide partial protection to organizations within the United States. As such, it is imperative for individual firms to come up with organizational policies to protect their data.

According to Chander, Jain, and Shankar (2013), data management at the organizational level requires assigning responsibilities to specific individuals within an organization. Every organization should have a chief information security officer (CISO) whose primary role is to protect information assets. The officer should work closely with departmental heads to determine how and when data should be retrieved from the database, and which individuals are authorized to do so. Organizational policies should define how access to critical data is permitted and the procedure that must be followed when doing so (Dooley & Rooney 2017). With the help of tools such as Hootsuite Syndicator Pro, Synthesio, and Digimind, the officer should be mandated to monitor the activities of company employees when they access critical data. These tools have been tested and determined to be effective in monitoring online activities. The goal is to ensure that any suspicious activity can be detected as early as possible and the necessary measures taken to deal with security threats. However, the security manager should be reminded that the use of the tools at his or her disposal should be strictly limited to the defined responsibilities. This means that they cannot use these tools to monitor the private lives of employees. The limitation ought to be defined in the company policies to discourage such practices (Dooley & Rooney 2017). Employees should be reminded that their actions, whenever they access the company’s database, are closely monitored to ensure that they do not misuse critical information. Companies that still use paper files are advised to have physical measures meant to protect data (Cabric 2015). As with digital data, access to physical records should be limited specifically to authorized individuals. The primary aim of the policies is to enhance data protection within a given organization (Cabric 2015). They make the work of the data security manager easier.
It is essential to look at case studies that demonstrate the dangers and consequences of data breach at both the state and the organizational level.

The first case focuses on WikiLeaks to demonstrate the threat posed by illegal access to data (Dooley & Rooney 2017). On July 12, 2007, this website released a classified video showing how two Reuters reporters were gunned down by United States officers (Sun et al. 2014). The airstrike occurred because of mistaken identity. The two reporters had cameras, which the officers mistook for a gun. In the report, it was stated that the site where the strike took place had been frequented by militants who used surface-to-air missiles against American military jets. It was easy for the journalists, who had their cameras mounted on their shoulders, to be mistaken for rebels holding rocket launchers. The officers acted to protect their own lives and American property (Cavusoglu et al. 2015). It was unfortunate that the two were mistaken for criminals. The report also indicated that there had been a breach of an agreement between the reporters and the American forces. The journalists had been warned against visiting the volatile region without informing the American forces. The mistake was committed, and a classified report was made about it. WikiLeaks managed to access the video and went ahead to share it. The officers’ action can also be justified on ethical grounds. The officers made a mistake when they opened fire on the journalists. While acknowledging that a mistake was made, it is equally important to understand the circumstances under which the mistake was committed. The release of that report had a devastating impact on the ‘War on Terror’ in Iraq. The release of the video vilified American soldiers and their actions in Iraq. It stimulated hatred and convinced many Iraqis to join the rebels in the fight against foreign powers in the country. Many American soldiers paid the ultimate price when attacks against them increased (Dooley & Rooney 2017).
The irresponsible sharing of classified data made it more difficult and more expensive for the American forces to win the war. The case demonstrates the dangers of a data breach at a national level.

Next is the case of Yahoo, which was also affected by a data breach that threatened its operations. Yahoo was once the dominant search engine company globally. However, the emergence of Google and other search engines has affected the competitiveness of this company. Hu (2016) explains that the company has been eclipsed by Google in the global market. Some of its clients have also complained about its speed. However, the biggest threat that this company has faced in recent times was the data breach in September 2016 (Dooley & Rooney 2017). It is reported that the attack compromised the names, telephone numbers, e-mail addresses, and other critical information of over 500 million users, including passwords and dates of birth (Cabric 2015). Such pieces of information are critical because they can be used by criminals to access the bank accounts of those customers or other critical databases. The breach came at a time when the company was trying to win the confidence of its customers by revolutionizing its products. It was an indication that the company was unable to guarantee data security to its customers. Shen (2014) observes that the incident happened at a time when the company was about to be sold to Verizon. The incident led to a massive drop in the valuation of the company. It also benefited most of its rival companies that had better systems and structures meant to protect clients’ data. As Trim and Lee (2014) observe, it takes time to win back the trust of customers. This means that it will take time for customers to trust the ability of this company to protect their personal information. Most customers are moving their valuable data away from their Yahoo accounts because they no longer feel safe using accounts which were compromised (Sun et al. 2014). The case shows the implications of a data breach at an organizational level.

Conclusion

In concluding the paper, it is important to appreciate the significance of legal regulations in enhancing the security of information assets. Laws and standards surrounding data protection assist the security manager in protecting the information assets of an organization. As shown in this essay, having proper data protection tools is critical in fighting data breach. However, the existence of policies also helps to protect information assets. Laws enacted by the federal or state government deter criminals from making unauthorized access to the databases of various companies. They are a reminder that such actions can have legal consequences. At an organizational level, the existence of data management policies and regulations enhances the work of security managers. First, it makes every member of the organization understand that they are responsible for protecting the data of the firm. Secondly, it defines the role that every stakeholder, from the top managers to junior employees, should play in protecting organizational data. The existence of such policies also helps in defining the actions that should be taken to address a data breach within a firm.

Reference List

Cabric, M 2015, Corporate security management: challenges, risks, and strategies, Elsevier, New York, NY.

Cavusoglu, H, Cavusoglu, H, Son, J & Benbasat, I 2015, ‘Institutional pressures in security management: direct and indirect influences on organizational investment in information security control resources’, Information & Management, vol. 52, no. 4, pp. 385-400.

Chander, M, Jain, SK & Shankar, R 2013, ‘Modeling of information security management parameters in Indian organizations using ISM and MICMAC approach’, Journal of Modeling in Management, vol. 8, no. 2, pp. 171-189.

Dooley, M & Rooney, T 2017, DNS security management, Wiley Piscataway, Hoboken, NJ.

Hu, F 2016, Big data: storage, sharing, and security, CRC Press, Boca Raton, FL.

Land, M, Ricks, T & Ricks, B 2014, Security management: a critical thinking approach, CRC Press, Boca Raton, FL.

Shen, Y 2014, Enabling the new era of cloud computing: data security, transfer, and management, IGI Global, Derry Township, PA.

Soomro, ZA, Shah, M & Ahmed, J 2016, ‘Information security management needs more holistic approach: a literature review’, International Journal of Information Management, vol. 36, no. 2, pp. 215-225.

Sun, Y, Zhang, J, Xiong, Y & Zhu, G 2014, ‘Review article: data security and privacy in cloud computing’, International Journal of Distributed Sensor Networks, vol. 1, no. 44, pp. 1-9.

Trim, P & Lee, Y 2014, Cyber security management: a governance, risk and compliance framework, Gower Publishing, New York, NY.