LD7087 Information Governance and Cyber Security Assignment Sample 2024
Part B: Group Task
Task 4: Policy
Introduction to information security policy
Introduction
An information security policy sets out the responsibilities an organisation takes on to protect its stakeholders’ data. Within such a policy, the “Data Breach Policy” and the “Data Backup Policy” are the central documents, because the overall security of an organisation’s data depends on them. Five components of data security, “confidentiality, integrity, availability, authenticity, and non-repudiation”, must be considered when an organisation develops its data security policy. This report develops an effective data governance policy for AirMSky, an organisation that operates in the UK. AirMSky currently operates in the UK only and now wants to grow its business through web-based and online booking systems. The company is therefore focused on developing effective data security management (DSM), supported by an effective data security policy (DSP) and governance.
Purpose
The main purpose of developing a data security policy is to protect the data of an organisation’s stakeholders. AirMSky is taking as a reference the 2018 cyber incident at British Airways (BA), an airline that sells tickets through online booking in the UK and globally. BA suffered a cyber attack in 2018 as a result of a poor DSP and ineffective data management. As Moody and Siponen (2018) note, a further purpose of a DSP is to avoid data breaches and to improve stakeholders’ confidence in the security of their data. The company is also improving its data storage process so that the data can be used in future business development and in strategic business development planning.
Scope
AirMSky stands to gain several benefits from effective data management, such as improved authenticity of its data. The company wants to run its business through cloud-based and online booking systems, so it is important for it to formulate an effective DSP. The company’s aim is not only to improve data protection but also to reduce the threat of data breaches. An organisation’s infrastructure depends largely on its DSM and its data security policy. A further part of AirMSky’s scope is to develop data governance that ensures data protection and prevents cyber attacks. Effective infrastructure will also help the company to gain a strong position in the global airline market, since nearly all airlines operate through internet services and data drawn from many sources.
Identification and allocation of roles and responsibilities
Figure 1: Data governance
(Source: Chen et al. 2018)
Role and responsibility for data governance
Data governance depends on the roles and responsibilities defined within an organisation, which must allocate responsibility to each of its members. Effective data governance plays a vital role in reducing the challenges of data management, such as improving data visibility and securing data that is currently unprotected because proper data security governance (DSG) is lacking. Data governance also provides better control over large volumes of data held in cloud storage. As Ormond and Warkentin (2019) argue, the following roles improve accountability and responsibility for data protection.
Chief data officer (CDO): a senior data executive responsible for overseeing the whole data governance programme. The CDO also approves the programmes that support the organisation’s data security and hires the key staff who lead data management programmes. Because these are the main roles of a CDO in any organisation, AirMSky should consider this officer’s role when developing effective data security management.
Data governance manager (DGM): the DGM is not a CDO but is nevertheless responsible for managing the data governance programme and leading the team that works to improve data protection (Yerby and Floyd, 2018). For example, if AirMSky does not want to hire a CDO to maintain its data management process, it should hire a DGM to develop better data governance for the organisation.
Data governance committee: this committee is responsible for developing policy and overseeing data process management. As Abraham and Schneider (2019) argue, the committee consists of members who maintain the data security process and lead the organisation’s data breach programme. The committee is also responsible for resolving any dispute that arises from an ineffective data policy.
Data stewards: the data protection process relies on specific software and technical assets, so it is important for data governance that the members of the data programme have specific knowledge of the assets used to maintain it. These members must know the relevant IT programs and develop effective cloud-based software to maintain data protection functions.
Accountable
Accountability is an important factor in improving the data protection operations carried out by the various members of the data protection programme. Several members are involved in data protection and data governance programmes. In any organisation that uses cloud-based services for the movement of stakeholders’ data, the “CDO, DGM and data governance committee” are accountable for the associated risks and disputes.
Ensuring legality: the members of data governance are accountable for improving the confidence of the organisation’s stakeholders, which in turn improves performance and stakeholder relations. The members of the data programme are also accountable for ensuring that the data is real and genuine. The company must comply with the UK’s Data Protection Act to improve the legality and authenticity of its data protection.
Regulatory
Regulation applies to every business process, whether the activity is financial or non-financial. AirMSky has operated in the UK for the past few years, providing domestic flights and cargo services. As Al-Ruithe and Benkhelifa (2019) note, the company wants to expand into European countries through cloud-based internet services, so it needs data protection governance to protect ticket booking and payment-related information. In this context, AirMSky must consider the UK rules and regulations that improve data protection and reduce the chance of a data breach (gov.uk, 2021). First, AirMSky needs to develop a DSP and DSM to maintain its data storage process and to implement UK regulation; the company must accept all the relevant UK terms and conditions. The UK’s “Data Protection Act 2018” was developed to protect the data held by government institutions as well as private organisations (gov.uk, 2021). Its rules and conditions include the following. Data must be used fairly and lawfully, with the permission of the person providing it. The purpose of the data use must be specific and genuine. The Act also requires the organisation to state its reason for using the data; mainly, an organisation uses data for the future growth of the company.
Contractual obligations
Contractual obligation means that AirMSky must implement these regulations in order to develop effective governance management for its business practice. In this context, the organisation’s main objective is to improve its business operations in European countries and to safeguard customer data. As Koltay (2020) notes, the company has taken note of the 2018 cyber attack on BA, in which the card details of nearly 400000 customers were compromised by attackers. The company is therefore developing a DGM to maximise data privacy and confidentiality.
Information Governance Policy Framework
AirMSky should consider the following controls when developing DSM in the organisation. These controls help an organisation to develop effective and sustainable business management and to improve its cloud-based infrastructure.
Cryptography: this control requires AirMSky to protect sensitive information within its management process (itgovernance.co.uk, 2021). It is delivered through two organisational controls: effective protection of stakeholders’ data, and the “integrity and availability” of that data.
Information security policies: this control supports the formation of the various policies that govern the organisation’s data management process and improve the safeguarding of data. As stated by Miralles-Quirós and Miralles-Quirós (2018), AirMSky is currently developing data governance to maintain its data protection processes and to check availability and integrity. It is important for AirMSky to consider its organisational security practices.
Organisation of information security: AirMSky’s security system must be run with the latest technology and the latest security software. An organisation can assure its security system by establishing an effective data protection framework, and AirMSky must ensure that this framework is adequately implemented across the organisation to maintain “information security practice” (itgovernance.co.uk, 2021). AirMSky must also ensure that its cloud-based website software can be accessed from any device, including smartphones. As Singh and Zhao (2021) note, this helps companies to improve business practices and data collection. In addition, data handling must be possible for everyone, whether from home or elsewhere.
Human resource security: any organisation employs a large number of staff and officers to carry out its business practice, so it is important that employee information is not accessed by unauthorised persons. In this context, AirMSky must ensure that information about the organisation’s hierarchy is not accessed by unauthorised persons (itgovernance.co.uk, 2021). This is achieved through several steps, such as individuals being responsible for their own personal data before employment, while the organisation’s responsibility applies only during the period of employment.
Asset management: an organisation must protect the information relating to its various assets. AirMSky holds different types of assets, and information about them is recorded on a web-based site so that members of management can access it when taking the organisation’s financial and non-financial decisions. As Oberthür (2019) states, it is then the organisation’s responsibility to put a protection process in place so that the assets and their information are not accessed by attackers.
Access control: access is an important factor affecting the performance and strategy of the whole organisation, so it is important for AirMSky to maintain a proper data protection process when granting access (itgovernance.co.uk, 2021). Data governance management ensures that employees are granted access only to information relevant to them, and that members of the data programme are approved for data access. To improve the access control system of its data governance, AirMSky must divide this control into four sections, which include access control requirements, user access management, and system and application access control for AirMSky’s management. This system of access control gives greater insight into the different users of the data and greater control over that data.
Operations security: operations security refers to the security of an organisation’s financial and non-financial operations, such as sales or projects. As Janah and Mayesti (2020) note, an organisation must secure project information and the records of project outcomes, and control access to that data. AirMSky must define the procedures and responsibilities for its various operations and ensure that each operation is performed in the right place. AirMSky must mitigate the risk of malware infection and keep good backups to prevent loss of data, and must also consider logging and monitoring for its operational software. “Technical vulnerability management” of AirMSky’s software means keeping it soundly designed so that unauthorised persons cannot access the organisation’s important data.
Communications security: this control requires AirMSky to secure the data of its various projects, which means that AirMSky’s DGM should protect the organisation’s information network (itgovernance.co.uk, 2021). Network security management ensures the “confidentiality, integrity and availability” of data on those information networks.
System acquisition, development and maintenance: AirMSky should ensure that information security remains a central pillar of the organisation’s processes across the entire business life cycle. AirMSky must also ensure that maintenance and upgrading of the data protection process are carried out by the organisation at regular intervals. In addition, the development of the security system must address the security requirements for any important information that is made accessible to the public.
Supplier relationships: every organisation has various suppliers, and it sometimes signs agreements with them for the acquisition of assets (itgovernance.co.uk, 2021). In this context, it is the responsibility of security management to ensure that the protection and value of those assets are not compromised by suppliers, and that suppliers cannot access them.
These are the significant controls of an effective “Information Governance Policy Framework” that AirMSky must consider in order to improve security and avoid cyber attacks. Applied across the whole organisation, these controls will help AirMSky to improve stakeholder confidence and to grow its business in European countries through a web-based internet system.
Implementation plan and monitoring mechanisms
AirMSky wants to develop a web-based DGM to support its ticket booking system and to collect payments online. It is therefore important for AirMSky to develop an effective implementation plan for monitoring and avoiding the risks and challenges that exist in the data monitoring process.
Implementation plan
AirMSky should develop a digital infrastructure to implement the organisation’s data protection process and should allocate roles and responsibilities to the various members of the DGM. AirMSky should also develop a strategy and policy for maintaining data protection practice and access control systems. The policy and the DGM must take account of UK data regulation when data is used for business purposes. The company must also develop software and use the latest technology for recording the organisation’s data and important information. AirMSky must then consider the accuracy and performance of the assets used to maintain the data protection process. AirMSky should focus on using well-protected devices and equipment to protect data and carry out web-based operations, while ensuring that the organisation’s websites can be accessed by anyone through smart devices.
Monitoring mechanisms
AirMSky’s monitoring mechanism is implemented through various software and devices. As Jittrapirom et al. (2019) note, it is important for AirMSky to ensure that the important data of its projects and operations is not accessible to everyone but only to authorised persons within the organisation, so that data breaches are avoided. AirMSky should also address the risks that arise from access by unauthorised personnel and by cyber attackers, and should maintain an effective backup to prevent loss of data.
Conclusion
Data protection is an important responsibility for any organisation that operates globally. The need arises because organisational data relating to various operations and projects is accessed by many parties, as illustrated by the case of British Airways, which suffered a data loss in 2018. AirMSky is developing web-based software to hold its operational information and to perform business activities such as payment and order processing. The company therefore needs to develop an effective DGM that helps it to maintain its data and to promote digital business processes.
References
Journals
Moody, G.D., Siponen, M. and Pahnila, S., 2018. Toward a unified model of information security policy compliance. MIS Quarterly, 42(1). Available at: http://search.ebscohost.com/login.aspx?direct=true&profile=ehost&scope=site&authtype=crawler&jrnl=02767783&AN=127748832&h=qLC7KU9kJI3mUIY5QP63HIbJAj4a0yJAvsaMRnU7V9ALq2cxmBGxMizPjzbNM0zqrLj2Ko3chYWQp6Z2Qiw8EA%3D%3D&crl=f&casa_token=d3u6w-nR_vcAAAAA:88zc1W3BcXKs7ttAHrwHbEJALaEq3swfwBaG3tJkhU4yFM9tDgMxE71kLUKoRoqGHEE03goCiLiF1OW8
Chen, X., Wu, D., Chen, L. and Teng, J.K., 2018. Sanction severity and employees’ information security policy compliance: Investigating mediating, moderating, and control variables. Information & Management, 55(8), pp.1049-1060. Available at: https://www.researchgate.net/profile/Xiaofeng-Chen-7/publication/325292677_Sanction_Severity_and_Employees%27_Information_Security_Policy_Compliance_Investigating_mediating_moderating_and_control_Variables/links/5fbb0959299bf104cf6ceb8b/Sanction-Severity-and-Employees-Information-Security-Policy-Compliance-Investigating-mediating-moderating-and-control-Variables.pdf
Ormond, D., Warkentin, M. and Crossler, R.E., 2019. Integrating cognition with an affective lens to better understand information security policy compliance. Journal of the Association for Information Systems, 20(12), p.4. Available at: https://core.ac.uk/download/pdf/301386393.pdf
Yerby, J. and Floyd, K., 2018, August. Faculty and staff information security awareness and behaviors. In Journal of The Colloquium for Information Systems Security Education (Vol. 6, No. 1, pp. 23-23). Available at: https://cisse.info/journal/index.php/cisse/article/download/90/CISSE_v06_i01_p05.pdf
Abraham, R., Schneider, J. and Vom Brocke, J., 2019. Data governance: A conceptual framework, structured review, and research agenda. International Journal of Information Management, 49, pp.424-438. Available at: https://www.academia.edu/download/63165650/Data_governance__A_conceptual_framework__structured_review__and_research_agenda20200501-6004-19j6ekv.pdf
Al-Ruithe, M., Benkhelifa, E. and Hameed, K., 2019. A systematic literature review of data governance and cloud data governance. Personal and Ubiquitous Computing, 23(5), pp.839-859. Available at: https://www.researchgate.net/profile/Elhadj-Benkhelifa/publication/322259947_A_systematic_literature_review_of_data_governance_and_cloud_data_governance/links/5dfa5afd4585159aa48535ea/A-systematic-literature-review-of-data-governance-and-cloud-data-governance.pdf
Koltay, T., 2020. Quality of open research data: values, convergences and governance. Information, 11(4), p.175. Available at: https://www.mdpi.com/2078-2489/11/4/175/pdf
Miralles-Quirós, M.M., Miralles-Quirós, J.L. and Valente Gonçalves, L.M., 2018. The value relevance of environmental, social, and governance performance: The Brazilian case. Sustainability, 10(3), p.574. Available at: https://www.mdpi.com/2071-1050/10/3/574/pdf
Singh, C., Zhao, L., Lin, W. and Ye, Z., 2021. Can machine learning, as a RegTech compliance tool, lighten the regulatory burden for charitable organisations in the United Kingdom? Journal of Financial Crime. Available at: https://westminsterresearch.westminster.ac.uk/download/8e43b6768ccf1d019fefce162952c999e6da82c5cde2c48c16bcfa40a3226bb6/354046/Can%20Machine%20Learning%2C%20as%20a%20RegTech%20Compliance%20Tool%2C%20lighten%20the%20Regulatory%20Burden%20for%20Charitable%20Organisations%20in%20the%20United%20Kingdom%3F.pdf
Oberthür, S., 2019. Hard or soft governance? The EU’s climate and energy policy framework for 2030. Politics and Governance, 7(1), pp.17-27. Available at: https://www.cogitatiopress.com/politicsandgovernance/article/download/1796/1796
Janah, N. and Mayesti, N., 2020. Maturity Model Matrix of Information Governance in the Republic of Indonesia Public Television Broadcasting Institution. A Technical Note. Australasian Accounting, Business and Finance Journal, 14(1), pp.97-104. Available at: https://ro.uow.edu.au/cgi/viewcontent.cgi?article=2057&context=aabfj
Jittrapirom, P., Marchau, V., van der Heijden, R. and Meurs, H., 2018. Dynamic adaptive policymaking for implementing Mobility-as-a Service (MaaS). Research in Transportation Business & Management, 27, pp.46-55. Available at: https://repository.ubn.ru.nl/bitstream/handle/2066/179332/179332.pdf?sequence=1
Websites
gov.uk, 2021. The Data Protection Act. Available at: https://www.gov.uk/data-protection [Accessed 26 December 2021]
itgovernance.co.uk, 2021. ISO 27001 Annex A controls explained. Available at: https://www.itgovernance.co.uk/blog/iso-27001-the-14-control-sets-of-annex-a-explained [Accessed 26 December 2021]