Enhancing Operational and Environmental Security of Private-Match Dating Agency

About Private-Match

You have just been offered a well-paid and highly responsible job managing a national dating agency, called Private-Match (PM). PM matches people looking for a partner with similar interests and personalities.

PM has six offices in the country, with a head office based in a major city. They were originally formed by one person in their home, using social media platforms to advertise services and complete the matching of people.

Within six months of starting the business, demand had exceeded the capability of one person, so an office space was set up and three part-time employees were found. Two years later it was clear that there was an opportunity to expand to other sites around the country, and so as of today there are six offices and one head office. Each office has a manager and up to six staff. There are IT support teams (two people) in each office.

The company currently uses its own server equipment to store all its data, which is backed up manually once a day. The offices are open 9am-5pm Monday-Friday and 10am-2pm on Saturdays, but IT support can be requested outside of these hours by telephone, serviced by a team based at the Head Office.

PM administer their matching services via their website and mobile application (which currently links back to their website using a responsive user interface). Customers can sign up online and submit their personal details, including photographs and text-based information via the mobile application or through a desktop browser.

Matching is completed using a series of artificial intelligence (AI) algorithms, which automatically notify the customer that one (or more) match has been found. The user is prompted to review the match and accept, reject or mark as tentative (for later review). This helps the AI improve matching over time. AI matching is currently a unique selling point for the company, something which no other company has managed to implement.

Customers make payment via debit card and have the option to upgrade their account to platinum level to remove advertising from the mobile application and access a more bespoke level of matching, which uses human intervention mixed with AI algorithms for a better service. The standard service is half the cost of the platinum service, and each has a free trial of two weeks, which a user can sign up for. In order to use the services, a customer must register first and verify their email address, but there are no checks to ensure that the user is genuine and who they say they are.

Current Security Practices

Customers are asked for lots of personal data, as well as a series of key questions which help the matching process. This means data protection is key for the company. Customers want to be sure that their personal information is held securely and not shared with unwanted parties.

The previous manager has just taken retirement and you have been offered the job based on your computing background and your knowledge of Data Governance and the ITIL framework. The company is struggling to understand the complexities of implementing new data protection regulations adequately, and is subsequently at risk of fines, or worse. From regular staff meetings you are aware that there is a big demand for training of staff to ensure they understand data protection laws. You will be leading on that training.

You are also keen to enhance the operational and environmental security of the organisation after undertaking initial discussions with local office managers. Your office space is completely open with no lockable doors, and any member of the public could currently walk in off the street.

You have decided to implement the following consistently across all offices: 

1. A full risk assessment for IT services and related data

2. A disaster management and recovery plan

3. A set of enhanced IT policies to also include Data Protection, a Whistle-blowing policy, Acceptable Use policy, Backup policy, Staff Training policy and a Password policy

As the company continues to grow in its day-to-day operations, it needs a simple, reliable method for backing up the data it collects and manages on a daily basis. It keeps sensitive data on customers and staff (including payroll, pensions, national insurance etc.), as well as important day-to-day operational data such as numbers of staff accessing active workstations, costs to heat the building etc., all of which (when analysed) can contribute to reduced running costs. You have looked at the possibility of using cloud services more widely, but will need to convince the board of directors this is required.

You are also keen to expand into offering online training courses and IT support for staff, with live chat at key times. Part of your job will be to ensure that you can resource this without bringing in external help. 

Your task is to put together the following items:

1. A proposal to the board of directors for enhancing the operational and environmental security of the company. This should include a full risk assessment relating to IT services and data security and your recommendations for systems/physical security/staff training/policy changes. Within this proposal you need to show that you have a Business Continuity Plan (how the business will continue to operate if something goes wrong).

2. A guide for all staff concerning ethical, legal and regulatory compliance pertaining to this scenario, to include clear information on all applicable laws and industry best practice (such as ISO27001). The guide should include clear details about the potential costs to the organisation should a breach occur (financial and reputational) and should indicate the responsibilities of everyone involved. You can also link back to any policies you plan to create for item 1. This guide will be used to supplement staff training days and will serve as a useful reminder to those who have attended the mandatory training. Finally, the guide should include a process explaining how staff can report any suspicious incident or suspected fraudulent activity.

3. An A4 electronic poster showing the steps to be taken for Disaster Recovery. It should indicate responsibilities and have a clear start and end. This poster is to be followed by your IT teams in the event of an IT related disaster.

 
