1. Provide detailed explanation of the diagram and identify the areas of: high, medium, medium-low, and low risk exposure.
2. Carry out comparative analysis of the Deliberate and Accidental Threats and rank those threats in order of importance. Justify your rankings not only on the basis of the case study but also by the means of doing further research and drawing upon other relevant case studies (e.g. Security guidelines for other private and public organizations) that you can identify.
4. Explain the difference between the concepts of (make sure that your discussion is linked to the case considered).
Explanation of Victorian Protective Data Security Framework
Victorian Protective Data Security Framework (VPDSF) was developed by CPDP (Commissioner for Privacy and Data Protection) as a requirement of Privacy and Data Protection Act of 2014 (Stauffer, 2015). This VPDSF was published on 28th June of 2016. The protective data security risks are managed by this VPDSF in Victoria. The framework deals with:
- Standards of Victorian Protective Data Security
- Resources and supplementary guides for security, and
- Assurance model
This framework shows the instructions and prescriptive instruction and the possible way of instructing the agencies on how to build security in their operations and systems (Lane, 2014). This gives a number of policies and documents that an agency should follow. This includes:
|
o A framework of security management and related procedures that are needed in business practices.
|
|
o A government of access management governing about who can accessible to data access and how.
|
|
o Training and awareness program for the staffs that are needed for handling data.
|
|
o Management plan that are formal.
|
|
o Management plan that are business continuity, and
|
|
o Guarantee terms that enables suppliers of third party.
|
Privacy and Data Protection Act 2014- handling and collection of information that are personal are the responsibilities of the Privacy and Data Protection Act (Clarke, 2014). This helps to establish a data security framework that is protective in the Victorian sector. To develop, oversee and implement a protective framework, the PDPA permits the CPDP as the Victorian Protective Data Security Framework (VPDSF). Information Privacy Act was replaced by PDPA in 2014 and also the Commissioner for Law Enforcement Security Act 2005 (Greenleaf, 2014). The function of Commissioner for Law Enforcement Data Security and Privacy Commissioner was together merged to make this act. 10 IPPs (Information Privacy Principles) were kept from Victorian Privacy Legislation into the PDPA.
Principles of Victoria Protective Data Security Framework- To calculate the current and proposed practices of security the following principles are followed: Governance arrangements that are needed to protect the requirements of the enterprises are returned in the planning of organization (Adams & Lee?Jones, 2017). Security efforts are given priority and enable to make informed decisions by the help of risk management. To protect the information of the organization, it enables to understand the value of information. A security culture that is positive is made with clear personal liability and to understand risk that are mature, reputation and responsibility are allowed in an organization to support and function effectively the government services (Borgman, Mubarak & Choo, 2015). Improvement on the life cycle of the model also helps the organization to analyze the opportunities. To achieve effective, economic and efficient manner objectives, sound protective data security practices are assisted in an organization.
Standards those are included in VPDSF– Statements that are of high level are to be achieved (Johnson et al., 2015). An alert of the statement is given for the results that are achieved through compliance are described in the standards.
Protocols- to specify the minimum essential requirements, four numbers of targeted statements are needed to achieve al the standards.
Controls- The minimum amount of security that is expected for better practice comes under the control standards (Browning, So & Sparks, 2013). Security guides that are tailored and guidance of Federal government and standards that includes International and Australian are also developed by CPDP.
Security Guidelines- Non-mandatory elements and implementation instructions that are designed to support the implementation of protocols and standards are included in security guidelines (Pillitteri & Brewer, 2014).
12 standards for Security Governance state the official sponsorship of and the interest in security administration that is used for approach based on risk based.
Standards those are included in VPDSF
Three standard of Information Security state the Protection of data, paying little heed to media or arrangement, over the lifecycle of data from when it is made to when it is arranged.
Standard of Personnel Security describes engagement and work of qualified and appropriate individuals to get to data.
Standard of ICT Security ensures secure correspondences and innovation frameworks handling or putting away data.
Physical Security standard provides secure physical condition (i.e. offices, benefits and gears) and the use of physical safety efforts to ensure data
Policies and procedures- An approach is a strategy or rules to be taken after though a methodology is the 'quick and dirty' of the strategy, stating what to do to execute the strategy (Nieles, Dempsey & Pillitteri, 2017). Security arrangements and methods of associations, intended to mirror their one of a kind working prerequisites.
Deliberate Threats- Intentional threats that are caused in an organization are the deliberate threats (Yoder-Wise, 2014). Various types of deliberate threats are:
Information coercion, happens when aggressor that condition deliberately to submit robbery or may have own personal aim to confer burglary about the data in the organization.
Vandalism or Sabotage is theory which includes devastation of an enterprise, and the consecutive effects that falls on the organization if the trust of the client fails.
Theft of gear or data- Personal systems and gadgets that are personal faces diminishment in size and increment in quality (eg, tablets, blackberries, cell phones, PDAs, cameras and other). This is easy stealing of the gadgets (Ahmad, Bosua & Scheepers, 2014). Human mistake caused due to excessively silly (carelesness), may mead to stolen or lost of the electronic gadget (Pallegedara & Warren, 2016).
Compromises to the Licensed Property- Innovations that are licensed are the property that are made by an organization or an individual are secured in regard with patent, copyright laws and professional career mystery (Mitchell & Zmud, 2015). While selecting an enterprise, the employees of the organization are bounded by patent, copyright laws and professional career mystery.
The assaults that are related to programming keeps on changing day by day in this modern computerized world when attackers uses programming that are malignant to contaminate the similar number of systems around the world.
Most of the harm is caused due to data frameworks or corporate information emerges because of human blunder .Accidental abuse or harm will be influenced after some time by the state of mind and staff’s disposition with the environment (Quan-Haase, Burkell & Rubin, 2015). Human mistakes affect data framework security than deliberate assaults that are done by human.
Incidental dangers are created in light of the negligence and mistakes. For data security risk to occur, the behavior of the internal partners can be the reason behind the issues that comes through. Risks that are considered are mistakes that are made internally, for example, programming blunder prompts framework crash, may likewise prompt weakness or the screen of the personal system that is not attended or are not approved by the customer.
Protocols
An important risk that occurs for the reason of security designed setup and elements and also endeavor the crevices for the programming (Smith, 2013). The ongoing frameworks and the databases which are not freshen up or are fixed with the current rendition are also powerless against the security dangers that are new. Such dangers may lead to consequences of misleading in the way of dismissals or deliberate blunders. In PC based data frameworks, a typical reason for unintentional harm includes clients endeavoring to put in new equipment things or programming applications, existing information might be lost when the program is introduced or the program may neglect to work as expected. The following affect can occur due to accidental threat:
- Process of decision making that are improper;
- Capability of business is harmed;
- Open picture loss possibility;
- Financial misfortune;
- Legal liabilities;
- Consideration’s obligation fall;
- Business maintenance cost will rise extremely.
The effects of accidental threats are substantially lower than the deliberate threats. This makes the deliberate threat much more significant. The threats that are deliberate cannot be understood before it has already occurred and these kinds of threats are also uncontrollable. From subsequent to directing it is seen that an investigation can manage the risks in the future. The results that occurs for the impact of ISMS to enhance the threat occurrence that are accidental and deliberate are:
Much Higher: The threat that is deliberate is much higher as compared to the accidental risk and this risk is relatively universal. Additionally, deliberate threats have the ability to affect the objectives which are related with people and the organizations.
Less High: Threats that are accidental are able to change the goal and hurt the collection along with point might help be re-built up. The cost of neglecting accidental threats is very less.
As VIC plays an role to communicate between the user and the government, there must be several ways to lessen those threats and analysis has been done for such cases. An accumulation of criteria is categorized and incorporates the criteria into the configuration of security to give a protection to the ISMS from all the threats that it receives. For recovery of data and protecting and controlling the VIC government, deliberate threats are mainly controlled.
There are many ways by which it is stated the issues of the government of VIC are carried out externally or internally. The main fact that lies behind the challenge of non existence is the Information Security Management System. Even for the most government organizations that are consolidated the management of risk has made itself an approach that is highly recommendable. To improve the approach of risk management, the enterprise works on the way to improve the method. The method of risk management is not able to handle most of the types of risks. The regions that are needed to be improved are shown in the option of threat filtering. The challenges that are faced by the VIC Government are:
Arranging Requirements: For the enhancement of finance and for correctly structuring the position, higher efforts are to be given by VIC government. The government fails to do give the efforts for the enhancement.
Data Propriety: The non existence of data security management is another issue that comes across the VIC government. The level of security of the VIC government is not up tp the required standard which leads to accelerating of information
Controls
Establishment of VIC: As per the present day, the systems are getting updated tremendously. The VIC government does not gets itself updated that is needed by the present data security is needed.
The following points states the difference between the risk an d uncertainty of an organization
- The hazard comes from the fact that the company is losing or gaining profit. When a person does not know about what to do in the future, then arises the situation of uncertainty.
- The speculative models that a person uses for distinguishing, ascertaining and also find out the dangers. No particular reason for measuring the vulnerability quantitatively is present there. It is on the grounds that to estimating the parts that come in future are not counted.
- Negative aftereffect of an occasion is considered as hazard, and the reason for instability is not identifiable.
- The dangers that depend on different theories are controlled by different procedures. This is valid because the risk source can be tracked. Additionally, the most serious dangers are as of now known.
- Minimization of hazard is possible, to keep away the potential hazard The insecurity cannot be restricted
Avoidance: Avoidance is the best techniques for controlling risk. The name itself suggests, affiliations the keeping away from the hazard by and large. On the off chance that increase to keep up imperative detachment are difficult to achieve profit, by then there is no likelihood that affiliations will experience the insidious effects of that specific risk factor, at any rate. This is the reason shirking is the underlying of the risk control approaches that are engaged upon. This is a technique is for methodically disposing the hazard.
Loss Prevention: This control methodology is a structure that purposes of regulation, rather than slaughters. Rather than keeping up a crucial partition from a danger completely, this system recognizes a hazard however tries to confine the risk as a result (Jackson et al., 2015). Taken for instance, securing stock inside a diffusing concentration presumes that it is weak to theft. Since there truly is no authentic way to deal with keep up a fundamental division from it, a catastrophe killing action application is made for confining the danger. This application may join checking security guarantees, camcorders, and safeguard storerooms.
Loss Reduction: This is control procedure that perceives hazard, and moreover perceives the way that hardship may occur because of the risk. This system will endeavor to oblige the mishap if there ought to be an event or a remark impact of a danger. For instance, an affiliation may need to store ignitable material in a scattering center.
Separation: This approach control incorporates disseminating essential assets. It ensures that in the event that anything unessential occurs at a locale, the impact to the association is confined to the advantages especially at that range. On the other hand, if there should arise an occurrence of all favorable circumstances would exhibit around there, by then the association would lessen logical inconsistency of the test. An example of this is the time when an affiliation utilizes a geographically updated staff.
Duplication: This control approach includes the making of an arrangement design fundamentally. It is as every now and again as conceivable essential with usage. A disaster inside a data framework's server should not to pass in general business to a stop. Or, then again perhaps, a fortress over server ought to be in a split second accessible for getting to if the basic server bites the dust. Another duplication case as a risk control technique is the time while an association uses the advantages of a catastrophe recuperation procedure.
Diversification: This risk control approach that allocates business assets that are regarded as distinctive make a mark on the business and helps to grow the business to achieve profit. With growing, a huge wage risk from one line of business would not make hopeless naughtiness the affiliation's fundamental concern.
Security Guidelines
Acceptance of Risk: The hazard acknowledgment does not prompt a lessening in the effect of the hazard however it is considered as a methodology of moderating danger (Fernandez et al., 2015). Inside different tasks, this system can be viewed as a standard alternative as the charge of the hazard taking care of inclinations, for example, confinement or evasion be more prominent than the hazard. The hazard acknowledgment technique will be utilized by VIC if the effect of the hazard is not serious.
Avoidance of Risk: Risk avoiding is considered as the inverse procedure of hazard acknowledgment. VIC will be utilizing the hazard evasion methodology to maintain a strategic distance from any scope of the hazard from its data security. Among all hazard mitigation system, to avoid risk is the most costly moderation technique.
Limitation of Risk: Various businesses utilize this hazard impediment methodology as far as the greater part of the cases. This suggests associations must breaking point its introduction to taking a few activities. Both the hazard acknowledgment and shirking procedures are essential.
Risk Transference: In this mitigation technique, the task is handed over to another third party with the will that it can manage the task. Taken for instance, different associations outsource specific exercises, for finance administrations, client administrations and significantly more.
References
Adams, C., & Lee?Jones, K. (2017). Sharing personal information in the child protection context: Impediments in the Australian legal framework. Child & Family Social Work.
Ahmad, A., Bosua, R., & Scheepers, R. (2014). Protecting organizational competitive advantage: A knowledge leakage perspective. Computers & Security, 42, 27-39.
Borgman, B., Mubarak, S., & Choo, K. K. R. (2015). Cyber security readiness in the South Australian Government. Computer Standards & Interfaces, 37, 1-8.
Browning, V., So, K. K. F., & Sparks, B. (2013). The influence of online reviews on consumers' attributions of service quality and control for service standards in hotels. Journal of Travel & Tourism Marketing, 30(1-2), 23-40.
Clarke, R. (2014). The regulation of civilian drones' impacts on behavioural privacy. Computer Law & Security Review, 30(3), 286-305.
Fernandez, A., Lopez, V., del Jesus, M. J., & Herrera, F. (2015). Revisiting evolutionary fuzzy systems: Taxonomy, applications, new trends and challenges. Knowledge-Based Systems, 80, 109-121.
Greenleaf, G. (2014). Sheherezade and the 101 data privacy laws: origins, significance and global trajectories. JL Inf. & Sci., 23, 4.
Jackson, N., Atar, D., Borentain, M., Breithardt, G., van Eickels, M., Endres, M., ... & Kreuzer, J. (2015). Improving clinical trials for cardiovascular diseases: a position paper from the Cardiovascular Round Table of the European Society of Cardiology. European heart journal, 37(9), 747-754.
Johnson, L., Adams Becker, S., Estrada, V., & Freeman, A. (2015). The NMC Horizon Report: 2015 Museum Edition. New Media Consortium. 6101 West Courtyard Drive Building One Suite 100, Austin, TX 78730.
Lane, J., Stodden, V., Bender, S., & Nissenbaum, H. (Eds.). (2014). Privacy, big data, and the public good: Frameworks for engagement. Cambridge University Press.
Mitchell, V. L., & Zmud, R. W. (2015). The Moderating Effects of Coordinated Planning on Project Performance. Planning for Information Systems, 369.
Nieles, M., Dempsey, K., & Pillitteri, V. Y. (2017). An Introduction to Information Security. NIST Special Publication, 800, 12.
Pallegedara, D., & Warren, M. (2016, January). Unauthorised Disclosure of Organisational Information through Social Media: A Policy Perspective. In IDIMC 2016: Exploring our digital shadow: from data to intelligence (pp. 86-93). LISU.
Pillitteri, V. Y., & Brewer, T. L. (2014). Guidelines for smart grid cybersecurity. NIST Interagency/Internal Report (NISTIR)-7628 Rev 1.
Quan-Haase, A., Burkell, J. A., & Rubin, V. L. (2015). The Role of Serendipity in Digital Environments. In Encyclopedia of Information Science and Technology, Third Edition (pp. 3962-3970). IGI Global.
Smith, K. (2013). Environmental hazards: assessing risk and reducing disaster. Routledge.
Stauffer, A. (2015). Introduction. In Virtual Victorians (pp. 1-8). Palgrave Macmillan US.
Yoder-Wise, P. S. (2014). Leading and Managing in Nursing-E-Book. Elsevier Health Sciences.
