This report concerns personally identifiable information (PII) and personal data protection at the Department of Administrative Services (DAS), which provides a number of services to the state government of Australia (Al-Fedaghi & Al-Azmi, 2012). These services cover areas such as HR, personnel management, payroll, and contract and contractor management. Following a change in government policy, DAS is now moving towards shared services (Chakravorty, Wlodarczyk & Rong, 2013), which means that DAS is building a centralized service platform for the whole of government. Agencies that run services are required to bring their data into the centralized DAS data store (Theoharidou, Mylonas & Gritzalis, 2012). This involves implementing a SaaS HR and personnel management suite, a SaaS contractor management suite and a COTS payroll solution in the AWS cloud.
The government has now decided to use a portal named My License for license renewal. The portal also lets the government easily keep track of the type of license that each citizen holds (Bryant, 2013). The government plans to have citizens register on the My License portal and create their own informal digital identity (Cavoukian & Jonas, 2012). The data stored in the database can then be used for better planning and decision making by various government bodies and public agencies (Venkatanathan et al., 2013).
The key points discussed are a threat and risk assessment for the PII data held on the My License portal, covering both its privacy and its data protection together with solutions for controlling the risk; strategies for protecting the informal digital identity; and the privacy and data protection aspects of a digital identity (Barocas & Nissenbaum, 2014). An outline plan for the governance of PII data and digital identity, together with the personal data and PII data of contractors in the contractor management suite, is also discussed.
The Department of Administrative Services (DAS) provides a number of services, such as HR and personnel management, payroll, and contract and contractor management, to other departments of the government of Australia (Louw & von Solms, 2013). DAS is now planning to move to shared services, which means that it will centralize a large number of services for the whole government (Cavoukian & Jonas, 2012). The government has also planned to centralize license applications and renewals from various agencies into a single web portal known as My License (Smith, 2012). The government plans to encourage citizens to register on the My License portal and keep track of renewal dates (Markham & Buchanan, 2012). Important points such as the threat and risk assessment for PII data on the My License portal, the protection of the informal digital identity created for the My License portal, and an outline plan for the governance of PII data and digital identity are discussed in brief (Marwick & Boyd, 2014). Other points such as threat and risk assessment, privacy and data protection, possible solutions to the identified problems, and the protection of the informal digital identity with possible ways to overcome the problems are discussed together with an outline plan (Theoharidou, Mylonas & Gritzalis, 2012).
Threat and Risk Assessment
A threat and risk assessment (TRA) is a process for assessing the risk to assets and the threats that could lead to their being destroyed, accessed or modified (Venkatanathan et al., 2013). A TRA examines the risk at the time of upgrade, during implementation and after completion of the various service operations (Louw & von Solms, 2013). A TRA uses information about the given assets and details of how that information is controlled throughout its lifecycle. It uses the data within the scope of the TRA and the sensitivity of that data to the risk of disclosure or manipulation (Monteleone, 2012). Various risk mitigation techniques then address the identified vulnerabilities (Song et al., 2012). PII refers to any information that can be used to uniquely identify, locate or contact an individual.
Privacy and Data Protection
The way in which data is lost does not matter; what matters is that the cost of a data breach can be large. Fines are a well-known consequence of data loss from a portal such as My License, and they can be very expensive (Chown et al., 2012). Data exists in three states: data in use, data at rest and data in motion. Data in use is the data present on the endpoints that employees use to do their job (Marwick & Boyd, 2014). Data at rest is the information stored on endpoints, file servers and systems such as Exchange servers, web servers and SharePoint (Markham & Buchanan, 2012). The administrator of My License can follow five steps to prevent data loss, beginning with identifying the personally identifiable information (it is the administrator's duty to protect the portal), placing PII at the top of the priority list, and checking where that PII is located (Monteleone, 2012). Creating an acceptable use policy (AUP) and educating the employees working on the portal about it is beneficial. An AUP helps protect the PII held on the My License portal (Chen & Zhao, 2012). AUPs vary from organization to organization, but they achieve three goals: protection of PII data, limitation of access to PII, and rules governing access to PII by unauthorized employees on the My License portal (Louw & von Solms, 2013). The AUP is beneficial only if the employees play a major part in protecting PII (Chown et al., 2012). Protection of PII is achieved much better by delivering copies of the AUP to the employees of the license portal and holding training sessions. It also relies on employees signing an acknowledgement statement and promising that they will follow it (Satchwell, Barton & Hamilton, 2013).
Ultimately, every employee of the portal must take an active part in implementing the AUP, which supports the prevention of data loss and, in particular, the loss of PII.
Mitigation to overcome the identified problems
Five steps, namely encryption, threat protection, data loss prevention, policy compliance and blocking, can be taken to address the problem for the My License portal (Chen & Zhao, 2012). Data encryption keeps the data safe; threat protection keeps the data on the server safe from viruses, phishing and other threats; and data loss prevention alerts the user when he is about to send a file containing information from the My License portal (Chown et al., 2012). Policy compliance blocks the user from using a browser by means of a well-known security technique (Satchwell, Barton & Hamilton, 2013). Lastly, blocking stops unknown or anonymous proxies from being used for web searches, as they allow personal information to be used by the administrator of the proxy server. The encryption method encrypts USB drives, CDs and other removable media devices (Danezis et al., 2015). Threat protection focuses on protecting the endpoint, email and web vectors with the provided security (Markham & Buchanan, 2012). It detects known and unknown malware and many potentially unwanted applications (PUA) (Chen & Zhao, 2012). Data loss prevention has certain rules, namely the file mismatching rule and the content rule. The file mismatching rule checks the kind of file the user is trying to access and specifies the action that must be taken (Chen & Zhao, 2012). The content rule contains definitions of important data and specifies the actions that can be taken when data matching those definitions is transferred (Lin et al., 2012). The policy compliance factor develops a list of applications that need to be controlled under certain conditions to protect data against accidental transfer by methods such as email, online storage and smartphone synchronization (Danezis et al., 2015).
Various methods can be introduced to control web use, as the internet is considered the biggest source of malware (Smith, 2012). Policy compliance covers three kinds of device, namely storage, network and short-range devices, which are widely involved in the accidental storage and sending of important data. Storage devices include USB drives, external hard drives, optical media drives and floppy disks (Chakravorty, Wlodarczyk & Rong, 2013). Network devices are modems and wireless fidelity (Wi-Fi) interfaces using the 802.11 standard (Marwick & Boyd, 2014). Short-range devices include Bluetooth and infrared for sending and receiving data (Venkatanathan et al., 2013).
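The file mismatching rule and the content rule described above can be combined into one outbound-transfer check. The following Python example is added here and is not part of the original report; the magic-byte table, the PII patterns (the LIC-######## licence-number format is a hypothetical placeholder) and the per-channel actions are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Magic-byte signatures for the file kinds this sample rule recognises (constructed set).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
    "jpg": b"\xff\xd8\xff",
}

# Content-rule definitions. The LIC-######## licence-number format is a hypothetical
# placeholder, not the identifier format the real portal issues.
CONTENT_RULES = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "licence_number": re.compile(rb"\bLIC-\d{8}\b"),
}

# Action taken per channel when a content rule matches: an email transfer alerts the
# user before sending, while copies to removable media or online storage are blocked.
PII_ACTION = {"email": "alert", "usb": "block", "cloud": "block"}


@dataclass
class Verdict:
    action: str                       # "allow", "alert" or "block"
    reasons: list = field(default_factory=list)


def file_type_mismatch(filename: str, data: bytes):
    """File mismatching rule: the claimed extension must agree with the file header."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    sig = MAGIC.get(ext)
    if sig is None:
        return None                   # extension not covered by the rule
    if data.startswith(sig):
        return None
    return f"extension .{ext} does not match the file header"


def content_matches(data: bytes):
    """Content rule: names of the PII definitions found in the payload."""
    return [name for name, rx in CONTENT_RULES.items() if rx.search(data)]


def evaluate_transfer(filename: str, data: bytes, channel: str) -> Verdict:
    """Combine both rules into one decision for an outbound transfer."""
    verdict = Verdict("allow")
    mismatch = file_type_mismatch(filename, data)
    if mismatch:
        # A disguised file is blocked regardless of channel or contents.
        verdict.action = "block"
        verdict.reasons.append(mismatch)
    hits = content_matches(data)
    if hits:
        verdict.reasons.append("PII matched: " + ", ".join(hits))
        if verdict.action != "block":
            verdict.action = PII_ACTION.get(channel, "block")
    return verdict


if __name__ == "__main__":
    # Constructed samples: a genuine PDF, a PDF renamed to .png, and a text file with PII.
    samples = [
        ("report.pdf", b"%PDF-1.4 quarterly licence statistics", "email"),
        ("report.png", b"%PDF-1.4 quarterly licence statistics", "email"),
        ("contacts.txt", b"j.citizen@example.gov.au holds LIC-12345678", "email"),
        ("contacts.txt", b"j.citizen@example.gov.au holds LIC-12345678", "usb"),
    ]
    for name, payload, via in samples:
        v = evaluate_transfer(name, payload, via)
        print(f"{name} via {via}: {v.action} {v.reasons}")
```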
Protection of Informal Digital identity
An informal digital identity has three components: identification or registration, authentication and authorization (Chen & Zhao, 2012). Identification or registration is the process that gives a user a digital identity, and authentication is the process of verifying the different attributes of that identity (Barocas & Nissenbaum, 2014). Authorization is the process that allows a user to use the digital identity for electronic transactions and for filling in forms online on the license website. Identification has four types: self-asserted, direct, third party and detailed direct (Chen & Zhao, 2012). Self-asserted identification is when the user asserts his own identity and no verification is performed by a third party (Danezis et al., 2015). In third-party identification a third party performs the verification; a good example is validation by a telecom company (Bryant, 2013). Authentication is a security process that admits a user through one of a set of categories: one-factor, two-factor and three-factor authentication (Al-Fedaghi & Al-Azmi, 2012). One-factor authentication, the most common type, is the combination of username and password (Ferrari, 2013). Two-factor authentication is more secure and combines a digital certificate, a fingerprint or a passcode (Li et al., 2014). Three-factor authentication is the combination of all three factors (Lin et al., 2012). The code entered can be generated by a device the user holds, and the focus is on generating the code in the presence of a biometric such as voice, fingerprint or retina scan.
Privacy and data protection aspects for a digital identity
The way in which digital identity data is lost does not matter; what matters is that the cost of a data breach can be huge. Fines are a well-known consequence of data loss from a portal such as My License, and they are generally very expensive (Satchwell, Barton & Hamilton, 2013). There are generally three states of data: data in use, data at rest and data in motion (Ferrari, 2013). The administrator of My License can follow five steps, beginning with identifying the personally identifiable information (it is the administrator's duty to protect the portal) and placing PII at the top of the priority list. Creating an AUP for the portal and educating the employees working on it about the AUP is beneficial (Lin et al., 2012). AUPs vary from organization to organization, but they aim at three goals: protection of personally identifiable information (PII), limitation of access to PII, and rules governing access to PII by any unauthorized employee on the My License portal (Li et al., 2014). An AUP benefits the privacy and data protection of the digital identity only if the employees of the portal take the initiative in protecting PII (Li et al., 2014). This is achieved much better by providing copies of the AUP to the employees of the portal (Reynolds et al., 2014), who then sign an acknowledgement statement and promise to follow it (Ferrari, 2013). Ultimately, every employee of the portal must take an active part in using the AUP, in preventing data loss and in protecting the privacy of the digital identity (Haimes, 2015).
The ultimate goal of the governance plan is to check and approve the procedures needed for the management and administration of a given project (Koning et al., 2014). A proper governance plan is prepared with the help of both procedures and documentation (Theoharidou, Mylonas & Gritzalis, 2012). The project governance plan has four goals within the project management process: promoting consistency, productivity and the expectations of stakeholders (Haimes, 2015); producing proper deliverables with the help of pre-defined practices (Venkatanathan et al., 2013); empowering stakeholders with flexible techniques and practices; and establishing proper reviews and governance of the plan.
Governance is a key factor consisting of the practices, steps, strategies and decisions used to direct the execution of a project. Project governance is also known as a people- and purpose-driven process (Song et al., 2012). Projects are governed by people with proper authority and responsibility for carrying out particular steps (Haimes, 2015). There are four steps in producing a governance plan (Koning et al., 2014): nimble and flexible, clean and concise consistency, explain and justify, and accept and approve. The format of the governance plan must be flexible enough to account for projects of various sizes (Theoharidou, Mylonas & Gritzalis, 2012); smaller, less complex projects may not require the same governance planning as large, complex projects. The format must provide a clean, proper layout for governance variables such as resource management, project communication, financial management and related matters. The content of the governance plan must set out the planned procedures and justify what is included and excluded (Haimes, 2015). The format must also provide a way to obtain and record the approvals that ensure the approval and buy-in of the proper stakeholders.
Personal data and PII data for DAS users
A governance plan can do a number of things when dealing with personally identifiable information, using set standards and procedures for the protection of personal data (Cavoukian & Jonas, 2012). It is the duty of the developer to avoid putting sensitive data containing important information into programs (Barocas & Nissenbaum, 2014). The plan identifies the person who has the right and power to make changes (Koning et al., 2014). It also addresses privacy and security issues before they arise (Chakravorty, Wlodarczyk & Rong, 2013). This ultimately benefits the users of DAS and brings many benefits for the My License portal.
A data breach response plan is an important tool for managing data breaches. It is a framework that sets out the roles and responsibilities for proper management of a data breach and the steps taken to manage it. The plan should cover the strategy for managing the various kinds of data breach, including potential strategies for detecting a breach. The plan should also set out a clear method of communication, including which persons will be approached and how they will be managed.
PII data and Financial data for user
A governance plan helps treat PII data and financial data as data assets and provides an important opportunity for the My License portal, its strategy and the user experience (Bryant, 2013). Governing data assets is as beneficial as governing other enterprise assets such as financial securities, cash and human resources. The National Action Plan helps promote transparency, fight corruption, harness the power of new technologies and make government better. The plan focuses on areas such as transparency in business domains, open data, access to government plans and participation in the plan.
Development of this plan has three phases: raising awareness, seeking ideas and drafting the National Action Plan. Raising awareness involved many public meetings in 2015 to build awareness in Australia, and this process developed Australia's first action plan. Additional awareness of the plan can be created through social media platforms, government websites, teleconferences and email. Seeking ideas is a formal consultation process to gather new ideas on the use of the National Action Plan, including a submission process, conversations with stakeholders and a workshop. The time frames for consultation and submission are generally published on the internet.
DAS staff in COTS payroll suite
COTS stands for commercial off-the-shelf: a product that is used as-is. These products are designed so that they can be installed easily and work with the existing components of the system (Al-Fedaghi & Al-Azmi, 2012). One major advantage for DAS staff of implementing a COTS payroll suite is that it is mass-produced and relatively low-cost (Koning et al., 2014).
A simple method is established in which routines and methods are defined and which comprises standard services, known as commercial off-the-shelf (COTS). In this process the level of risk is minimal, and the goods and services do not require any development. Special advice on legal and financial considerations is generally not required.
From the above discussion it can be concluded that the Department of Administrative Services (DAS) of the Australian state government provides services such as HR and personnel management, payroll, and contract tendering management. Following a change in government policy, DAS is now focusing on implementing shared services, which means that DAS will centralize a number of services. The government has decided to use a portal named My License for license renewal, which also lets the government easily keep track of the type of license that each citizen holds. The government plans to have citizens register on the My License portal and create their own informal digital identity. The data stored in the database can be used for better planning and decision making by various government bodies and public agencies. Various points have been discussed in detail for developing a threat and risk assessment for the My License portal. The TRA has considered both the privacy and the data protection aspects of personally identifiable information on the portal, and possible solutions have been discussed in brief. A strategy for protecting the informal digital identity created for the My License portal has been discussed together with possible solutions. An outline plan for the governance of PII data and digital identity has been discussed for the My License portal. Other key points, such as personal data and PII data for DAS users of the HR and personnel management and contractor management suites, have been discussed briefly. PII data and financial data for users and DAS staff in the COTS payroll suite have also been discussed in brief.
Al-Fedaghi, S., & Al-Azmi, A. A. R. (2012). Experimentation with personal identifiable information. Intelligent Information Management, 4(04), 123.
Barocas, S., & Nissenbaum, H. (2014). Big data's end run around procedural privacy protections. Communications of the ACM, 57(11), 31-33.
Bryant, T. (2013). UE-COTS at the University of Iowa. Workplace: A Journal for Academic Labor, (7).
Cavoukian, A., & Jonas, J. (2012). Privacy by design in the age of big data (pp. 1-17). Information and Privacy Commissioner of Ontario, Canada.
Chakravorty, A., Wlodarczyk, T., & Rong, C. (2013, May). Privacy preserving data analytics for smart homes. In Security and Privacy Workshops (SPW), 2013 IEEE (pp. 23-27). IEEE.
Chen, D., & Zhao, H. (2012, March). Data security and privacy protection issues in cloud computing. In Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on (Vol. 1, pp. 647-651). IEEE.
Chown, S. L., Huiskes, A. H., Gremmen, N. J., Lee, J. E., Terauds, A., Crosbie, K., ... & Lebouvier, M. (2012). Continent-wide risk assessment for the establishment of nonindigenous species in Antarctica. Proceedings of the National Academy of Sciences, 109(13), 4938-4943.
Danezis, G., Domingo-Ferrer, J., Hansen, M., Hoepman, J. H., Metayer, D. L., Tirtea, R., & Schiffner, S. (2015). Privacy and Data Protection by Design-from policy to engineering. arXiv preprint arXiv:1501.03726.
Ferrari, A. (2013). DIGCOMP: A framework for developing and understanding digital competence in Europe.
Haimes, Y. Y. (2015). Risk modeling, assessment, and management. John Wiley & Sons.
Koning, M., Korenhof, P., Alpár, G., & Hoepman, J. H. (2014). The ABC of ABC: an analysis of attribute-based credentials in the light of data protection, privacy and identity.
Li, Z., Ma, Z., van der Kuijp, T. J., Yuan, Z., & Huang, L. (2014). A review of soil heavy metal pollution from mines in China: pollution and health risk assessment. Science of the Total Environment, 468, 843-853.
Lin, N., Emanuel, K., Oppenheimer, M., & Vanmarcke, E. (2012). Physically based assessment of hurricane surge threat under climate change. Nature Climate Change, 2(6), 462.
Louw, C., & von Solms, S. (2013, October). Personally identifiable information leakage through online social networks. In Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference (pp. 68-71). ACM.
Markham, A., & Buchanan, E. (2012). Ethical decision-making and internet research: Recommendations from the AoIR ethics working committee (version 2.0).
Marwick, A. E., & Boyd, D. (2014). Networked privacy: How teenagers negotiate context in social media. New Media & Society, 16(7), 1051-1067.
Monteleone, S. (2012). Privacy and Data Protection at the time of Facial Recognition: towards a new right to Digital Identity? European Journal of Law and Technology, 3(3).
Reynolds, D., Creemers, B., Nesselrodt, P. S., Shaffer, E. C., Stringfield, S., & Teddlie, C. (Eds.). (2014). Advances in school effectiveness research and practice. Elsevier.
Satchwell, C., Barton, D., & Hamilton, M. (2013). Crossing boundaries: digital and non-digital literacy practices in formal and informal contexts in further and higher education.
Smith, C. (Ed.). (2012). Insect colonization and mass production. Elsevier.
Song, D., Shi, E., Fischer, I., & Shankar, U. (2012). Cloud data protection for the masses. Computer, 45(1), 39-45.
Theoharidou, M., Mylonas, A., & Gritzalis, D. (2012). A risk assessment method for smartphones. Information security and privacy research, 443-456.
Venkatanathan, J., Kostakos, V., Karapanos, E., & Gonçalves, J. (2013). Online Disclosure of Personally Identifiable Information with Strangers: Effects of Public and Private Sharing. Interacting with Computers, 26(6), 614-626.