The Case Study

Discuss about the Organizational information security policy.

The operations of any organization depend on its assets, and among the most important of these is its data and information. Data needs the utmost protection: it is the most valuable asset an organization holds, it has no physical existence, and yet mishandling it can bring the organization down (Bulgurcu, Cavusoglu & Benbasat, 2017). There is ample evidence of companies losing their reputation entirely through security breaches and data loss. The security systems meant to prevent or contain such hazards therefore need to be effective, so that organizational integrity and the confidentiality of data and operations remain intact. The following report is a case study of a medium-sized university, Turn Key University (TKU), where a large volume of data, including students' personal information and other confidential organizational data, was breached. The Finance division was given the responsibility of investigating the issue and deciding on the further deliverables. The report sets out the outline devised to analyse the case study, identifies the information that was breached and how it can be categorised, describes the threats to that information, assesses the success or failure of the protections used, compares the problems found with the Australian Privacy Principles, and critically analyses the recommendations that the case study puts forward.

The case study concerns a major data breach at Turn Key University (TKU), a medium-sized university established in the city of Idaho. In the incident, the Finance head, Don, was called in by the Chief Finance Officer and informed of a security issue in which a huge amount of data, including PII, had been taken from the system (Cram, Proudfoot & D'Arcy, 2017). The information had been accessed at an odd time and exported in its entirety; this was discovered the next day during a patch implementation check. The Finance team was given the task of investigating (Ayyagari & Tyks, 2012). The security system the university had used so far was the Lax Security Systems, and the Finance head had no prior experience of handling such systems. Nevertheless, a qualitative and quantitative investigation was organized to find the reasons for the breach, combing through the smallest details to establish its root cause. It was the Finance head and the auditor who searched through the security system to find the primary reason for the data breach and to understand how the lax security system worked.

Practical Threat Analysis Model

In the case study, the Practical Threat Analysis (PTA) model can be used to assess the resulting threats. This model provides an effective way of prioritizing countermeasures, helping an organization's decision-makers arrive at a risk mitigation plan (Peltier, 1998). Applied to the case study, the PTA model can assess the risks in the information security system that led to the breach and establish the asset values of the systems, the potential damage level, and the probability that each potential hazard will materialize. For the incident in the case study, the process works as follows:

Identifying the assets: As per the case study, the most valuable assets of Turn Key University are the student details and the PII. These assets may differ in economic value, but mishandling either would cost the university its reputation.

Vulnerability assessment: The primary cause of the security vulnerability in this case is the lax security system, together with the administrators and the other people who handle the confidential user IDs and login passwords. The system is vulnerable to mishandling and misuse, provides the least amount of agile security, and is weakened further by the university's general norm of passing confidential information over email and phone.

Countermeasures: According to the case study, the countermeasures that would help eliminate the threat to information security are appointing a security head to supervise the entire information security system and educating the workforce in effective and ethical information security practice. These countermeasures would not only be cost effective for the university but would also help it retain its reputation.
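The three PTA steps above (assets, vulnerabilities, countermeasures) come together when countermeasures are ranked by how much risk they remove per unit of cost. The following Python block is an added illustration, not code from the case study or from the PTA tool itself; it uses a simplified scoring model (risk = asset value x damage level x probability) with constructed figures for TKU's two assets and the two countermeasures the report names, so the numbers are assumptions chosen only to show the method.

```python
"""Simplified PTA-style risk scoring and countermeasure ranking (illustrative model)."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset_value: float   # value of the asset at risk (constructed figure)
    damage: float        # fraction of asset value lost if the threat occurs (0..1)
    probability: float   # likelihood of occurrence in the planning period (0..1)

    def risk(self) -> float:
        """Expected loss: asset value x damage level x probability (assumed model)."""
        return self.asset_value * self.damage * self.probability


@dataclass
class Countermeasure:
    name: str
    cost: float
    mitigates: dict      # threat name -> fraction of that threat's risk removed (0..1)


# Constructed threat scenarios mirroring the report's table (values are assumptions).
TKU_THREATS = [
    Threat("PII exported from portal", asset_value=1_000_000, damage=0.8, probability=0.3),
    Threat("Student records exported from portal", asset_value=400_000, damage=0.5, probability=0.3),
]

# Constructed countermeasures from the report's recommendations (costs and effects assumed).
TKU_COUNTERMEASURES = [
    Countermeasure("Appoint security head to supervise transfers", cost=120_000,
                   mitigates={"PII exported from portal": 0.6,
                              "Student records exported from portal": 0.6}),
    Countermeasure("Train workforce in secure credential handling", cost=30_000,
                   mitigates={"PII exported from portal": 0.4,
                              "Student records exported from portal": 0.5}),
]


def risk_reduction(cm: Countermeasure, threats: list) -> float:
    """Total expected loss removed by one countermeasure across all threats it mitigates."""
    by_name = {t.name: t for t in threats}
    return sum(by_name[n].risk() * frac for n, frac in cm.mitigates.items() if n in by_name)


def rank_countermeasures(cms: list, threats: list) -> list:
    """Return (name, risk_reduction, reduction_per_cost) tuples, best value first."""
    scored = [(cm.name, risk_reduction(cm, threats), risk_reduction(cm, threats) / cm.cost)
              for cm in cms]
    scored.sort(key=lambda s: s[2], reverse=True)
    return scored


if __name__ == "__main__":
    for t in TKU_THREATS:
        print(f"{t.name}: expected loss {t.risk():,.0f}")
    for name, reduction, ratio in rank_countermeasures(TKU_COUNTERMEASURES, TKU_THREATS):
        print(f"{name}: removes {reduction:,.0f} of risk, {ratio:.2f} per unit cost")
```

With these assumed figures the cheaper training programme ranks first because it removes more risk per unit of cost, even though supervision removes more risk in absolute terms; the decision-maker sees both numbers and can fund the measures in that order.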

Mitigation plans and threat scenarios:

| Threat scenario | Threat vulnerability | Mitigation plan | What worked |
| --- | --- | --- | --- |
| PII was exported from the university information portal | PII is a huge money magnet on the black market. If it were accessible to an unauthorised person, the PII would let that person see all of the university's detailed transactional information. | The problem could be mitigated if the system had a supervisor overseeing information transfers as they take place. | This has the potential to work, so that information cannot pass to an unauthorized person who could use it for personal gain. |
| Student information was exported from the university information portal | | The problem could be mitigated if the workforce were aware of the security systems and of the ethical way of transferring confidential information. | This mitigation plan has the potential to work properly, as it would help build an effective information security system in the university. |

Table: Threat scenario and Mitigation Plan

Fig: PTA Flowchart

Data was handled in many ways within the university's information management, since the system was divided among three divisions of users: the Information Technology department, the Finance department and the Administrative Support division. During the investigation, the Administrative Support division was examined first, and it was found that it accessed the transaction system frequently to run reports. It was also found that the number of users accessing the system was far greater than the number of approved users (Ayyagari & Tyks, 2012). This was because employees' login details were passed on to temporary employees and student workers quite frequently, so that reports could be run in the employees' absence. The details were passed on by Post-it notes, emails and over the phone, since the employees did not know the ethical norms of information transfer.
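The two findings in this paragraph (more users on the system than were approved, and employee accounts shared with temporary staff) and the off-hours bulk export described earlier are exactly the signals an access-log review would surface. The Python block below is an added example, not part of the case study or of TKU's system; the log format, the approved-user list and the log lines are all constructed for illustration.

```python
"""Review a transaction-system access log for unapproved users, shared accounts
and off-hours exports (added example; log format and data are constructed)."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample log (timestamp,user,src_ip,action); not from the case study.
SAMPLE_LOG = """\
timestamp,user,src_ip,action
2018-03-05T09:12:00,jdoe,10.1.4.21,run_report
2018-03-05T09:40:00,jdoe,10.1.4.77,run_report
2018-03-05T10:05:00,jdoe,10.1.9.3,run_report
2018-03-05T14:30:00,asmith,10.1.4.22,run_report
2018-03-05T23:47:00,sysadm2,203.0.113.9,export_all
2018-03-06T02:15:00,tmp_worker,10.1.4.21,run_report
"""

# Assumed list of accounts the Finance head has approved for the system.
APPROVED_USERS = {"jdoe", "asmith", "sysadm1", "sysadm2", "sysadm3"}
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time (assumption)
EXPORT_ACTIONS = {"export_all", "export_table"}


def parse_log(text: str) -> list:
    """Parse the CSV log into dicts, converting the timestamp column to datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_access(rows: list, approved=APPROVED_USERS, max_hosts: int = 2) -> list:
    """Return (finding_kind, user, detail) tuples for the three conditions checked.

    - unapproved_user: an account not on the approved list used the system
    - off_hours_export: a bulk export happened outside business hours
    - possible_shared_credential: one account used from more than max_hosts addresses
    """
    findings = []
    hosts = defaultdict(set)
    for r in rows:
        if r["user"] not in approved:
            findings.append(("unapproved_user", r["user"], r["timestamp"].isoformat()))
        if r["action"] in EXPORT_ACTIONS and r["timestamp"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours_export", r["user"], r["timestamp"].isoformat()))
        hosts[r["user"]].add(r["src_ip"])
    for user, ips in sorted(hosts.items()):
        if len(ips) > max_hosts:
            findings.append(("possible_shared_credential", user, ",".join(sorted(ips))))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_access(parse_log(SAMPLE_LOG)):
        print(f"{kind:28} {user:12} {detail}")
```

On the constructed log this flags the temporary worker's login as unapproved, the 23:47 export by an administrator account as off-hours, and `jdoe` as a probable shared credential because one account was used from three workstations within an hour; a real review would feed the same checks with the system's own log and the Finance head's actual approval list.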

Categorizing of Information and Information Systems

The Information Technology division was investigated next. It was found that information transactions used software consisting of a simple user interface and a database to hold the information, without any set policies or documentation of how each task was completed. System management was found to be faulty, since no business rules had been assigned beforehand and the management itself was inconsistent. This department also had the problem of passing login information over phone and email. Three administrators had full access to the system and the capability to export the data (Ayyagari & Tyks, 2012). Since the IT department was faster at exporting data than the other departments, it continued to extract data for the majority of the university.

Lastly, the Finance department was investigated to track how data propagated through the university. It was found that the Finance division handled the access permissions of the system as well as its administration. The investigation noted that this department was in the habit of overseeing functional matters such as incorrect charging. Although the department had permission to run the business intelligence reports, it knew little about the information handling system. The Finance head was responsible for administering these data transactions and had the access to set up user data and export data. It was also one of his responsibilities to make sure that only appropriate users had access to the system.

The categorization of information and information systems follows the standard set out in FIPS Publication 199. The standard establishes security categories for both information and the information systems that hold it. The categories are based on the potential impact on an organization should certain events compromise its information or systems (Ross, 2014), judged by the organization's ability to accomplish its assigned missions, maintain its day-to-day activities, protect its assets, meet its legal responsibilities and protect individuals. The security categorization is used together with vulnerability and threat information to assess the potential hazards in an environment. According to the FISMA security standards, the categories are described as follows:

Confidentiality: As per Section 3542, an organization must invest time and effort in maintaining authorized restrictions on the access to and disclosure of information, which means respecting personal privacy and proprietary information.

Integrity: According to Section 3542, an organization should guard against improper modification or destruction of information valuable to it, and maintain the authenticity of that information.

Availability: Section 3542 of FISMA states that an organization should ensure timely and reliable access to and use of information by authorized personnel.

Threats to the Information System

The investigation brought out many facts about the threats to the information system. Primarily, before an information security system is implemented in an organization, the entire organization, including the employees, should have a thorough knowledge of the system; this is only possible if the whole organization is trained in the new technology before the implementation (Ayyagari & Tyks, 2012). The external auditor found many inconsistencies in system management, primarily because system administration was in the hands of the Finance department, who had no understanding of the complications of information transfer. It was not only data but also passwords and login information that were passed from one employee to another with little or no security. It is well known that transferring confidential information such as login IDs and passwords in this way leaves it extremely exposed to compromise. Therefore, such details should never be transferred through emails, websites or even over the phone.

Furthermore, the organization had no knowledge of secure password practices. It was found that the entire university followed one simple rule for passwords, which made them very easy to guess. The procedure the university administration followed for setting up passwords was simple and easily reversed (Ayyagari & Tyks, 2012): the first letter of the password was the first letter of the user's first name, and the rest of the password was the user's surname. For example, if the user's name were Tim Burton, the password would be 'tburton'. This was a company norm, adopted without anyone considering whether it was ethical or legal.
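A password policy that catches the TKU convention has to recognise that a password is derived from the account holder's name, not just that it is short. The Python block below is an added example, not code from the case study or from TKU; it checks a candidate password against the first-initial-plus-surname pattern the report describes and, going beyond the page, against the other obvious name-based forms (surname alone, full name, trailing digits) so that 'tburton', 'TBurton2018' and 'Burton!' are all rejected at account setup. The minimum length and the name-forms list are assumptions for illustration.

```python
"""Reject passwords derived from the user's own name (added example; rules are assumptions)."""
import re
import unicodedata


def _norm(s: str) -> str:
    """Fold accents and case and keep only ASCII letters and digits, so 'T.Burton!' -> 'tburton'."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", s.lower())


def name_derived_candidates(first: str, last: str) -> set:
    """The name-based strings a policy should refuse: first, last, first+last, initial+last, ..."""
    f, l = _norm(first), _norm(last)
    cands = {f, l, f + l, l + f, f[:1] + l, l + f[:1]}
    return {c for c in cands if c}


def is_name_derived(password: str, first: str, last: str) -> bool:
    """True if the password is one of the name-based forms, possibly with trailing digits
    ('tburton2018') or with a surname of five or more letters embedded in a longer string."""
    core = _norm(password)
    stripped = re.sub(r"\d+$", "", core)      # drop a tacked-on year or counter
    cands = name_derived_candidates(first, last)
    if core in cands or stripped in cands:
        return True
    # Only longer name fragments count as embedded matches, to avoid flagging
    # every password that happens to contain a three-letter first name.
    return any(c in core for c in cands if len(c) >= 5)


def check_password(password: str, first: str, last: str, min_len: int = 12) -> list:
    """Return the list of policy violations (empty list means the password is acceptable).
    min_len is an assumed policy value, not one taken from the case study."""
    problems = []
    if len(password) < min_len:
        problems.append("too_short")
    if is_name_derived(password, first, last):
        problems.append("derived_from_name")
    return problems


if __name__ == "__main__":
    for pw in ["tburton", "TBurton2018", "Burton!", "timburton", "horse-battery-staple-42"]:
        print(f"{pw!r:28} -> {check_password(pw, 'Tim', 'Burton') or 'ok'}")
```

Run at account creation (or as a one-off audit of the existing convention), this check would have rejected every password the university issued under its rule, forcing the switch to individually chosen credentials that the rest of the report calls for.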

The investigation found that the organization relied on a lax security system as the preventive measure for its information system. The security measures were uncoordinated, and in some cases the preventive measures were not followed at all. The primary obligation of any information system is data secrecy (Siponen, Mahmood & Pahnila, 2014). This was not observed by the people in the organization, since the employees had no idea of the formal or ethical way of handling data. It is a basic ethical norm that login details and passwords are never to be forwarded through websites, emails or over the phone; instead, this was common practice among employees throughout TKU. The main culprit in the data breach was found to be the contractor responsible for upgrading the servers. It was the negligence in handling login IDs and passwords that allowed the contractor to carry out the breach.

Investigation

According to the case study, the university's information management system was not a success. The entire university followed a few norms of data protection that were not at all ethically correct, but the employees were unaware of this (Soomro, Shah & Ahmed, 2016). The data breach was also a result of these malpractices within the organizational structure. For instance, transferring user details over phone, email and websites was common practice, which is hazardous for any industry. This is why the information security system at Turn Key University failed and the data breach occurred.

According to Australian Privacy Principle 11 (APP 11), an organization is responsible for shielding personal information from external interference (Peltier, 2016). It must protect personal information from misuse, loss, unauthorized access, disclosure and modification. The principle also states that it is the organization's responsibility to de-identify or discard any user ID that is no longer in use.

After investigating the entire case study, it was seen that student information no longer in use was never removed from the information system. It was also clear that the security measures at Turn Key University did not comply with the Australian Privacy Principles. Rather, they violated the law, though mostly through the ignorance of the employees and the authorities about their legal obligations.

The case study puts forward a few recommendations based on the pattern of the data breach. It recommends that the university employ a chief security officer, with whom the whole organization can communicate to agree any changes in the security system. It also suggests that access control be formalized in compliance with information privacy legislation (Stair & Reynolds, 2017), and that disciplinary action be taken on violation of any policy. Lastly, it suggests that the university train its entire workforce in the legal security measures and raise awareness of them across the whole university, including the students.

On critical analysis, all of these suggestions are appropriate to the problems in the case study. The absence of a security head had resulted in chaos in the information privacy system (Wright & Raab, 2014), and ignorance of the system and the lack of proper legislation had resulted in the data breach. Therefore the suggestions are appropriate to the analysis of the scenario and the problem that occurred.

Conclusion

In conclusion, an organization's information system is one of its biggest assets and needs to be kept secure at any cost. The case study described here is an incident in the management structure of Turn Key University (TKU). There had been a severe data breach involving the personal information of about 500 students at the university, which called for an investigation led by the Finance head and an external auditor to find the root cause of the incident. The investigating team interviewed the entire workforce by division and concluded that the main culprit was the contractor responsible for updating the security system. However, he could only gain access to the system because of the lax security measures taken to prevent information breaches: login details and passwords were passed around through unsecured channels, which allowed the contractor to gain unauthorized access to information. Although the data breach did not do much harm to the student database, the theft of the PII cost the university its reputation. The organization's security measures never complied with the Australian privacy protection laws, and a few recommendations are therefore suggested to restore the information security management structure of the university.

References

Ayyagari, R., & Tyks, J. (2012). Disaster at a university: A case study in information security. Journal of Information Technology Education, 11, 85-96.

Bennett, C. J., & Raab, C. D. (2017). The governance of privacy: Policy instruments in global perspective. Routledge.

Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2017). Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), 523-548.

Cram, W. A., Proudfoot, J. G., & D’Arcy, J. (2017). Organizational information security policies: a review and research framework. European Journal of Information Systems, 26(6), 605-641.

Edwards, B., Hofmeyr, S., & Forrest, S. (2016). Hype and heavy tails: A closer look at data breaches. Journal of Cybersecurity, 2(1), 3-14.

Garba, A. B., Armarego, J., & Murray, D. (2015). A policy-based framework for managing information security and privacy risks in BYOD environments. International Journal of Emerging Trends & Technology in Computer Science, 4(2), 189-98.

Laudon, K. C., & Laudon, J. P. (2016). Management information system. Pearson Education India.

Lowry, P. B., Posey, C., Bennett, R. B. J., & Roberts, T. L. (2015). Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust. Information Systems Journal, 25(3), 193-273.

Mann, I. (2017). Hacking the human: social engineering techniques and security countermeasures. Routledge.

Manworren, N., Letwat, J., & Daily, O. (2016). Why you should care about the Target data breach. Business Horizons, 59(3), 257-266.

Pardo, A., & Siemens, G. (2014). Ethical and privacy principles for learning analytics. British Journal of Educational Technology, 45(3), 438-450.

Peltier, T. R. (2013). Information security fundamentals. CRC Press.

Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. CRC Press.

Peltier, T. R. (1998). Information classification. Information Systems Security, 7(3), 31-43. doi: 10.1201/1086/43300.7.3.19980901/31007.8

Romanosky, S., Hoffman, D., & Acquisti, A. (2014). Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1), 74-104.

Romney, M. B., Steinbart, P. J., & Cushing, B. E. (2016). Accounting information systems (pp. 638-641). Upper Saddle River, NJ: Prentice Hall.

Ross, R. S. (2014). Security and Privacy Controls for Federal Information Systems and Organizations [including updates as of 1/15/2014] (No. Special Publication (NIST SP)-800-53 Rev 4).

Sen, R., & Borle, S. (2015). Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32(2), 314-341.

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224.

Siponen, M., Pahnila, S., & Mahmood, M. A. (2014). Compliance with information security policies: An empirical investigation. Computer, 43(2).

Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.

Wright, D., & Raab, C. (2014). Privacy principles, risks and harms. International Review of Law, Computers & Technology, 28(3), 277-298.

Cite This Work


My Assignment Help. (2019). Investigating Data Breach At Turn Key University: Essay. Retrieved from https://myassignmenthelp.com/free-samples/organizational-information-security-policy.

