Security of Employee Data
The DAS (Department of the Administrative Service) is responsible for delivering many services to the various departments of the state government in Australia. The DAS data centre is accountable for delivering these services. A new service provider has been introduced to DAS in order to upgrade the existing system to a ‘SaaS’ (Software-as-a-Service) model, a centrally hosted, licensed software delivery model. A team of two members has been introduced to the management to deliver a risk management program that will help identify the threats and risks to the privacy and security of the data of employees who work at DAS. The following report presents a severity matrix showing the likelihood, impact and priority of the identified risks and threats, each rated on that basis.
| S.No | Security Threat/Risk Description | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|
| Student 1 | | | | | | |
| S1. | Cloud Computing | VL | VH | VH | Encrypting files before uploading; protecting credentials from unauthorized access | Accessing third-party services; changing the credentials regularly or using auto-generated passwords |
| S2. | Poor configuration | M | VH | VH | Systems should be well configured and pre-checked; applications and the operating system should be updated on a regular basis | The IT team should cross-check the configuration before connecting it to the network |
| S3. | Weak or non-existent security architecture | H | H | M | Personnel should already be in place to design the security architecture for the systems of DAS (Sundararajan, 2014) | Advice from external IT experts |
| S4. | Third party software in the system | M | H | M | Using personal applications, databases and servers; there should be no cloud storage | Third parties should be licensed and their policies should meet the requirements of DAS; regularly updating the applications provided by service providers |
| Student 2 | | | | | | |
| S5. | Botnets | L | VH | VH | Strong IT security architecture; proper encryption of the files that are about to be uploaded to the cloud; proper, licensed antivirus (Asghari, van Eeten & Bauer, 2015) | Enabling auto-update for firewalls and antivirus; the operating system should be original and updated |
| S6. | External removable devices | L | L | VL | DAS should provide personal external devices to the employees; BYOD (Bring Your Own Device) should not be implemented in the management system; auto-run should not be available, or should be disabled, for devices connecting externally to the system | Training employees on how to use external devices on the office premises |
| S7. | Websites | VH | H | VH | Blocking access to websites that may contain malicious programming; using updated firewalls | Installing the latest antivirus and keeping it updated whenever an update reaches the market; training employees about accessing proper websites |
| S8. | Phishing | H | VH | M | Installing professional enterprises into the system | Providing training to the employees on a regular basis |
Likelihood – VL, L, M, H, VH
Impact – VL, L, M, H, VH
Priority – VL, L, M, H, VH
Cloud Computing: Cloud computing can lead to various security issues related to the employee information saved in the Cloud. Saving files and information on the internet makes them vulnerable to cyber-attacks and data breaches. Considering the latest data breaches, it can be said that cybercrime is a real concern for this new digital world.
Poor configuration: This can be considered a pre-existing threat that was the complete responsibility of the providers and suppliers. A poorly configured system can easily be breached by intruders and could lead to several security issues for the employees of DAS (Lafuente, 2015). A proper IT team should be appointed before computers are purchased in order to pre-check the supplies.
Weak or non-existent security architecture: A weak network security architecture is another important factor that can lead to exposure of personal and sensitive information and, in turn, affect the security of the employees and the organization too. A security architecture for the network used within the organization should always be present and kept up to date.
Third party software in the system: Using third-party software makes the organization completely reliant on the third party and dependent on it for “what, when and how” the data should be used. Nothing is stable in this digital world, especially with respect to information systems. Breaches that affect the third party will automatically affect the information and data that the organization has entrusted to it.
Existing Security Threats to Employee Data
Botnets: Botnets are not a new concept in cybercrime. They are used to gain access to systems whose access is highly secured. They can be spread into a system by mail, files or several other means, and allow unauthorized users to access the system.
External removable devices: Many kinds of malicious code can be transferred to the systems in which these devices are used (Felbermayr, Hauptmann & Schmerer, 2014). Not all computers are safe, and using external devices could transfer malicious viruses from one system to another.
Websites: Using untrusted websites generally leads to the download of malicious code that could harm the system. These websites often ask users to download applications that are not certified or licensed. Using secure, certified and safe websites should be the first step in keeping the data in the system secure.
Phishing: A term used in computer science, generally related to the transfer of malicious programs via emails or messages.
| S.No | New Security Threat/Risk of employee data Description (after moving to SaaS) | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|
| Student 1 | | | | | | |
| S.Cd1. | Data Access | VL | H | VH | Defining the level of access and to whom it may be granted; not hesitating to ask about the technical side of the SaaS provider | Conditions should be implemented in the agreement |
| S.Cd2. | Instability | M | H | L | Data portability should be handled carefully and securely; situations such as data loss should be anticipated in advance (Caroll, 2014) | Encountering changes to the security policies or changes in price |
| S.Cd3. | Lack of transparency | VH | L | M | Security protocols should be cross-checked; a large compensation agreement will ensure the SaaS provider works more effectively | DAS should know everything about the IT infrastructure and security system of the SaaS provider |
| S.Cd4. | Identity Theft | M | VH | H | Keeping credentials personal and private; using auto-generated passwords; identity detection should be the latest and kept updated (Mann, 2012) | One Time Password (OTP) |
| S.Cd5. | Uncertainty of data location | VH | VL | L | Recovering data on a regular basis; updating data; deleting unnecessary data | The agreement should state that the SaaS service provider pays compensation for any data loss |
| Student 2 | | | | | | |
| S.Cd6. | Paying Long-term and upfront | VH | VL | VL | DAS should choose the shortest service term | Post-paid service can be helpful |
| S.Cd7. | Agreement made is unsure | VH | M | L | DAS should check all the terms and policies of the service provider and whether or not they meet the policies of DAS | The agreement should be made by DAS |
| S.Cd8. | How data is actually being secured | L | H | VH | DAS should encrypt the data before sending it to the SaaS service provider | Regular audit of the data being saved |
| S.Cd9. | No direct control over the data | H | VL | M | The management should decide which data should be uploaded to the cloud and which should not | Only unimportant data should be uploaded to the Cloud |
| S.Cd10. | Not kept up to date with modern security standards | VH | VH | VH | Service provider should provide updated security measures | The service provider should be reminded again and again to update the security |
Likelihood – VL, L, M, H, VH
Impact – VL, L, M, H, VH
Priority – VL, L, M, H, VH
Data Access: Employees, if not trained well, might access websites that can upload or download malicious code into the system. This code is capable of corrupting, manipulating and deleting the data and information saved in the database system.
Instability: SaaS (Software as a Service) does not provide stability of data. Uploading or porting data into the Cloud could be a hassle for the organization and for the management responsible for data management. Proper policies should be introduced to address issues that might affect the security of DAS’s employees (Pfeifer, 2016).
Lack of transparency: SaaS cannot provide customers with transparency about how it works, which creates distrust of the service provider. Several security questions go unanswered for clients like DAS. This leaves a gap, and speculation, about the services offered by the SaaS.
Identity Theft: Making payments to this service provider by credit card is risky and raises concern about the potential risks that may arise. Identity management can sit within the company’s LDAP directories, inside the firm’s firewall, or on the SaaS provider’s website in order to make the system more secure (Kristal, 2017).
Uncertainty of data location: The data is stored in the cloud, a virtual space for saving data and information, which raises concern about the uncertainty of the location where the data is saved. In this case even the headquarters are separate and situated far away from the location of the firm.
Explaining Issues
Paying Long-term and upfront: SaaS does not provide any short-term services, so the commitment holds irrespective of changes made to policies or of whether the organization still needs the service. The service is offered only after payment, which is a matter of security concern for the customers or clients.
Agreement made is unsure: Agreement papers are generally long documents which, in general, no one bothers to read; if they are read properly, individual customers might have many concerns regarding the security of the information being shared with the third party (Müller & Neumann, 2015).
How data is actually being secured: As stated above, SaaS does not agree to expose the security architecture of its services, which leads to concerns about whether or not the data moved to the cloud by SaaS will be safe.
No direct control over the data: DAS will be helpless in controlling the data after uploading it to the Cloud. After moving to SaaS, DAS will have to rely completely on the provider for any data or information related to employees or any operational or transactional details (Smith & Ross, 2014).
Severity of Risk and Threat to Security of Employee Data
| Probability \ Severity | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High | S.Cd5. & S.Cd6. | S.Cd3. | S.Cd7. | S7. | S.Cd10. |
| High | S.Cd9. | S3. | S8. | | |
| Medium | S4. & S.Cd2. | S2. & S.Cd4. | | | |
| Low | S.Cd8. | S5. | | | |
| Very Low | S6. | S.Cd1. | S1. | | |
| S.No | Privacy Threat/Risk of employee data Description | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|
| Student 1 | | | | | | |
| P.1. | Video surveillance | H | H | VH | Written policy documents should be presented to employees before recruiting them | Showing disciplinary action within the premises by employees |
| P.2. | Telephone monitoring | L | H | VL | Fixed-dialling telephones should be used within the work environment | Proper policies can help restrict employees from making calls that may affect the reputation and performance of the organization |
| P.3. | Internet usage monitoring | L | VH | VH | Updated and original firewalls, operating system and secured network (Miller, 2012) | Training employees on how to surf and what to surf on the internet |
| Student 2 | | | | | | |
| P.4. | Computer monitoring | VH | L | H | Original software, applications and hardware, as needed, should be provided by DAS (Miller, 2012) | Blocking domains and restricting usage |
| P.5. | Email monitoring | M | H | VH | Private messaging websites (portal) for the organization’s daily operational activities | An agreement should be made as a compromise between employees and the organization |
| P.6. | | VL | M | L | Bring-your-own-device (BYOD) should be restricted on office premises or in work environments | Training programs and better policies |
Explain issues
Video surveillance: Video surveillance is beneficial only from the perspective of the organization; it can affect the privacy of employees in the workplace. It can help protect the organization’s assets, but it also raises privacy concerns for the employees working in that environment (Kristal, 2017).
Telephone monitoring: This is another issue related to employee privacy; it could expose to whom and about what an individual is talking. Those conversations may be very personal, and the individual may not want them exposed to anyone.
Internet usage monitoring: Organizations generally monitor the internet usage of employees, especially those whose operational activities are connected to the internet (Finkin, 2015). This could lead to proper internet usage by employees at the workplace but will no doubt affect the privacy of the individual.
Computer monitoring: Computer monitoring is another common practice in many organizations that might affect the privacy of individuals, as there may be personal media files that an individual is unwilling to expose to others without his or her permission.
Email monitoring: Email is generally used for personal messages and contains very personal information about the individual’s life, which no one would like to expose to an unwanted individual. Accessing this information against the will of the employees exposes their private information to the outside world.
New Security Threat to Employee Data (After Moving to SaaS)
Mobile device monitoring: Mobile devices hold individual information that can be considered personal and private; monitoring it would go against, and violate, the policies of FERPA.
| S.No | New Privacy Threat/Risk of employee data Description (after moving to SaaS) | Likelihood | Impact | Priority | Preventive Actions | Contingency Plans |
|---|---|---|---|---|---|---|
| Student 1 | | | | | | |
| P.Cd1. | Data and information may be compromised | H | VH | VH | Encrypting all files before uploading to the Cloud; tokenization of files; using a protected server | Involving a third party for the system |
| P.Cd2. | Types of information saved | VL | L | L | Categorizing data into different groups; very personal information should not be uploaded (Humphreys, 2016) | Suggestions or permission from employees on which data they want to upload |
| Student 2 | | | | | | |
| P.Cd3. | Distant location of headquarters | VL | H | H | The data centre should be located near the organization or incorporated within the organization’s premises | DAS can ask for the headquarters to be situated closer to the office premises or at least in the same city |
| P.Cd4. | Malicious virus attack and data breaches | VH | VH | VH | A professional and experienced IT team should be incorporated within the management; using antivirus (Rusinek & Rycx, 2013) | An external IT team or any experienced individual can be consulted |
Likelihood – VL, L, M, H, VH
Impact – VL, L, M, H, VH
Priority – VL, L, M, H, VH
Explain issue
Data and information may be compromised: After moving to SaaS, the data saved on the internet becomes more vulnerable to cyber-attacks, which might expose employee information. This may include personal information such as medical reports, qualifications and much more.
Types of information saved: DAS should not upload all the data saved in the database to the Cloud. It should first categorize the data and then upload it, since data breaches may expose it and cause privacy issues for individuals (Rusinek & Rycx, 2013).
Distant location of headquarters: A distant headquarters means no face-to-face interaction between the service provider and the DAS management. If a vulnerability arises, there is no means to shut down the whole system.
Malicious virus attack and data breaches: Data breaches and virus attacks are among the topics of greatest concern nowadays, and their results may be unfavourable for both the organization and the employee (Müller & Neumann, 2015). These unwanted incidents give unauthorized users access to the information and the power to manipulate, delete and expose it. This may include very personal and sensitive information of the employees working in DAS. Various measures for mitigating and eliminating these threats and risks have been proposed in the table above.
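As an added illustration (not part of the original report), the following Python sketch applies the "categorize, tokenize, withhold" measures listed for P.Cd1, P.Cd2 and S.Cd9 to one HR record before it is sent to the SaaS provider. The field names, the policy map and the `TokenVault` class are hypothetical, and the record is constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Handling classes for HR fields (assumed categories, not from the report).
PUBLIC = "public"      # uploaded unchanged
TOKENIZE = "tokenize"  # replaced by a token; the real value stays inside DAS
WITHHOLD = "withhold"  # never uploaded

# Hypothetical field names and the class assigned to each.
FIELD_POLICY = {
    "employee_id": PUBLIC,
    "department": PUBLIC,
    "full_name": TOKENIZE,
    "bank_account": TOKENIZE,
    "tax_file_number": TOKENIZE,
    "medical_notes": WITHHOLD,
}

# Constructed sample record; "emergency_contact" is deliberately unclassified.
SAMPLE_RECORD = {
    "employee_id": "E-1042",
    "department": "Payroll",
    "full_name": "Jane Citizen",
    "bank_account": "062-000 12345678",
    "tax_file_number": "123 456 782",
    "medical_notes": "Asthma; annual review due",
    "emergency_contact": "Sam Citizen, 0400 000 000",
}


class TokenVault:
    """Keeps the token -> value mapping on the DAS side only."""

    def __init__(self, key: bytes):
        self._key = key
        self._values = {}

    def tokenize(self, field: str, value: str) -> str:
        # Keyed HMAC: the same value always yields the same token, so the
        # provider can still match records, but nobody without the DAS key
        # can recompute a token to test a guessed value.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        token = "tok_" + mac.hexdigest()[:32]
        self._values[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._values[token]


def prepare_for_upload(record: dict, vault: TokenVault):
    """Split a record into the payload for the provider and the withheld fields."""
    payload, withheld = {}, []
    for field, value in record.items():
        # Default deny: a field nobody has classified is treated as WITHHOLD.
        policy = FIELD_POLICY.get(field, WITHHOLD)
        if policy == PUBLIC:
            payload[field] = value
        elif policy == TOKENIZE:
            payload[field] = vault.tokenize(field, str(value))
        else:
            withheld.append(field)
    return payload, withheld


def leaked_values(record: dict, payload: dict) -> list:
    """Audit step: non-public fields whose raw value still appears in the payload."""
    serialized = json.dumps(payload)
    return [
        field for field, value in record.items()
        if FIELD_POLICY.get(field, WITHHOLD) != PUBLIC and str(value) in serialized
    ]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))  # key generated and kept by DAS
    payload, withheld = prepare_for_upload(SAMPLE_RECORD, vault)
    print(json.dumps(payload, indent=2))
    print("withheld:", withheld)
    print("leaks:", leaked_values(SAMPLE_RECORD, payload))
```

The vault and its key stay on DAS systems; only the payload leaves, and `leaked_values` can be run as the regular audit the tables call for.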
Severity of risk and threat to privacy of employee data
| Probability \ Severity | Very Low | Low | Medium | High | Very High |
|---|---|---|---|---|---|
| Very High | P.4. | P.Cd4. | | | |
| High | P.1. | P.Cd1. | | | |
| Medium | P.5. | | | | |
| Low | P.2. | P.3. | | | |
| Very Low | P.Cd2. | P.6. | P.Cd3. | | |
The following issues arise from the digital identity of DAS employees when moving to SaaS.
Data breach: Exposure of very personal and sensitive information of citizens to unauthorized users can enable intruders to make extortion demands and commit fraud. This could lead to exposure of information about the employees and create many problems for an individual’s livelihood (Müller & Neumann, 2015).
Mass surveillance: Exposure of personal and private information covering a large part of the population, including usage data that would reasonably be presumed to be private.
Individual surveillance: Similar to mass surveillance: exposure of personal information, including usage data that would reasonably be assumed to be private, to private investigators (Abowd, McKinney & Zhao, 2015).
Identity theft: Exposure of sensitive information that allows subsequent impersonation can lead to duplication of the digital identity and allow unauthorized users access to the data or information (Rusinek & Rycx, 2013).
Integrity threats: These include attacks on the cryptographic underpinnings of the scheme. Digital identity can allow access to the scheme’s private keys in such a manner that the authentication services would no longer be trusted.
Alteration of data: Alteration of data means either manipulating or deleting information and data, which can be done to enable identity takeover or to disrupt the services.
This new implementation process could be kept highly private in order to manage HR and contract managers. Features and capabilities that are irrelevant or inappropriate for the data stored in DAS’s HR database system should be overlooked.
Applicant tracking: Tracking the positions of employees according to their capabilities can be a solution for these issues.
Performance management: The ability to determine the capabilities of individual employees and guide them towards aligning their goals with the organizational goals. It is recommended in this case as it will suit DAS in enhancing performance and achieving the respective goals (Taylor, Fritsch & Liederbach, 2014).
Offered HRMS software: It will benefit DAS in all aspects, as it will help by increasing efficiency and saving time in management.
ELearning authoring: This can be considered as an option for training the employees, originated and evaluated by DAS itself. It will help provide information and increase awareness among the employees on how to use the latest technology give access publicity (Abowd, McKinney & Zhao, 2015).
Proper certification: In order to move the organization towards its goals, agreements between the workers should be proper and documented. In the same manner, for proper functioning and for any later compensation, there should be a proper agreement between the SaaS service provider and DAS.
Concerning the privacy and security of employees’ personal information saved in the cloud, both the SaaS solution and the operational location can be beneficial for DAS. This implementation and these changes will help the organization keep the personal and sensitive information saved in the HR system database private and secure (Rusinek & Rycx, 2013). However, some recommendations can be made to mitigate the threats and risks that may make employee information vulnerable.
The first and most important point about this implementation is that the operational solution and location offered to DAS provide both canned integration and open APIs. The new implementation also introduces HRMS vendors (and applications), which gives DAS two options: first, making an extra payment, and second, downloading connectors specific to the organization’s operations. The open APIs allow users to build integration between the systems.
There are many issues related to data sensitivity in this case that must be considered in order to protect the organization’s and employees’ information. This makes it crucial to point out each one; some of these issues are:
Data sensitivity: Data sensitivity covers very sensitive data about an individual, such as credit card details, Social Security Numbers (SSNs), bank account details, medical information, educational qualifications and many more. The new SaaS implementation in DAS could pose serious threats and issues to information like this (Feher, 2016).
Regulations: An example can help make regulations clearer: the implementation of “how and what data should be saved” is governed by several jurisdictions. Different types of data protection do not have the same requirements; in this case, intellectual property protection and financial protection need different types of protection for the benefit of DAS. “This was not stated as regulatory but was affecting directly the requirements that were necessary for the data protection” (Müller & Neumann, 2015).
Data confidentiality: This is another issue related to data sensitivity: the requirements differ for different information or data, as much information needs to be treated as confidential while some information does not need confidentiality. The availability of data responsible for the continuity and life of the business is critical. In this case, the availability of data related to the business continuity of DAS is much more crucial than any other information.
The substituting and spoofing of the data: This is the last identified data sensitivity issue. Data integrity assurance guards against the spoofing and substitution of data, and other matters related to employee information, that can be responsible for improper behaviour of the system. It can be recommended that DAS not conflate the confidentiality of employee information with that of the organization’s own information, in order to maintain the privacy and security of the employee.
Conclusion:
Based on the above report, it can be concluded that there are various existing threats to the information of employees working in an organization. Moving to a SaaS implementation can be beneficial for DAS, but there are several threats and risks to this implementation. These threats and risks can cost the employees working there their security and privacy. This report also emphasises the privacy and security issues for employees that will arise after the implementation of the new system in the organization. Two severity matrices have been proposed in this report in order to measure the severity and probability of the impacts those risks may have on employee information.
References:
Asghari, H., van Eeten, M. J., & Bauer, J. M. (2015). Economics of fighting botnets: Lessons from a decade of mitigation. IEEE Security & Privacy, 13(5), 16-23.
Abowd, J. M., McKinney, K. L., & Zhao, N. (2015). Earnings Inequality Trends in the United States: Nationally Representative Estimates from Longitudinally Linked Employer-Employee Data. NBER Chapters.
Feher, K. (2016). Digital identity: The transparency of the self. In Applied Psychology: Proceedings of the 2015 Asian Congress of Applied Psychology (ACAP 2015) (pp. 132-143).
Felbermayr, G., Hauptmann, A., & Schmerer, H. J. (2014). International trade and collective bargaining outcomes: Evidence from German employer–employee data. The Scandinavian Journal of Economics, 116(3), 820-837.
Finkin, M. (2015). The Acquisition and Dissemination of Employee Data: the Law of the European Union and the United States Compared. Studia z zakresu prawa pracy i polityki społecznej, 2015.
Frankenberger, K., Weiblen, T., & Gassmann, O. (2013). Network configuration, customer centricity, and performance of open business models: A solution provider perspective. Industrial Marketing Management, 42(5), 671-682.
Gaddam, A., Aissi, S., & Kgil, T. (2014). U.S. Patent Application No. 14/303,461.
Gholami, A., & Laure, E. (2016). Security and privacy of sensitive data in cloud computing: a survey of recent developments. arXiv preprint arXiv:1601.01498.
Heining, J., Klosterhuber, W., & Seth, S. (2014). An Overview on the Linked Employer-Employee Data of the Institute for Employment Research (IAB). Schmollers Jahrbuch, 134(1), 141-148.
Hudson, K. L., & Pollitz, K. (2017). Undermining Genetic Privacy? Employee Wellness Programs and the Law. New England Journal of Medicine.
Kristal, T. (2017). Who Gets and Who Gives Employer-Provided Benefits? Evidence from Matched Employer-Employee Data. Social Forces, 1-33.
Lafuente, G. (2015). The big data security challenge. Network security, 2015(1), 12-14.
Lewis, L. (2013). Digital identity: are students’ views regarding digital representation of ‘self’ gendered?
Mann, M. I. (2012). Hacking the human: social engineering techniques and security countermeasures. Gower Publishing, Ltd.
Müller, K. U., & Neumann, M. (2015). How reliable are incidence estimates based on cross-sectional distributions? Evidence from simulations and linked employer-employee data.
Pandey, S. C. (2016, October). An efficient security solution for cloud environment. In Signal Processing, Communication, Power and Embedded System (SCOPES), 2016 International Conference on (pp. 950-959). IEEE.
Pfeifer, C. (2016). Intra-firm wage compression and coverage of training costs: Evidence from linked employer-employee data. ILR Review, 69(2), 435-454.
Rusinek, M., & Rycx, F. (2013). Rent-Sharing under Different Bargaining Regimes: Evidence from Linked Employer–Employee Data. British Journal of Industrial Relations, 51(1), 28-58.
Sari, K. (2013). Selection of RFID solution provider: a fuzzy multi-criteria decision model with Monte Carlo simulation. Kybernetes, 42(3), 448-465.
Smith, M., & Ross, A. (2014). Workplace law: Employee privacy: Take care when dealing with records. Proctor, The, 34(4), 42.
Sundararajan, A. (2014). Peer-to-peer businesses and the sharing (collaborative) economy: Overview, economic effects and regulatory issues. Written testimony for the hearing titled The Power of Connection: Peer to Peer Businesses.
Taylor, R. W., Fritsch, E. J., & Liederbach, J. (2014). Digital crime and digital terrorism. Prentice Hall Press.
Zhao, F., Li, C., & Liu, C. F. (2014, February). A cloud computing security solution based on fully homomorphic encryption. In Advanced Communication Technology (ICACT), 2014 16th International Conference on (pp. 485-488). IEEE.