Question
Tsai Advanced Technology, Inc. (TATI) is a fictional multi-national company providing outsourced financial services to a variety of clients across many industries, including commercial and government entities. TATI specializes in billing and invoicing services, in which TATI receives relevant data from its clients and processes the data to produce the invoices, monthly statements, and other billing items that are sent to TATI's clients' customers. TATI employees serve the company's customers both on-site at customer locations and while working in TATI facilities. TATI employees routinely store data related to multiple clients on their company-issued laptops. TATI's Chief Information Officer, having read of the numerous data breaches reported among commercial and government organizations, has become concerned about the risk to TATI's customers and potentially the company's reputation if TATI were to experience a similar breach. He has tasked you, the Director of Information Security, to create a new corporate policy regarding the protection of client and company confidential data stored on employee computers, particularly including laptops.

Respond to each of the following, taking into account material we have studied in this course regarding threats and vulnerabilities. Cite these and other pertinent sources used in your answer. Be specific and briefly but fully explain and give reasons for your answers.

a. Summarize the primary vulnerabilities and potential threats that exist for TATI related to the practice of storing sensitive data on laptops. Use your answer to clarify the difference between vulnerabilities and threats (if there are any). In your opinion, which of the risks TATI faces are most significant to the company?

b. What measures would you propose to senior management to try to prevent a breach of data held by TATI? Your response should include recommendations for mitigating vulnerabilities identified in part (a).

c. Discuss the key characteristics of a policy statement and write one specifying employee and company responsibilities for protecting client and corporate data, such as the data stored on employee laptops. Be sure to address requirements for protecting the data from theft, and for rendering the data unusable should it be compromised.
Explanation / Answer
a) To understand the challenge that increasingly distributed and mobile businesses face in protecting sensitive information, Cisco commissioned third-party market research firm InsightExpress to conduct a study with employees and IT professionals around the world.
As part of the study, surveys were conducted in 10 countries that Cisco selected because of the differences in their social and business cultures.
In each country, 100 end users and 100 IT professionals were surveyed, producing a total of 2000 respondents.
The research discovered that despite the security policies, procedures, and tools currently in place, employees around the world are engaging in risky behaviors that put corporate and personal data at risk. Employee behaviors included:
• Unauthorized application use: 70 percent of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies' data loss incidents.
• Misuse of corporate computers: 44 percent of employees share work devices with others without supervision.
• Unauthorized physical and network access: 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
• Remote worker security: 46 percent of employees admitted to transferring files between work and personal computers when working from home.
• Misuse of passwords: 18 percent of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.
To reduce data leakage, businesses must integrate security into the corporate culture and consistently evaluate the risks of every interaction with networks, devices, applications, data, and of course, other users.
Any multinational company, not only TATI, should follow the above rules.
b) Unfortunately, there is no single thing an organization can do to protect itself and its customers' data from a breach.
There are, however, a number of things that, when combined, work together to limit the value of the data that could be stolen:
c)
The proliferation of office printers, copiers, fax machines, email, laptop computers, personal digital assistants (PDAs), smartphones, and portable storage devices has allowed for dissemination — accidental or intentional — of information in quantities never before imagined.
Thus, the challenge for organizations is not just in keeping track of the ever-growing mountain of new information being produced each year, but also monitoring and managing the archives. Putting clear policies in place and effectively enforcing them are essential.
Privacy is increasingly becoming an important business issue. Nearly every state in the U.S. has enacted a data breach notification law.
These laws require businesses to notify consumers of breaches of security. Many of these laws may impose additional obligations upon businesses.
Data breaches can cost companies millions of dollars per incident in direct costs, such as notifying victims. In addition, the public relations fallout from a data breach can be significant. Corporate reputations can suffer tremendously.
Furthermore, lawsuits against firms for negligent handling of personal information are becoming more common. Some states have passed laws allowing individuals to sue organizations that fail to safeguard their private data.
Federal statutes and regulations also permit government agencies to sue organizations over data breaches and other failures. Even if your organization prevails, litigation costs can be substantial.
Many employers are imposing new restrictions on who can take confidential records out of the office and are providing special training on how to keep data secure.
Workers found violating security policies are being disciplined, or even dismissed. So whether or not a company is cracking down on computer security, employees should consider protecting themselves.
Experts say it’s wise to check your company’s policy or urge such policies be adopted or clarified.
Companies using outside vendors to collect, store, process, transmit, or destroy their data should investigate their vendor's privacy and security policies and practices, delineate the vendor's specific obligations (rather than simply stating that the vendor will comply with all applicable laws), and perform privacy audits on vendors.
Additional concerns exist when employees are allowed to use their own mobile electronic devices (laptops, tablets and smartphones) for both personal and work purposes. PRC's Fact Sheet 40: "Bring Your Own Device . . . at Your Own Risk" addresses some of these concerns.
Using This Checklist
This checklist provides an overview of key points to consider when preparing information-handling policies and conducting privacy audits within your organization.
The checklist can be used by private, public and not-for-profit organizations alike. Not all points will be relevant to your organization.
Some situations may require you to take more stringent steps than those listed here. For example, medical records may necessitate extraordinary steps.
The checklist is divided into two sections.
Section I suggests issues to consider when drafting privacy principles to safeguard the personal information of your clients and customers.
Section II concerns privacy policies affecting your employees, such as personnel records, electronic monitoring, and email.
Understand that this is not an issue you can address once and have solved forever. Threats will change, technology will change, and employees will change. So your plans and processes should change along with them. Updates are crucial.
No one is immune. While some companies have data collection as their core business, all firms collect information on their clients, customers, and employees.
Don’t wait until a computer goes missing to think about what actions to take. Develop a complete checklist now.
Section I. DEVELOPING PRIVACY POLICIES TO GUIDE CUSTOMER / CLIENT RELATIONS
A. Organizational Policies
Does your organization have policies that outline its privacy practices and expectations for handling the personal information of its clients, customers, users, members and/or listees?
Are your organization's privacy policies communicated regularly? Opportunities include in employees’ initial training sessions, in regular organization-wide training programs, in employee handbooks, on posters and posted signs, on company intranet and Internet Web sites, in brochures available to clients.
Are all employees who handle personal information included in the training programs, including temporary employees, back-up personnel, and contract staff?
Is your organization familiar with and has it adopted International Standards Organization (ISO) security standards (www.iso.org)? The ISO 27000 series of standards has been specifically reserved by ISO for information security management.
B. Privacy Principles
The major components of effective privacy policies are listed below, adapted from the fair information practices developed by the Organisation for Economic Cooperation and Development (OECD).
Another useful compendium is the Canadian Privacy Code under the federal law, the Personal Information Protection and Electronic Documents Act.
Although designed to guide the development of national privacy legislation, these principles are also appropriate for organizations.
Openness. A general practice of openness about practices and policies should exist. Means should be available to establish the existence and nature of personal information and the main purposes of its use.
Purpose specification. The purpose for collecting personal information should be specified at the time of collection. Further uses should be limited to those purposes.
Collection limitation. Personal information should be collected by lawful and fair means and with the knowledge and consent of the subject. To the greatest extent possible, companies should employ principles of data minimization, that is, collecting only data that is actually necessary to conduct their business, and collecting such information only for the stated purpose.
Use limitation. Personal information should not be disclosed for secondary purposes without the consent of the subject or by authority of law.
Individual participation. Individuals should be allowed to inspect and correct their personal information. Whenever possible, personal information should be collected directly from the individual.
Quality. Personal information should be accurate, complete and timely, and be relevant to the purposes for which it is to be used.
Security safeguards. Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure. Access to personal information should be limited to only those within the organization with a specific need to see it.
Accountability. Someone within the organization, such as the chief privacy officer or an information manager, should be held accountable for complying with its privacy policy. Privacy audits to monitor organizational compliance should be conducted on a regular basis, as should employee training programs.
There are many variations of fair information principles (FIPs). For an overview of FIPs, read our guide, https://www.privacyrights.org/content/review-fair-information-principles-foundation-privacy-public-policy. See also Web site "seal" programs such as TRUSTe at www.truste.com, and the BBB Accredited Business Seal at http://www.bbb.org/us/bbb-online-business/
C. Data and Network Security
Security of personally identifiable information—whether stored in electronic, paper or micro-graphic form—is covered in many websites, books, journals, trade magazines, and conferences.