Discuss the specific recommendations that you would make based on your personal experience and research.
The situation in the case study is an example of a data breach incident in which the information in the database was accessed without authorization and then found its way onto the Pastebin website. First and foremost, the firm should maximise the protection of its database by using appropriate antivirus and antimalware software on its systems. For additional security, the firm can also increase the use of strong passwords and require named user accounts for members of staff who handle the data (Thomas, 2018).
For assurance, the firm needs to conduct regular tests and audits to find any vulnerability, prove the security of its data and minimise the risk of breaches. An ISMS can assist in managing all data security processes in a single place, cost-effectively and consistently. Programs that monitor the system, combined with data loss prevention technology, can help block data from leaving the firm's network and systems without authorization (Fowler, 2016). The firm needs to understand its systems and applications adequately in order to patch the loopholes effectively (Jacobs, 2014).
Discuss the impact (from the perspective of various stakeholders) of the lack of access controls and auditing.
The role of access controls is to minimise the risk of valuable data being accessed by unauthorized individuals. They are also fundamental in protecting the firm's systems from breakdown, especially as a result of viruses and malware. Audits, on the other hand, help a firm understand its systems' strength to withstand attacks and the loopholes within the systems that make them vulnerable to attack. If these two components of cyber security are lacking, there can be a loss of confidential data and customer data. If a breach occurs and customer data is lost, the stakeholders are liable to give answers, especially if the affected persons go to court. If financial data falls into unauthorized hands, there is a possibility of the data being used against the firm and its stakeholders (Fowler, 2016).
How can technology be used as an enabler and facilitator of effective access controls and auditing?
Technology can enable effective access controls through patching and security-update software on servers, machines, and workstations, which helps gauge the strength of the access controls. Protected password technologies such as fingerprint and eye scanners can be useful in monitoring the people accessing the data, systems, programs, and cloud applications. The use of named user accounts can also serve the same purpose. Technologies that support the system's security and the application access logs should be encouraged. For auditing, firms should apply computer-assisted audit techniques (CAATs) such as IDEA, ACL, SQL, and VIRSA to facilitate effective auditing. CAATs ensure that application control reviews are covered, especially in huge databases (Thomas, 2018).
How can you apply the lessons that you learned from the story to your company problem?
The primary lesson from the story is the effect of not conducting a comprehensive study of the systems a firm is using. I find it essential that we conduct a full review of our systems and applications to detect any loophole and fix it. The other lesson is the importance of increased use of access controls and named user accounts to control who accesses our data (Jacobs, 2014).
Fowler, K. (2016). Data Breach Preparation and Response: Breaches Are Certain, Impact Is Not. Amsterdam: Elsevier Science Publishing Co.
Jacobs, J. (2014). Data-Driven Security: Analysis, Visualization and Dashboards. Hoboken: Wiley.
Thomas, L. M. (2018). Thomas on Data Breach: A Practical Guide to Handling Data Breach Notifications Worldwide. Eagan, MN: Thomson Reuters.