Importance of data and information security to organisations (3)
- Safeguarding business operations
- Mitigating financial loss and reputational damage
- Compliance with legal obligations
Safeguarding business operations
Reliable data and secure information systems allow an organisation to function without disruption.
Protecting against threats ensures business continuity and minimises downtime.
Mitigating financial loss and reputational damage
Data breaches or corruption can lead to direct financial costs (e.g., fraud, recovery expenses) and indirect costs through loss of customer
trust.
Reputational damage can reduce customer loyalty, partnerships, and market share.
Compliance with legal obligations
Organisations in Australia must comply with laws such as the Privacy Act 1988(Cwth), the Australian Privacy Principles (APPs) and Australian
Consumer Law to protect personal data.
Failure to do so can result in legal penalties, investigations, and corrective orders.
Effectiveness measures for data and information security strategies
CIA
Confidentiality
Integrity
Availibility
Confidentiality
Only authorised people/systems can view the data
Integrity
Data is accurate, complete, and only changed in valid, authorised ways
Availability
Data/systems are accessible and performant when needed
Types of threats
Accidental
Deliberate
Event Based
Accidental Threats
These are threats that are unintentional and unexpected.
* User Error
* Power loss (not event based)
* Hardware/Software malfunction
* Hardware loss
* Lack of security or knowledge
Deliberate Threats
These are threats that are created to cause loss or damage to the data
or information system.
Malware
Phishing
Hacking
Denial of Service attacks (DoS)
Thief
Malware
Designed to either damage, disrupt or gain unauthorised
access to an information system
incl. adware, bot, bug, keylogger, ransomware, rootkit, trojan, virus, worm and spyware
Event Based threats
Threat to data and information that is a result of a natural
event.
* This includes fires, flood, heatwaves, storms and earthquakes
* Power Surges are considered one type of event based
Security Controls
Is a measure designed to protect data and information form threats, either
accidental, deliberate or event based
Do not guarantee that the data and
information will be fully protected
Reduces the chances of unauthorised access and/or data loss.
5 groups of security controls and procedures
Hardware Controls
Software Controls
Physical equipment
Procedures
Electronic measures
Hardware Security Controls
Are hardware-based measures that are used to protect data and
information
* Biometrics
* Uninterrupted Power Supply (UPS)
* Firewalls
* Network intrusion prevention systems (IPS)
* Backup servers and NAS devices
Software Security Controls
Are software-based measures that are used to protect data and information.
* Usernames and passwords
* Access Logs
* Audit trails
* Access restrictions
* Encryption
* Firewalls
* System protection
* Security protocols
* Data Loss Prevention (DLP) Tools
* Two Factor authentication
* Security Information and Event Management (SIEM)
Physical Equipment
Are physical measures that are used to protect data and information.
* Fences and gates
* Bars on windows
* Doors with locks using swipe cards, password touch pads, active badges, voice
recognition and biometrics
* Guards
* CCTV
* Security badge systems: Limit access to sensitive locations.
* Secure storage cabinets and safes: Store portable drives, backups, and
sensitive documents.
* Fire suppression systems
Electrical Measures
- Firewalls (software-based): Control traffic flow between networks.
- Intrusion Detection Systems (IDS): Monitor for suspicious activity.
- Network segmentation: Isolate sensitive systems from the rest of the network.
- End-to-end encryption (E2EE): Prevents interception of transmitted data.
- Automated alerts and monitoring dashboards: Notify security teams of anomalies in real-time.
- Two-factor authentication (2FA) and biometric logins: Strengthen user verification.
- Virtual Private Networks (VPNs): Secure remote access via encrypted connections.
- Zoned security strategies
Common Signs of intrusion
- increased use of system resources
- new software installed
- changing passwords
- sending of spam email
- unknown applications requesting access
- system protection software uninstalled
- a device completing tasks by itself
*changes to a web browser home page
Other issues to consider regarding data security
- Out of date software (old software can have security leaks/loopholes)
- Digital signature (authentication technique)
- Ethical hacking (identify weaknesses)
Consequences for security failure
- Loss of customer loyalty
- Penalties and prosecution
- Loss of trade secrets to competitors
- Decline in stock market value
- Loss of productivity
- Inability to pay staff and suppliers
- Loss of income
- Costs, labour and disruptions to recreate data and repair or replace equipment
Evaluation Criteria: Confidentiality
- Unauthorized Access Prevention: Does the strategy effectively block
unauthorized individuals from accessing sensitive data? - Data Leakage: Is there evidence of data leaks or breaches?
- Encryption: Is data properly encrypted both at rest and in transit?
- Access Controls: Are access permissions properly managed, and is access
restricted to only authorized personnel? - Data Minimization: Is only the necessary data collected and retained?
Evaluation criteria: Integrity
- Data Tampering: Is data protected from being altered, deleted, or corrupted by
malicious actors? - Data Accuracy: Are there mechanisms for data validation and verification to ensure
accuracy? - Audit Trails: Are comprehensive logs and audit trails maintained to track data
changes? - Version Control: Does the system support data versioning to detect unauthorized
changes? - Error Handling: Are effective error-handling mechanisms in place to correct
accidental data issues?
