Information systems csis340 security policy implementation assignment | CSIS 340 – Studies in Information Security | Liberty University

Running head: DATA BREACH RESPONSE POLICY

Data Breach Response Policy for France Incorporated.

Student Name

Liberty University

Studies in Information Security, CSIS 340

June 11, 2018

Data Breach Response Policy for France Incorporated.

Overview

The data breach response policy covers all technological infrastructure set up and run by France Incorporated, including the computer systems, networks, and cloud services used to store, send, and receive company data. It also covers affiliates and vendors that use the network, and third-party companies that supply technological services to France Incorporated. With data breaches becoming a trend, companies must ensure that regulations are in place to prepare for such an eventuality. The problem lies in how frequently they keep happening as technology advances. According to Telang (2015), since 2005 the United States has documented more than 4,400 data breaches affecting about one billion records. The gravity of these impacts has pushed the company to study the areas affected and the protocol that must be in place and implemented for swift and successful control and containment.

A team of professionals composed of IT and IS employees will provide proper instruction and information to employees. They will also create a guideline to prevent former employees from accessing company data. The second part of this guideline will include directives for current employees to prevent unauthorized access and will educate them on ways to minimize unwanted intrusion. Lastly, a protocol will also apply to third parties, vendors, and affiliates that access our network at any point during their visit.

Purpose

The primary purpose of the policy is prevention; however, it also aims to regulate the procedures for communicating, evaluating, and assessing data breaches and the proper protocol to follow until resolution. From the moment a breach is suspected or confirmed, whether through unauthorized access or unauthorized use, the policy elaborates the different actions and strategies to be applied depending on the severity and importance of the breach. The policy also confirms the conditions, enumerates the different categories of breach and the applicable protocols, and sets out the duties of all who are concerned.

The policy will also ensure that all personnel are informed enough to take part in prevention and help identify a problem. As stated by Flowerday and Tuyikeze (2016), such a policy can also help distinguish authorized from unauthorized employee behaviors and sanction the latter accordingly. They reaffirm that the purpose of ISO/IEC 27002 (2013), which encompasses the data breach response policy, is to equip, maintain, and orient business management with the business requirements and regulations that apply when dealing with information security.

General Objective

France Incorporated understands the importance of all collected and stored data. Management also sees the risk of having this data accessed by employees, affiliates, or outsourcers. That is why it is mandatory for every department to first abide by the rules, which will clearly state where to report potential threats and breaches and how to address the situation rapidly. Moreover, with the help of the IT and IS departments, regular and consistent monitoring will take place.

Protocol

Any IT or IS personnel, or any other employee, who encounters a situation where theft, unauthorized access, download, disclosure, or use of company data is suspected, has taken place, or is planned must promptly send an email to our dedicated Information Security department at [email protected] explaining the situation, or contact us at 111-222-3333. Once the department receives the information, a complete investigation will take place. Moreover, in the case of a breach, the department will deploy the appropriate rules and procedures for fast resolution and send its report to management for proper actions or sanctions.

Scope

As stated above, the data breach response policy applies to all personnel, partners, associates, and visitors who access, use, store, or distribute the data of France Incorporated. The scope also covers personal and company devices. Anyone, and any device, that accesses our network automatically falls under the scrutiny of this policy and the appropriate legal and safety actions and sanctions from France Incorporated.

Policy Compliance

Initially, France Incorporated will set up access levels guaranteeing that only appropriate persons can access specific data, depending on their position, their need for the data, and their level of clearance and security. The IT and IS team will closely monitor every use and access. This rule will prevent unauthorized users from obtaining unapproved data and will also help track the user, the time, and the reason for each access.

From the moment a breach is suspected, analyzed, or confirmed, our IT and IS team will automatically deny access to the intruder, and the location of the unauthorized access and the details of the breached data will be identified and recorded. A team consisting of members from different departments, such as IT, IS, Legal, and Human Resources, will evaluate the situation, decide on proper actions, and apply the damage control procedures already elaborated.

Findings

Kim, Johnson, and Park (2017) explained that, for the most part, security or data breaches involve lost information or illegal use of consumers' credit cards. However, for businesses like France Incorporated, whose data consist primarily of customers' sensitive and private information, security and data breaches are just as significant and as devastating to brand and image. As widely used, convenient, and revolutionary as technology is in the business world, it also comes with challenges such as data breaches that can wreak havoc and damage a company's reputation.

The importance of this policy is better explained by Flowerday and Tuyikeze (2016), who stated in their research that an information security policy helps management distinguish employee patterns. From these patterns, further analysis can then categorize permitted and unauthorized actions, and from the accumulated data companies can set sanctions for the unwanted actions. They also pointed out that, with the help of ISO/IEC 27002 (2013), management now has rules to aid compliance with company policy and better protect its data.

All company computers run the latest version of the anti-virus software, and frequent scans take place automatically to prevent intrusion. Access to social media websites and other sites unrelated to work will also be blocked on employee computers. Under no circumstances may employees use external drives or thumb drives; they must also refrain from bringing personal computers or accessing the company's network from such devices.

The IT and IS departments must encrypt all data stored on company devices or in the cloud. Clear separation of regular data from sensitive data is needed so that the latter can be securely filtered and properly handled. As previously stated, the IT and IS team will select a team of four trained technicians to train, guide, and assist employees, so that they know how to handle sensitive data better.

Related Standards

The Team

The primary concern of the data breach response policy is that the proper team is already available for fast response and resolution. It is counterproductive to have a policy in place without the trained personnel. As technology evolves, so do hacking and breach techniques. Even though it is costly to hire, train, and provide continued training, France Incorporated has vowed to set a proper budget in place, and with the help of the Information Security director a plan will be elaborated to provide initial and continued training.

Internal Training

A trained information security team cannot carry the weight of control without the support of regular employees. That is why France Incorporated will also make sure that a representative of the Information Systems team holds a meeting twice a month to go over regulations, the possible problems that can arise from negligent or careless behavior, and a detailed presentation of our policies, implementations, and sanctions, in order to minimize the chance of a breach. Visitors, vendors, and affiliates will also be subject to restrictions and sanctions.

As stated by Such, Gouglidis, Knowles, Misra, and Rashid (2016), precise information about internal policies should be available and presented in a simplified way for faster assimilation by employees. The representative from the IS and IT department must methodically explain the fundamental concepts and reasoning in a way that encourages participation rather than forced adherence. Uniform and logical steps and protocols are to be in place to prevent confusion and non-adherence.

Definitions

Data Breach: Situation where sensitive and private data have been accessed, modified, or deleted without prior authorization.

Unauthorized Access: The viewing of private, confidential, and sensitive data without permission.

Safeguard: A structure put in place by the company, in conjunction with the IS and IT departments, to secure data and to identify, prevent, and reduce data breaches.

Encryption: Encoding of data so that it cannot be read without the decoding key.

Sensitive data: Data that, in the wrong hands, can cause harm to an individual, a group, or the company.

Terms

Sohrabi Safa, Von Solms, and Furnell (2016) remind us that the Internet is a vast network; therefore, the risk of breaches is ever present. Hackers and unauthorized users employ different techniques as technology evolves, and these techniques attack the confidentiality, integrity, and availability of information. For that reason, users and companies must always be aware of the constant change, danger, and risk. That is why the first step for France Incorporated is to make its employees and affiliates aware of the risks, the rules, and the proper steps. Second, the company will have its IT and IS team receive frequent training to keep up with the changes. The Information Security department, with the help of the legal department, will go over the clear distinction between user privileges and levels of access, and what information can be accessed and under which conditions. They will jointly produce the guideline that indicates how to dispose of and encrypt data properly, how to report a potential or actual breach, where to submit the breach report, and which team will be assigned the case. Once the investigation results are in, the team will relay the information to the legal and human resources departments for sanctions, disciplinary process, and legal damage control.

Summary

No matter the company, regulations and protocols are valuable because they make the difference between a company that is ready and one that simply hopes it will never have to deal with a data breach. As briefly mentioned earlier, the misconception that data breaches are only about consumer credit cards is common. However, sensitive information is clearly a broader concept that ranges from employees' information to clients' information. As long as the information contains data that can be valuable to someone else or can cause harm to its owner if it falls into the wrong hands, it is worth protecting. It is not enough for companies to have procedures or rules without implementing them. Furthermore, regulations will not suffice without a trained and knowledgeable team that is aware of the danger and risk and keeps up with new trends. It is in the best interest of a company to invest in security protocols, training, and continued training. Technology will not stop evolving; as convenient as it is, one misstep can jeopardize a company's future, and it is more costly to repair a reputation than to invest in prevention.

References

Data Breach Response Policy. (n.d.). Retrieved from https://www.sans.org/security-resources/policies/general/pdf/data-breach-response

Flowerday, S. V., & Tuyikeze, T. (2016). Information security policy development and implementation: The what, how and who. Computers & Security, 61, 169-183. doi:10.1016/j.cose.2016.06.002

Johnston, A. C., Warkentin, M., McBride, M., & Carter, L. (2016). Dispositional and situational factors: Influences on information security policy violations. European Journal of Information Systems, 25(3), 231-251. doi:10.1057/ejis.2015.15

Kim, B., Johnson, K., & Park, S. (2017). Lessons from the five data breaches: Analyzing framed crisis response strategies and crisis severity. Cogent Business & Management, 4(1). doi:10.1080/23311975.2017.1354525

Moody, G. D., Siponen, M., & Pahnila, S. (2018). Toward a unified model of information security policy compliance. MIS Quarterly, 42(1), 285.

Siponen, M., Adam Mahmood, M., & Pahnila, S. (2014). Employees' adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224. doi:10.1016/j.im.2013.08.006

Sohrabi Safa, N., Von Solms, R., & Furnell, S. (2016). Information security policy compliance model in organizations. Computers & Security, 56, 70-82. doi:10.1016/j.cose.2015.10.006

Such, J. M., Gouglidis, A., Knowles, W., Misra, G., & Rashid, A. (2016). Information assurance techniques: Perceived cost effectiveness. Computers & Security, 60, 117-133. doi:10.1016/j.cose.2016.03.009

Telang, R. (2015). Policy framework for data breaches. IEEE Security & Privacy, 13(1), 77-79. doi:10.1109/MSP.2015.12
