SUPPLY CHAIN INFORMATION
AND DECISION SUPPORT
SYSTEMS: MSCSCM626
GROUP PRESENTATION
GROUP 6 MEMBERS
KUSAKARA PEDZISAI C22150892K
MOYO PATRICIA C22151330E
SABUNGU LAZARUS. T C22151616M
MASHIRI TAWANDA C22150734X
MANGWIRO WELLINGTON C22151432Y
QUESTION 6
Sustainable data security is everyone’s
responsibility. Outline and justify what you
consider to be necessary components of an
organisation’s data security policy.
Introduction
Supply chain entities have become more dependent on electronic
communication and less on massive file rooms with mountains of
paper. Electronic records are far easier to access than paper ever
was, so secure data storage matters more than ever. This has created
the need for safe and reliable data preservation through data
security policies. A data security policy is a set of rules and
procedures that keeps an organisation's data secure (Peltier, 2016).
All data users throughout an organisation must abide by this policy.
A data security policy must incorporate important components
regarding access, storage and usage; these components are the crux of
this presentation.
Definition of key terms
Sustainable data security
Chanda and Kelly (2022) define sustainable data security as investing time,
attention and capital in a way that mitigates risk, minimises cost and maximises
effectiveness both now and in the long term. Data security is sustainable when
security resources are implemented in a way that does not degrade the level
of security or deplete over time in the face of anything that affects the
security of a system (Chanda, 2021). The presenters understand sustainable
data security as protecting the confidentiality, integrity and availability of
information, and strengthening that protection, both now and in the future.
Purpose
The first essential component of an information
security policy is a defined purpose. Broadly, the
purpose of an organisation’s data security policy is to
protect its essential digital information. An
organisation needs to define its data security policy's
goals in a more focused and actionable way.
The purpose of a data security policy might be any one or a combination of
the following objectives:
To clarify an organisation's approach to information security
To detect data security breaches caused by misuse of data, networks, computer
systems or applications, or by improper third-party use
To prevent the compromise of the organisation's sensitive information
To respond to information security breaches swiftly and effectively
To uphold the organisation's brand reputation in data security
To comply with legal, regulatory and ethical requirements
To respect customers' rights to the privacy of their personal data
To bolster the organisation's ability to respond to consumer inquiries about data
protection, security requirements and the organisation's compliance in these
areas
Defining a clear purpose for a company's information security
policy enables the organisation to tailor its security measures
to the data it actually needs to protect.
Failure to articulate a clear, concrete purpose for the
information security policy runs the risk that security
measures will be unfocused and ineffective.
Audience and scope
The next essential element of an information security policy is its
audience and scope.
A data policy must specify which users it applies to and which it
does not. For instance, a business might decide not to include
third-party vendors in its information security policy.
The broader the scope of its data policy, the clearer the organisation
can be, both to itself and to its customers, about what is expected of
internal employees versus its third- and fourth-party vendors.
In this sense, bringing third- and fourth-party vendors under the
broad umbrella of the company's data security policy allows the
organisation to keep a tighter hold on client data and maintain
customer trust.
Another aspect of scope to consider is what infrastructure the
policy will govern. It is important that the policy covers all
facilities, programs, data, systems and other technological
infrastructure within the organisation (Bishop, 2013).
This wider scope of coverage leaves fewer unmanaged assets for an
attacker to target and so helps the policy reduce data security risks.
Information security objectives
A data security policy needs to state the organisation's
information security objectives.
The IT industry generally recognises three main principles:
Confidentiality,
Integrity and
Availability.
Confidentiality: A data security policy should keep sensitive
information assets confidential, so that only authorised users
can access protected information. This is achieved through access
control and encryption, backed by strong authentication (strong
passwords are one component of this, not the whole answer).
Integrity: A data security policy should preserve data in an
accurate, complete and unaltered form, with changes made only
through authorised and recorded processes, so that the data can
be relied upon within the organisation's IT infrastructure.
Availability: The policy should also ensure that IT systems and
data are available to authorised users when needed, continuously
and reliably.
Authority and access control
An information security policy should indicate which
members of the organisation have the authority to grant or limit
access to data.
These people should be trustworthy employees with enough data
security insight to make correct decisions about what information
is shareable and what is not.
The extent of permissible data sharing is not always entirely the
organisation's decision to make, since regulation may constrain it,
and even where it is, access to the most sensitive assets can be
confined to a handful of people. Coca-Cola's beverage formula is
the classic example of a trade secret reportedly known to only a
few individuals.
An organisation's hierarchy plays a key role in access control.
Lower-level employees mostly do not have the insight or authority
to grant access to others, so they should generally not share the
data they have access to.
Higher-level managers and executives, who have more comprehensive
insight into the company's overall function, are usually the ones
designated to grant access to information. Even so, grants should
follow the principle of least privilege and be recorded, so that
access can be reviewed and revoked later.
An organisation must have sufficient controls to allow
authorised access and deny unauthorised access. Classic
examples of such measures are:
Personal Identification Numbers (PINs)
Strong password requirements
Biometric measures such as fingerprint access devices
Password updates (current guidance favours changing passwords when
compromise is suspected rather than on a fixed schedule)
ID cards
Access tokens
Swipe cards
Authorisation and access control protect an organisation from
unauthorised use of data, especially by laid-off employees, provided
that their access is revoked promptly when they leave.
Data classification
Classification of data is an essential element of an organisation’s
data security policy.
Most organisations classify data by security level. "Public,"
"Confidential," "Secret," and "Top Secret." are typical classes
that may be assigned.
Other organisations use hierarchies such as Level 1, Level 2,
Level 3, Level 4.
Under these classification systems every level of non-public data
requires some form of protection, with higher tiers such as "Top
Secret" requiring more stringent security.
Data classification is of paramount importance since it provides
the basis for laying out the measures necessary to protect each
item of data to the required level.
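The two previous sections (authority and access control, and data classification) can be made concrete with a small access-decision routine. The following Python is an illustration added here, not code from the presentation or from any of the cited sources. It uses the "Public / Confidential / Secret / Top Secret" levels the text mentions, denies access by default, refuses terminated accounts regardless of their clearance, records every decision in an audit log, and maps each level to the set of required protections (that mapping, the group names and the sample users are assumptions made for the example).

```python
"""Classification-aware, deny-by-default access decisions (added example)."""
from dataclasses import dataclass, field
from datetime import date
from enum import IntEnum
from typing import List, Optional, Set, Tuple


class Level(IntEnum):
    """Classification levels from the policy, ordered by sensitivity."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Assumed mapping of level -> protections the policy would demand.
REQUIRED_CONTROLS = {
    Level.PUBLIC: set(),
    Level.CONFIDENTIAL: {"access_control", "encrypted_backup"},
    Level.SECRET: {"access_control", "encrypted_backup", "encryption_at_rest", "access_review"},
    Level.TOP_SECRET: {"access_control", "encrypted_backup", "encryption_at_rest",
                       "access_review", "mfa", "need_to_know"},
}


@dataclass
class User:
    name: str
    clearance: Level
    groups: Set[str] = field(default_factory=set)
    terminated_on: Optional[date] = None  # set by offboarding; revokes all access


@dataclass
class Asset:
    name: str
    level: Level
    need_to_know: Set[str] = field(default_factory=set)  # groups with a need to know


AUDIT: List[str] = []  # every decision is appended here for later review


def authorize(user: User, asset: Asset, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if user.terminated_on is not None and user.terminated_on <= today:
        decision = (False, "account terminated")
    elif asset.level == Level.PUBLIC:
        decision = (True, "public data")
    elif user.clearance < asset.level:
        decision = (False, f"clearance {user.clearance.name} below {asset.level.name}")
    elif asset.need_to_know and not (asset.need_to_know & user.groups):
        decision = (False, "no need-to-know group")
    else:
        decision = (True, "clearance and need-to-know satisfied")
    verdict = "ALLOW" if decision[0] else "DENY"
    AUDIT.append(f"{today.isoformat()} {user.name} -> {asset.name}: {verdict} ({decision[1]})")
    return decision


def missing_controls(level: Level, implemented: Set[str]) -> Set[str]:
    """Protections the policy requires for this level that are not yet in place."""
    return REQUIRED_CONTROLS[level] - implemented


def demo() -> List[Tuple[bool, str]]:
    """Constructed sample data: two users, one asset, one decision date."""
    alice = User("alice", Level.SECRET, {"finance"})
    bob = User("bob", Level.TOP_SECRET, {"finance"}, terminated_on=date(2024, 1, 31))
    carol = User("carol", Level.CONFIDENTIAL, {"finance"})
    ledger = Asset("ledger", Level.SECRET, {"finance"})
    today = date(2024, 2, 1)
    return [authorize(u, ledger, today) for u in (alice, bob, carol)]


if __name__ == "__main__":
    for line in demo():
        print(line)
    print(sorted(missing_controls(Level.SECRET, {"access_control", "encrypted_backup"})))
```

Note that bob's higher clearance does not help him once his account is terminated, and that the audit log records denials as well as grants; both are what an access review will later look for.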
Data support and operations
Data support and operations include the measures an
organisation will implement for handling each level of classified
data. There are three primary categories of data support
operations:
Data protection regulations,
Data backup requirements and
Movement of data
Data protection regulations
These are the standards an organisation puts in place to protect personally
identifiable information and other sensitive data.
Organisations mostly align these standards with applicable industry compliance
standards and local regulations. Most security standards and regulations require
at least a firewall, data encryption and malware protection.
Data backup requirements
An organisation also needs to generate secure data backups. Backups need to be
encrypted and the backup media stored securely. In addition, a disaster recovery
plan is needed which spells out how the organisation protects against data loss
in the event of calamities such as fires and natural disasters, including how
quickly and from which backups systems will be restored.
Movement of data
An organisation should ensure data security whenever it moves its data. The policy
outlines the secure protocols to be followed when transferring data, for example
requiring encrypted transport and verification of the receiving party's identity.
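As an added example of what a "secure protocol for transferring data" rule looks like in practice (this is not code from the presentation), the Python below contrasts a weak TLS client configuration with a hardened one and provides a small audit function that a policy check could run against any context before it is used to move non-public data. Only the standard library `ssl` module is used; the weak settings shown are the ones most often seen in the wild, and the choice of TLS 1.2 as the floor is an assumption matching current common practice.

```python
"""Weak vs hardened TLS client contexts, with a policy audit (added example)."""
import ssl
from typing import List

# Assumed policy floor: anything below TLS 1.2 is treated as a violation.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: certificate and hostname checks switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, so any server
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What the policy should require for moving non-public data."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check, system CA store
    ctx.minimum_version = MINIMUM_TLS   # refuse TLS 1.0/1.1 explicitly
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of policy findings; an empty list means the context is acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < MINIMUM_TLS:
        findings.append(f"minimum TLS version too low: {ctx.minimum_version.name}")
    return findings


def transfer_allowed(ctx: ssl.SSLContext, data_is_public: bool) -> bool:
    """Policy gate: public data may use any context, anything else must pass the audit."""
    return data_is_public or not audit_context(ctx)


if __name__ == "__main__":
    print("weak:", audit_context(weak_context()))
    print("hardened:", audit_context(hardened_context()))
```

The audit checks the three settings that most commonly get relaxed "just to make it work": certificate validation, hostname matching and the protocol floor. A context that fails any of them can still encrypt traffic, but it no longer proves who is on the other end, which is the property that makes the transfer safe.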
Security awareness and behavior
The data security policy highlights the strategies the
organisation will implement to heighten security awareness and
prevent security breaches.
It may need to encourage specific employee behaviours to bolster
that awareness and thwart attacks and losses.
Some companies have employees sign declarations requiring them
not to divulge business information; workers in some government
departments make such declarations under the Official Secrets Act.
This deters leakage of information to unauthorised individuals and
companies.
Responsibilities, rights, and duties of personnel
The final component of an organisation’s data security policy
should outline the staff members' rights, responsibilities, and
duties regarding data protection since it is the responsibility of
all members to ensure data security.
This component allows an organisation to give employees some
responsibilities by designating certain individuals to perform
access reviews, educate other employees, oversee change
management protocols, handle incidents, and provide general
oversight and implementation support for information security
policy, (Schuster et al., 2015).
This gives a clear definition of personnel responsibilities and
duties, and also clarity about the rights and authorisations
employees have.
In essence, this helps an organisation avoid data management
errors that could pose severe security risks.
REFERENCES
Bishop, J. (2013). The effect of de-individuation of the Internet troller on criminal procedure implementation: An interview with a hater. International Journal of Cyber Criminology, 7(1).
Chanda, D. (2021). Principles of Sustainable Cybersecurity. Retrieved from: https://www.bankingfosecurity.com/blogs/principles-sustainable-cybersecurity-p3127
Chanda, D. and Kelly, D. (2022). How to put cybersecurity sustainability into practice. Retrieved from: https//www.techtarget.com/searchsecurity/tip/How-to-put-cybersecurity-sustainability-into-practice
Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. CRC Press.
Schuster, F., Costa, M., Fournet, C., Gkantsidis, C., Peinado, M., Mainar-Ruiz, G. and Russinovich, M. (2015). VC3: Trustworthy data analytics in the cloud using SGX. IEEE Symposium on Security and Privacy (pp. 38-54). IEEE.