Read this section to explore the effects of data on businesses, how data can inform infrastructure decisions, and the importance of data security.
Policies for the Data Economy
Data Security
On March 22, 2018, the U.S. city of Atlanta was hit by the dreaded SamSam ransomware attack, which brought the city's ICT systems to a halt. Utilities could not collect bill payments, citizens could not pay traffic tickets, the police had to note complaints by hand – the city's digital apparatus essentially stopped functioning and many departments and agencies lost several years of data. Unfortunately, this was not an isolated incident. In India, a journalist was able to obtain unauthorized data from Aadhaar, the national digital identification system. And in Mexico, web users were surprised to discover that the voter data of more than 93 million Mexican citizens was easily accessible online even though the information was classified as confidential.
It is evident that "not all data is created equal". Most data is likely of low value, with more limited amounts of medium value, let alone high value. And risk varies across types of data assets too. From a business's perspective, it makes little financial sense to spend equally on protecting all assets regardless of their value or the risks they face. Such a requirement could impose a crippling financial burden. At the same time, most organizations lack the skills to properly audit their data assets and thus end up with "orphan assets" littered across systems whose value is less than the cost of the controls needed to protect them. What organizations should focus on, at a minimum, are the "extraordinary assets" critical to them, as well as data for which the costs or the breaches of privacy rights could be significant should the data become public. If protecting everything equally is not an option, taking this risk management approach should safeguard against deprioritizing sensitive data that is of low financial value to the firm that holds it.
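The triage described above can be made concrete with a small inventory script. This is an added example, not code from the report; the asset names, impact scores, control costs and tier thresholds are constructed for illustration. It contrasts a value-only ranking with a ranking on the worse of financial value and privacy impact, flags "orphan assets" whose impact is below the cost of protecting them, and buckets the rest into protection tiers by impact rather than by threat likelihood.

```python
"""Risk-based triage of data assets (illustrative example, not the report's own code).

Each asset carries two independent impact dimensions plus a rough control cost:
  financial_value: worth of the asset to the firm            (0..5)
  privacy_impact:  harm to data subjects if it became public (0..5)
  control_cost:    relative annual cost of adequate controls (0..5)
All values below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataAsset:
    name: str
    financial_value: int  # 0 (none) .. 5 (critical to the business)
    privacy_impact: int   # 0 (public information) .. 5 (severe harm if exposed)
    control_cost: int     # relative cost of the controls the asset would need


# Constructed inventory for the example.
INVENTORY = [
    DataAsset("product-catalog", financial_value=1, privacy_impact=0, control_cost=1),
    DataAsset("trade-secrets", financial_value=5, privacy_impact=0, control_cost=3),
    DataAsset("employee-health-records", financial_value=1, privacy_impact=5, control_cost=2),
    DataAsset("old-marketing-stats", financial_value=1, privacy_impact=0, control_cost=3),
    DataAsset("customer-payment-data", financial_value=4, privacy_impact=4, control_cost=3),
]


def worst_case_impact(asset: DataAsset) -> int:
    """Impact is the worse of the two dimensions: a privacy breach of
    low-value data is still a high-impact event for the firm."""
    return max(asset.financial_value, asset.privacy_impact)


def value_only_priority(assets):
    """Naive ranking: protect whatever is worth most to the firm.
    Sensitive but low-value data sinks to the bottom of this list."""
    return [a.name for a in sorted(assets, key=lambda a: -a.financial_value)]


def risk_based_priority(assets):
    """Ranking on worst-case impact: 'extraordinary assets' and data whose
    exposure would breach privacy rights come first."""
    return [a.name for a in sorted(assets, key=lambda a: -worst_case_impact(a))]


def orphan_assets(assets):
    """Assets whose impact is below the cost of protecting them: candidates
    for deletion or consolidation rather than for new controls."""
    return [a.name for a in assets if worst_case_impact(a) < a.control_cost]


def protection_tiers(assets, high: int = 4, medium: int = 2):
    """Bucket assets into protection tiers by worst-case impact.  The
    thresholds encode the acceptable level of risk, not threat likelihood."""
    tiers = {"high": [], "medium": [], "low": []}
    for a in assets:
        score = worst_case_impact(a)
        tier = "high" if score >= high else "medium" if score >= medium else "low"
        tiers[tier].append(a.name)
    return tiers


if __name__ == "__main__":
    print("value-only :", value_only_priority(INVENTORY))
    print("risk-based :", risk_based_priority(INVENTORY))
    print("orphans    :", orphan_assets(INVENTORY))
    print("tiers      :", protection_tiers(INVENTORY))
```

On this inventory the value-only ranking places the employee health records fourth of five, while the impact-based ranking places them second, next to the trade secrets; the stale marketing statistics are the only asset whose control cost exceeds its impact.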
A recent report found significant vulnerabilities in more than three-quarters of the applications used by the federal government in the United States. Numerous reasons appear to explain this:
- Poor data management processes – including inconsistent response, unresolved issues, notification practices, and lack of data encryption practices
- Legacy systems and old software – still in use in many government organizations
- Poor capacity and skills – due to government's inability to attract top-drawer data-security talent
- A low priority afforded to security when making technical infrastructure investments – in a recent study, respondents showed a marked preference for investments in network security and end-point security over investments in data-at-rest security
Data security is not only about ICT; it should also cover "analog" aspects of security (such as the vetting of staff and physical access controls for buildings). Countries use policies as a tool to manage risks and to help respond to actual incidents. Data security policies can be found in different kinds of laws, including cybersecurity and data protection laws. Governments have to consider leading by example and applying strong data security measures to themselves, in addition to what they expect from the ICT industry.
The OECD identified the main common principles for information security in their Guidelines for Information Security and Networks in 2002 and updated them in the OECD Recommendation on Digital Security and Risk Management; these principles were further spelled out in the Madrid Declaration. They emphasize risk management, awareness raising, having a preparedness and continuity plan to respond to incidents, and adoption of security measures to avoid data corruption, loss, misuse, or unauthorized access. They also highlight stakeholder cooperation, including across borders, given that most incidents have a multi-country footprint. Robust cybersecurity policies, targeting the vulnerability of IT systems, infrastructure, and networks beyond data, should complement data security policies. Different international initiatives have produced or are producing guidelines on cybersecurity.
For consumers, one of the rising trends is to request data breach notifications. Breach notifications can be useful to consumers when their data has been compromised or lost, since a notification allows them to take corrective action as needed. Different countries have different requirements for breach notification, and the main differences are the triggers and timeline for notification. The triggers determine what level of breach is required in order to notify consumers and can rely, for instance, on the sensitivity of the information accessed and the likelihood that it will be misused.
In a report on data-driven innovation, the OECD recommends that organizations establish a systematic framework of digital security risk management processes and weld it together with the data value cycle (figure 6.3). In this framework, the criteria for determining the level of security are based on the acceptable level of risk to the economic and social activities at stake and not on the likelihood of threat. Such an approach is premised on the primacy of data as a socioeconomic asset that justifies the move from a culture of security to a culture of risk management.
Figure 6.3 Digital security risk management cycle