KAU Data Security in Educational Institution Discussion and Responses

 

Discussion Prompt

Chapter 7 of the DAMA-DMBOK describes various types of security risks and threats that could harm an organization but also provides some security measures and tools that can be used to minimize the loss or harm done to your organization. Please answer both questions below:

1- Please describe a security threat that has happened at your organization or one you closely follow and describe how that impacted business. If there are no security threats that you’re aware of, what are some vulnerable areas that pose a security risk to your organization and how would that impact business if that area was negatively affected?

2- Please describe what could be done to reduce the danger of the threat or risk.

First one:

  1. One security threat that has happened to us is almost having the list of students who were quarantined shared with parties that should not have had access to that data. Currently that list is housed on a Google Sheet and is only intended to be shared with a few people, teachers not included. Because it was a new system that was implemented this year and our new office staff didn’t go through extensive training around security and certain protocols, they were not aware of the severity of sharing this information. Fortunately, it was addressed right before it happened by our office manager. It was an eventful morning to say the least, because everyone in that office realized that if it had been shared with all staff then the school would have been in a bit of trouble.
  2. To avoid this potential breach there is a lot that could have been done, and although I really appreciate and enjoyed reading chapter 7 of the DAMA book, I would say we would need to take some foundational steps before we start getting into the more complex security measures described. First, I would recommend creating a list of who has access and who can share this information, so that it is kept track of and monitored. Then I would recommend a policy that describes clear steps on how to handle, distribute, and even store data as it gets updated. This will allow the leading data steward to understand and also monitor the flow a bit. Finally, I would recommend that we use a coding system to identify students so that if the data was breached it would only show the codes that align to each student. Only a few people would be able to identify them through another system that could be created.

This was a good activity to think through as it made me realize there is always so much more that can be done to improve data security.
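
The coding system suggested in the first response can be sketched as follows. This is an added example, not part of either response: the function names, field names, sample roster and demo key are all constructed for illustration. It derives each student's code with a keyed hash, then splits the roster into a sheet that can be shared (codes only) and a lookup table kept by the few people allowed to re-identify students.

```python
import hashlib
import hmac

def student_code(student_id: str, key: bytes) -> str:
    """Derive a stable code from a student ID using HMAC-SHA256.

    A keyed hash is used because student IDs are short and guessable:
    a plain hash could be reversed by hashing every possible ID.
    """
    digest = hmac.new(key, student_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "S-" + digest[:10].upper()

def split_roster(roster, key):
    """Return (shared_rows, lookup): codes only for sharing, identities kept apart."""
    shared, lookup = [], {}
    for row in roster:
        code = student_code(row["student_id"], key)
        # Truncated codes can collide; refuse to map two students to one code.
        if code in lookup and lookup[code]["student_id"] != row["student_id"]:
            raise ValueError("code collision: use a longer code")
        lookup[code] = {"student_id": row["student_id"], "name": row["name"]}
        shared.append({"code": code,
                       "status": row["status"],
                       "return_date": row["return_date"]})
    return shared, lookup

# Constructed sample data (hypothetical students and dates).
ROSTER = [
    {"student_id": "1001", "name": "Student A", "status": "quarantined", "return_date": "2021-10-04"},
    {"student_id": "1002", "name": "Student B", "status": "quarantined", "return_date": "2021-10-06"},
    {"student_id": "1003", "name": "Student C", "status": "cleared", "return_date": "2021-09-29"},
]

# Constructed demo key. In practice the key is generated randomly and stored
# with the restricted lookup, never alongside the shared sheet.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"

if __name__ == "__main__":
    shared_rows, restricted_lookup = split_roster(ROSTER, DEMO_KEY)
    for r in shared_rows:
        print(r)  # safe to distribute: no names or student IDs
    print(len(restricted_lookup), "identities held in the restricted lookup")
```
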

Second one:

Data security is a priority at my institution. We do our work on college-issued password-protected laptops, and all of our software uses multiple factor identification (Duo). While these security measures have protected us from threats so far, potential staff actions still make us vulnerable to data risks.

While we have a pretty comprehensive CRM that we can use to accomplish most of our work, a lot of our staff still has the need to export data into Excel for some analyses throughout the admission cycle (from identifying schools with a high number of inquiries or prospects within a recruitment region, to managing school groups during our admission process, etc.). The risk is reduced if we work under the assumption that staff are only using their work computer to do this, but in reality I’m not sure that we can be 100% certain that’s always the case.

I can think of a few things to reduce this risk:

1- Staff receive data security training as part of on-boarding, but since this is an HR requirement it tends to be pretty general. My department could create a follow-up training for new staff that tackles specifics of our work and our CRM.

2- We could craft a department-specific data security policy that specifies that staff are not allowed to use their personal devices for work, or in cases in which they need to export data from our system.

3- Our CRM has querying and reporting functions, and while my colleagues are pretty comfortable with the basics of the former, most of them have not learned advanced querying or reporting functionality. Training on these modules of our CRM could help staff make the most out of our data without needing to pull it out of the system.