In recent years, internet security has become a main concern for corporations and individual users alike. Both groups should pay particular attention to threats and vulnerabilities affecting sensitive data. Briefly, this covers information about the Data Subject's racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, together with billing and banking information, loans and income data. Two types of threat can be distinguished: internal and external. Internal threats include the damage or loss of laptops and the disclosure of personal information by employees. External threats are hackers and data thieves. Because the data an organization holds must be accurate, it is worth thinking from the outset about how managers are going to keep it that way. This starts with deciding what information to collect and how to obtain it.
The main threats to Internet security are malware (spyware, viruses, Trojans, worms and bots) and direct hacker attacks. Each of these can lead to the abuse of data and to invasion of the privacy of people and corporations. Security must be seen in the context of wider organizational policies. Many aspects of security will be taken care of by, for example, the IT department or its equivalent. However, high-level security provision on its own is not enough; the systems have to work in practice (Carr 28). The Data Protection Principle on security makes this clear by requiring that security measures be 'technical and organizational'. Technical measures are relatively easy to provide: password systems, back-up systems for computers, locks on filing cabinets, and access control either to the building or to key parts of it are all routine (Pfleeger and Pfleeger 87). In addition to strict organizational policies, GCI should introduce such technical precautions as disk encryption, file encryption and portable media encryption. Individual users and corporations should also maintain perimeter security: firewalls and intrusion detection systems (IDS) at the network boundary, complemented by anti-virus software on each laptop, since an IDS only raises alerts and a perimeter firewall does nothing for a laptop once it leaves the office. Specific issues may arise where a Data Controller feels the need to monitor the behavior of staff or members of the public. When responding to requests for personal data, individual users and corporations must be careful to provide the information only to the right person. This means asking the requester for information that verifies their identity, and possibly also for information that helps locate their records (Carr 76). A corporation might, for example, ask what part of the organization the person originally dealt with, or the approximate date they were last in contact.
A Subject Access request is not valid until the corporation has received whatever such information it needs, but it may only ask for 'reasonable' information. The first line of defense is therefore to ensure that staff are aware of the possibilities and operate within a culture where information, and especially personal data, is handled carefully and responsibly. To support them, corporations should take measures that make it as easy as possible for staff to do the right thing. At the same time, they should not be over-anxious (Pfleeger and Pfleeger 73).
The second step in the network security requirements is to take precautions against 'unauthorized' processing. In global and national corporations, staff must therefore not use data in any way they are not permitted to, and must not disclose it to anyone who is not permitted to have it. But for this to make sense, someone has to do the authorizing. Unless there are clear guidelines on what is permitted, staff cannot be expected to comply. The case study says that all processing must be 'compatible' with the purpose(s) for which the data was obtained. Therefore, in deciding who is authorized to see any particular type of data, it is important to think about what type of access is compatible with that purpose (Carr 62). The personnel department may, for example, hold sensitive data about staff members that it is not appropriate for their line managers, or even the Managing Director, to access. If IT professionals are in a situation where they routinely expect to share information with other security departments, the arrangements should be put on a formal basis, setting out the types of information to be shared, the purposes, and any mechanisms that will be applied to ensure that the data is handled securely (Larose and Rifon 127).
Data minimization follows from the same principle: an organization must hold enough data for its purposes but, importantly, not too much. The biggest risk to security is almost always the company's own staff. The damage they do can be deliberate, such as stealing information about people (business contacts they want to use for their own purposes, for example) or trashing the database out of frustration on being demoted (Nehf 351). More often it is unthinking or inadvertent: giving information over the telephone to someone who should not have it, leaving confidential files at home for a neighbor to see while working from home, or chatting in the canteen about a user's borrowing habits where other people can overhear. External threats are more serious and harder to prevent. One area that often gives rise to concern is e-mail. Although the dangers can be exaggerated, it is important to be aware that e-mail is inherently insecure: a message is ordinarily readable by every mail server it passes through and by anyone who can read the recipient's mailbox. E-mails themselves may constitute personal data if the addressee is identifiable. More importantly, if e-mail is used for sending personal data to other people, some thought should be given to whether it should be encrypted (Pfleeger and Pfleeger 54).
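The point about e-mail in this paragraph and the file and portable media encryption mentioned earlier come down to the same control: a record of personal data should be encrypted with an authenticated cipher before it leaves the organization's control, so that a copy read in transit is useless and a copy altered in transit is rejected. The following Go program is an added example, not code from the essay or from the sources it cites. It assumes AES-256-GCM with a key that the sender and recipient have already shared by some other channel (key exchange is outside its scope), and the record, e-mail addresses and field names are constructed for illustration. It also goes one step beyond the text by binding the ciphertext to the intended recipient's address as associated data, so a sealed attachment forwarded to a different address fails to open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleRecord is a constructed example of the kind of sensitive personal
// data discussed in the essay; it is not taken from any real system.
const SampleRecord = "subject_id=4417;name=A. Example;religion=unstated;bank_account=GB00EXMP00000000;income=31200"

// NewKey returns a fresh 256-bit AES key. How the key reaches the recipient
// (out of band, or wrapped with their public key) is assumed to be handled
// elsewhere; this example only protects the attachment itself.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and binds it to the intended
// recipient address as associated data, so the blob only opens for the
// address it was sealed for. Output layout: nonce || ciphertext || tag.
func Seal(key, plaintext []byte, recipient string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recipient)), nil
}

// Open decrypts a blob produced by Seal. Any change to the blob in transit,
// or an attempt to open it under a different recipient address, fails with
// an error instead of yielding corrupted plaintext.
func Open(key, blob []byte, recipient string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recipient))
}

// RoundTrip models the whole flow: the sender seals the record for one
// recipient, the recipient opens it, and two failure modes are exercised:
// a single flipped bit in transit, and the blob being forwarded to an
// address it was not sealed for. It reports whether both were rejected.
func RoundTrip(record, recipient, other string) (string, bool, bool, error) {
	key, err := NewKey()
	if err != nil {
		return "", false, false, err
	}
	blob, err := Seal(key, []byte(record), recipient)
	if err != nil {
		return "", false, false, err
	}
	pt, err := Open(key, blob, recipient)
	if err != nil {
		return "", false, false, err
	}
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01 // flip one ciphertext bit
	_, tErr := Open(key, tampered, recipient)
	_, fErr := Open(key, blob, other)
	return string(pt), tErr != nil, fErr != nil, nil
}

func main() {
	rec, tamper, fwd, err := RoundTrip(SampleRecord, "hr@example.org", "manager@example.org")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\ntampered copy rejected: %v\nforwarded copy rejected: %v\n", rec, tamper, fwd)
}
```

The design choice worth noting is the use of GCM rather than a bare block mode: encryption alone hides the content, but only the authentication tag turns "someone changed this attachment" into a hard error rather than silently corrupted personal data. The nonce is generated fresh for every message and stored in front of the ciphertext; reusing a nonce with the same key would break GCM's guarantees.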
A corporate network security policy determines the overall success of the organization's security effort and the privacy of internal and external stakeholders. Researchers admit that network security must be seen in the context of wider organizational policies, and the earlier observations about technical and organizational measures apply equally here: the IT department takes care of much of it, but the systems have to work in practice, and the routine technical measures (password systems, back-ups, locks on filing cabinets, access control to the building) are the easy part. Beyond that, all staff, especially those who deal with personal data regularly, need to be aware of what they are allowed to do, what they are not allowed to do, what security procedures they are expected to follow, and whom to ask if they are in any doubt. There must be policies spelling out what is expected, opportunities for staff to learn what those policies are and what procedures are required to implement them, and regular checks on whether the policies and procedures are being followed. Failure in network security can lead to reputational damage, loss of income and violation of privacy. The examples of online financial databases and of encryption, network and operating system failures show that network security demands careful planning and control in order to prevent hacker attacks and information theft (Nehf 351). "Online consumers can and sometimes do take action to protect themselves. A fourth use separate e-mail addresses to avoid spam, nearly two-thirds avoid posting their addresses on Web sites, and a like percentage use spam filters" (Larose and Rifon 127).
Policy statements should clearly stipulate the duties and responsibilities of employees. The principle is that precautions must be taken against 'unauthorized' processing: staff must not use data in any way they are not permitted to, and must not disclose it to anyone who is not permitted to have it. For this to make sense, someone has to do the authorizing, and unless there are clear guidelines on what is permitted, staff cannot be expected to comply. The second Data Protection Principle says that all processing must be 'compatible' with the purposes for which the data was obtained, so in deciding who is authorized to see any particular type of data, it is important to think about what type of access is compatible with that purpose. When an outside agency requests personal data, it is usually best as a minimum to obtain from the requesting agency, in writing, the legal basis on which it is asking for the information (Larose and Rifon 130). If it turns out that the agency was not entitled to have it, this may give the organization some protection. It will often be appropriate for disclosures in these circumstances to require approval at a high level in the organization, and perhaps by the legal department (Pfleeger and Pfleeger 38). It is not a legal requirement to follow a recognized Code of Practice, but the Codes will, on the one hand, provide a useful framework for an organization drawing up its own policies and, on the other, provide a yardstick for anyone making judgments about an organization's Data Protection practice. A draft Code of Practice has been produced covering the use of personal data in the employer/employee relationship. It is worth looking at this to see what the Information Commissioner has in mind for Codes of Practice; the draft Code makes clear which provisions are mandatory and which the Information Commissioner considers best practice.
In particular, staff should be aware of their responsibilities in the area of security, and of the potential problems that might arise from unauthorized access to personal data. It may be worth making staff aware not just of organizational policies, but also of their potential personal liability if they fail to take adequate care.
In sum, Internet security measures must be appropriate to the threat; they need not be perfect every time. The measures discussed here do not cover many points that would normally be dealt with by the IT department or at an organization-wide level. Transfers of personal data are a further matter. The most straightforward case is where the transfer is necessary for carrying out or entering into a contract between the Data Subject and the IT professional, or for a contract that is at the Data Subject's request or in their interests. However, this does not mean that all data IT professionals hold about people with whom they have a contract can automatically be transferred; they may only transfer data where it is necessary.