
Privacy of Data at Web Server - Assignment Example


Extract of sample "Privacy of Data at Web Server"

Web server

The use of information technology and information systems to facilitate operations is now common practice in many organizations. Organizations are moving from manual storage of data to electronic storage and manipulation of data and information. Advances in technology make it easier for organizations to collect and maintain specific data and information of interest to them, and they can then use the applications embedded in these systems to manipulate and process that information. This poses a threat to the privacy of personal data and information. The practice is common in customer relationship management systems, social networking sites, and educational and institutional organizations, where the personal data and information of individuals is required most of the time [HBi11].

To address the security issues that may arise in the collection, storage and use of this individual information, the state, in conjunction with IT experts, has drafted and enacted several pieces of legislation to enhance the privacy of information and data. These acts regulate and govern how the responsible organizations and institutions use the individual information they collect and store in their systems. Additionally, these institutions are expected to create their own organizational policies aimed at protecting individual privacy [Com11]. For the purposes of this report, the considerations for privacy in the institution are divided into two: external considerations and internal considerations.

a) External considerations

The Privacy Act was established in 1974 as an act of parliament. The act defines the terms concerned with the collection, storage and manipulation of individual records. It was amended in 1988 and later in 2000. The Privacy Act states that any person is entitled to privacy of his personal information and data at any time.
It further states that any organization, whether private or public, that must collect individual information from people must ensure that this information is used in an ethical manner, and that the information is not collected, stored or manipulated without the consent of the individual. The collected and stored information should not under any circumstances be disclosed to a third party without the consent of the individual. This legislation forms the basis for the storage and use of individual information in the institution; any breach is punishable by law and can be legally addressed [Com11].

The school has a website through which student and staff information and data can be collected and stored in the database. This information is individual and should not be disclosed or used for malicious purposes under any circumstances. The Privacy Act comes into play here, and it must be enforced in the institution to ensure the privacy of individual student and staff information. The act is mainly enforced to ensure that the personnel handling the information are cautious and that the mechanisms used to handle the information are secure. Learning management systems are mainly used to store and manipulate student and staff information; this is mainly academic performance and certifications. This information should be kept confidential and secure from unauthorized access, modification and disclosure [Fed12].

In addition to the Privacy Act, many other pieces of legislation and policies have been enacted by associations of IT professionals to further protect the privacy of the individual information and data handled by organizations and institutions. The National Privacy Principles were created to regulate how private organizations and institutions manage personal and individual information. They cover the collection, storage and disclosure of individual information.
They also allow individuals access to this information and allow them to make the necessary corrections.

Principle one describes how the institution should collect the information, where it can collect the information and how it should approach individuals when collecting this information [Sec12]. Principle two outlines the use of the information by the organization and how this information can be disclosed. It sets out the rules and regulations regarding the disclosure of individual information in the institution, and states that the information should only be disclosed with the consent of the individual [Sec12]. The third and fourth principles are concerned with information quality and security: the organization should put in place steps and procedures that ensure the accuracy and correctness of the individual information that it collects and stores, and the information should be safe and secure from unauthorized access [Sec12]. Principle five emphasizes the need for an organization to have a policy on how to manage the individual information it collects. The sixth principle gives individuals the right to access the information and make any corrections that may be needed in the database. The seventh principle prevents the use of government identifiers by organizations, and the eighth principle provides for the anonymity of individuals during transactions with organizations [Sec12]. Principle nine outlines the procedures and steps to be followed during the transboundary transfer of information; it also ensures that organizations protect the data and information transferred outside the country. Finally, the tenth principle ensures the protection of sensitive information, including health records, racial information and criminal records [Sec12].

This legislation and these privacy policies apply to the collection, storage, management, use and disclosure of individual information in the institution.
The use of websites and learning management systems is bound to create security and privacy problems for individual data and information.

b) Internal considerations

The institution will further ensure the privacy and confidentiality of individual data and information through internal improvement of the practices, activities and facilities that are used for data collection, management and storage. Data management is done through the learning management system, and collection and interaction are done through the website. To enhance the security of the data and information, the institution will provide policies and guidelines regarding the use of and access to information in the database. To attain the desired level of data and information privacy, the institution will need to address the following issues appropriately:

i) Server operating systems

According to [HBi11], the security issues associated with any information system mainly affect the server operating systems. The server operating systems provide continuous operation to the networks, websites and the database; securing the operating systems and servers ensures the security of the entire network. The threats to the server operating system include unauthorized access through directory traversal attacks, where malicious code is used to gain unauthorized access to data and information in the database, and modification of operating system files and information. Denial of service attacks, which are often directed at the servers and the support infrastructure, eventually deny legitimate users the service of the server operating system. Security in the server operating system is vital for the operation and sustainability of the websites and information system of the institution.
Security can thus be enforced through proper installation and configuration of the operating system; deployment of network protection mechanisms, including routers, firewalls, switches, and intrusion detection and prevention systems, in the server and network operating systems [HBi11]; patching and upgrading of the operating systems; and configuration of operating system user authentication, resource controls and security controls. The institution should also perform regular testing and maintenance of the operating system. The most important measure for ensuring that the data and information in the system are securely maintained, however, is to have security checks, access restrictions and the necessary authorizations [HBi11]. This can be done by employing personnel to handle system security issues and management in the institution.

ii) Network management

The transfer, access and manipulation of this information always occur through the network that is established in the institution. Proper management of the network therefore ensures that the information is secure. Network management entails establishing security control mechanisms in the network hardware and systems, securing data transfer, preventing unauthorized access to the system and protecting networking operations. To manage the network effectively, it is essential to separate computer operations from network operations as much as possible; this will aid the proper management and enforcement of authentication and access controls [Uma12]. The management of network services should be entrusted to reliable and qualified personnel in the institution, who shall be responsible for setting security levels, authentication and access to system components, data and information. The network manager will be responsible for issuing accounts to authorized staff and users.
They are also responsible for allowing external access from remote networks, internal networks and computer systems. This access requires authorization and identification, such as dynamic identification passwords that are automatically generated, and the use of firewall proxy servers [Uma12].

iii) Server access security procedures

The network management and security personnel should identify and determine the identification and encryption requirements. These will then determine the identification and authentication technologies to be used in the institution. The server provides services to all the networks and should thus be accessed by authorized personnel only. Server security can be breached in several ways, and alteration of data and information on the server leads to privacy issues in the institution [Pet08].

iv) Secure file transfer

Files, data and information are transferred throughout the network for different purposes. Secure file transfer should therefore be treated as a major internal consideration in the institution. It is normally achieved through encryption of files and data, and the use of network firewalls to prevent hacking and unauthorized access [Uma12].

v) Storage media security systems

Data and information in the institution are stored on storage media and devices. The storage media must be secured by the use of database management systems and database security systems. This is important in order to prevent unauthorized access to the data and information on the storage media and devices. The institution can also establish a storage system security policy and procedures to be followed during the storage of information and data and the handling of storage media. The policy will also cover the procurement of standardized systems, the maintenance of the storage media and systems, and the use of the systems in the institution [Uma12].

vi) Version backup and storage
The database and information regarding the database should have backup storage to prevent total loss of data and information in the event of data loss. The programs and applications involved in running, manipulating and updating the database should also be stored on secure storage devices and backed up [Glo10].

vii) Secure database management

Secure database management should be enhanced to ensure that the data in the database is secure. The database is managed securely by the use of a database management system that manages all the operations and activities in the database. Secure database management involves the use of access controls, security checks and authorization checks, physical security of database storage devices and files, and the employment of personnel to manage the database effectively [Glo10]. This can be further strengthened by the use of intrusion detection through internal alarming and external security services. The management of the database is thus a fundamental consideration for ensuring a secure database and improving the privacy of individual data and information in the institution [Glo10].

viii) Office space management

Office space management involves the management of the places where data and information are stored. It is important for the institution to consider where the network infrastructure, computer systems and other devices will be kept, and to ensure proper physical security of those spaces.

Gap analysis

To identify the gaps that are inherent in the institution's privacy policies and procedures, it is important to identify the operations in the various sectors of both the institution's website and the learning management system, and then identify the gaps in those sectors.

Physical security

The facility, especially the sections where computer devices, network infrastructure and instruments are kept, needs proper physical security, such as physical locks and security personnel.
The information and data stored on these premises should be well secured and maintained. The institution lacks an alarm system, which would be ideal for preventing unauthorized access to the facility.

Data storage and manipulation

The institution operates a website that is basically used as a communication and feedback channel between the institution, the students and the general public. The website is used for registration of new students, advertisement of courses and programmes, and collection of staff and student information. It is a public interface but also serves internal purposes in the institution. The information and data collected through the website from the students, the staff and the general public are then stored in the database for management and manipulation.

The institution, however, has issues with the privacy legislation and policy with regard to the storage and manipulation of the data. The institution collects data and information from the public through the website, and it has a privacy policy under which users are required to accept a privacy agreement giving the institution the right to use the information for various purposes. The use of individual data and information is, however, not entirely disclosed to the students and staff in the institution. The policy guidelines for the use of information and data, and the handling of this data, are still a major problem, as the staff responsible for these activities have little knowledge of the privacy legislation and policies in the institution. Challenges associated with keeping this information and data safe and secure are inherent in the institution. The institution uses an old version of the server operating system that has security loopholes that may jeopardize the security of data and information.

Database management

The data that is collected from the users is stored in a centralized database.
The centralized database is accessible through remote access. This creates a security problem, because the data and information are prone to threats and loss. The centralized database is managed by a database management system, which makes the access, manipulation and retrieval of data and information easier and more manageable [Glo10]. However, the system used is outdated, and this may lead to security problems. The information and data can be accessed by unauthorized personnel due to the poor security measures and functionality of the database management system.

Network management

The network of computers and other devices allows users to access the database and other resources, including the website and the learning management system. The network therefore needs proper management to ensure the security of the data and files transferred in the network and of the network traffic [Uma12]. In the institution's case, the network is not properly managed and is characterized by ineffective control, planning, allocation, deployment, monitoring and coordination of the resources in the data network.

Remote access

Remote access to the website and the learning management system is still a big problem. The remote access is at some point ineffective, which poses risks of unauthorized access into the network and the database.

User access authorization and authentication

Access to databases, networks, and the use of programs and systems is entirely the role of the system administrators. This authentication, however, makes access to the services difficult and time consuming, especially if a new user tries to remotely access the network or the database. The time taken for verification and issuance of authentication numbers is long and can be reduced by using automated user identification and definition [Uma12].

In general, the organization has policies, guidelines, procedures and regulations that should be followed to ensure the privacy of individual data and information.
However, this set of policies and guidelines is most often not adhered to. This neglect creates a security risk to the individual data and information that is stored by the institution.

| Sector | Identified gap | Required changes |
| --- | --- | --- |
| Physical security | Lack of alarm systems and proper physical security. | Use of security personnel. Installation of security alarms. Proper management of security controls. |
| Data storage and manipulation | Lack of adequate knowledge of privacy legislation, guidelines and regulations. Poor server operating system. Security loopholes in the website and the learning management system. | Upgrade of server operating system. Training of employees on privacy legislation and handling of personal data and information. |
| Database management | Poor database management system. Poor security measures in the database leading to unauthorized access. | Upgrade of database management system. Enforcement of security measures and access control in the database. |
| Network management | Ineffective control, planning, allocation, deployment, monitoring and coordination of the resources in the data network. | Enforcement of security measures in the network. Use of network firewalls. |
| Remote access | Unauthorized access. Poor authentication and control mechanisms. | Enforce access controls and restrictions to the network. Enforce authorization checks to remote access. |

Recommendation and implementation plan

To maintain a sound website and learning management system, it is important for the institution to make a few upgrades to counter the gaps identified. The institution needs proper management of the database; this will involve the employment of personnel and an upgrade of the database management system to a more robust and updated version. This will help in the efficient management of data collection, manipulation and storage in the institution.
In order to enhance operational efficiency, the institution must focus on formalizing database management through standardization, planning and the adoption of best practices that are governed by policy and guidelines. These practices include standardizing the DBMS, automating administrative tasks, formalizing administrative processes and procedures, enforcing strong security measures and database consolidation [HBi11]. Frequent updates, tuning and troubleshooting of the database, together with upgrades and patch deployment, are also recommended to ensure database stability and performance. Additionally, the institution should have a sound and proper database security plan to handle database security and management [Glo10].

Network management and security can be enhanced by the use of efficient network security systems from reputable vendors in the market. Network security can also be enhanced by the use of firewalls [Uma12]. The most important element of the database security plan is the incorporation of database encryption, access restriction and data protection into the database security procedures and guidelines.

Network management should also be strengthened to enhance the security of data and file transfer. Most of the information in the database is transmitted over the networks, so the institution should manage the networks to enhance security. This can be done by the use of network firewalls and by enforcing security access controls and authorization to minimize unauthorized access such as tapping and hacking [Uma12].

The organization should effectively implement the stipulated privacy legislation, principles, guidelines and policies in the institution. The employees handling individual data and information should be trained in, and be aware of, the privacy legislation and policies.

Implementation plan:

| Activity | Time frame | Responsible persons |
| --- | --- | --- |
| Employ personnel security | Two months | The human resource department, management |
| Upgrade of database management system and server operating system | 1 month | System administrator |
| Standardizing DBMS, automating administrative tasks, formalizing administrative processes and procedures, enforcing strong security measures and database consolidation | Continuous | System administrator and the database administrator |
| Network management | Continuous | Network administrator |
| Training of personnel | 2 weeks | System administrator |
| Evaluation of upgrades | Periodically | System administrator / auditor |

References

HBi11: (Bidgoli, 2011)
Com11: (Commonwealth of Australia, 2011)
Fed12: (Federal Government of Australia, 2012)
Sec12: (Secretariat Australia, 2012)
Uma12: (Umass Boston, 2012)
Pet08: (Petri, 2008)
Glo10: (Global Clients Services, 2010)