

Data Mitigation

Table of Contents
Literature Review............................................................................................................................3
Threats to Organizational Data Security......................................................................................3
Human errors...........................................................................................................................3
Deliberate act of trespass.........................................................................................................3
Software attacks.......................................................................................................................3
Social media.............................................................................................................................3
Natural occurrences.................................................................................................................4
Data Security Risk Assessment...................................................................................................4
Essential Steps While Dealing With Organization Data Breach.................................................5
Preparation...............................................................................................................................5
Prevention................................................................................................................................6
Recovery..................................................................................................................................6
Proposal...........................................................................................................................................7
Iteration One- Professional Expertise..........................................................................................7
Iteration Two- Organizations Size..............................................................................................7
Iteration Three- Geographic Locations........................................................................................7
Iteration Four Social Sites........................................................................................................7
References......................................................................................................................................11

List of Figures
Figure 1. Steps to deal with potential data breach...........................................................................2
Figure 2. Iterations...........................................................................................................................4

Literature Review
Threats to Organizational Data Security
Human errors
Human errors form the major threat to information security in organizations. Employees or
contractors in a company may, accidentally or intentionally, delete or modify data, store data in
unsafe locations, ignore data protection rules, or store data inaccurately (Bhatti, LaSalle, Bird,
Grance, & Bertino, 2012). Regular training on data security is therefore important to mitigate
human errors.
Deliberate acts of trespass
Accessing information without the authority of the officer in charge is among the acts of
trespass that put data integrity at risk. Employees or outsiders may engage in acts such as
shoulder surfing, exposing the information of the company. Trespass extends to equipment and
devices within an organization and to mobile devices (Sha, 2013). Passwords, encryption, and
storage of data in rooms with highly limited access can be used to mitigate acts of trespass.
Software attacks
Malware programs interfere with the operation of software, thereby damaging or hindering
normal operations. Viruses, Trojans, logic bombs, and rootkits are the main types of malware
used to compromise data in organizations. Lack of adequate knowledge of how software
programs operate may lead to the installation of malware in a system. However, in most cases
malware programs are created by malicious individuals with the aim of breaching an
information system or corrupting data (Wang, Kannan, & Ulmer, 2013). Anti-malware programs
produced by various vendors enhance system security.

Social media
The use of social media in business has led to data breaches and the hacking of personal
and organizational accounts. This is due to the high number of social media users and the rise of
security threats affecting cloud computing (Sha, 2013). Data breaches in social media have been
rampant over the last five years. Cloud computing service providers should seek to address the
various vulnerabilities associated with the storage of big data in cloud platforms and
frameworks.
Natural occurrences
Floods, tsunamis, contamination by dust, earthquakes, and fire can result in the loss or
modification of data in an information system. These incidents are beyond human control, and
all that can be done is to ensure that data is backed up at all times in a separate location (Wang,
Kannan, & Ulmer, 2013). This ensures that when such natural incidents occur they do not
interrupt business operations, because it becomes possible to resume normal operations within
the shortest time possible.
Data Security Risk Assessment
Assessment of data security risks is an important activity in ensuring efficient business
continuity. Risk assessment is the process by which risks affecting the integrity, availability,
access, and confidentiality of an information system are identified and mitigation is planned.
Potential threats to information assets are analyzed, resulting in a strategic plan to mitigate the
effect of risks and vulnerabilities (Feng, Wang, & Li, 2014). Any information security risk
assessment includes identification of the sensitivity and value of information. Components of the
information system are weighed against their exposure to potential threats and vulnerabilities.
Risk assessment is conducted before the formulation of effective strategies that guide the
development, implementation, testing, and maintenance of a data security posture. Risk
assessment should be an ongoing process, as threats keep changing and advancing (Dhillon,
2007).
Risk assessment conducted by most organizations relates to the threats that would affect
the business entity. However, it is also important to consider the information security of
customers or users of the organizational website. Use of customer information and access to
customer accounts should be limited to the users and employees who manage those accounts.
Otherwise, the reputation of a company can be destroyed if data integrity is not comprehensively
maintained.
Key steps in risk assessment begin with gathering the necessary information, which
involves collecting all relevant information regarding the system, its sensitivity, and its value. The
second step is analyzing the data and categorizing it into groups depending on its level of
sensitivity (Dhillon, 2007). This is important in determining the security required and the
appropriate storage sites and formats. The third step is the assignment of risk ratings. Different
data have different levels of risk depending on sensitivity, use, and storage format. The final step
involves the formulation of relevant policies and strategies to mitigate the effects of various
threats and to ensure optimal data protection. These steps ensure data integrity, confidentiality,
and reliability. It is important to hire information assurance experts who assess the various risks,
categorize them, and design the most effective plan for the protection of organizational
information resources (Bhatti, LaSalle, Bird, Grance, & Bertino, 2012).

Essential Steps While Dealing With an Organizational Data Breach
There are three steps to follow when planning for data breach cases, as shown in Figure 1.
[Figure 1 diagram: Prepare, then Prevent, then Recover]
Figure 1. Steps to deal with potential data breach. Source: Stephenson, P. (2010, January).
Authentication: A pillar of information assurance. SC Magazine, 21(1), 55. ProQuest Computing.
(Document ID: 1939310891)
Preparation
Mitigation of threats to data security is not an absolute assurance that there will be no data
breach. Even if an organization succeeds in protecting its data from artificial threats, natural
causes might still lead to data loss. In organizations, risk assessment and data protection
strategies require robust preparation (Feng, Wang, & Li, 2014). In preparing for a potential data
breach, an organization should conduct an inventory of its sensitive data, prioritize it, and
understand the obligations of various individuals in the maintenance of data integrity. It is
through such preparation that a company is able to carefully formulate the most appropriate
strategy for business continuity after data loss or breach. Creation of a data response team is
important before a breach occurs (Stephenson, 2010). Response plans are important for
organizations as they give a logical flow to the activities for restoration after security breaches or
data loss. Response plans must be tested regularly for accuracy, efficiency, and effectiveness.
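The four risk assessment steps from the Literature Review (gather information on each asset, categorize it by sensitivity, assign a risk rating, formulate policies) and the inventory-and-prioritize preparation described above can be captured in a small risk register. The following is an added example written for this page, not code from the paper or from any of its cited sources; the asset names, threat likelihoods, scoring formula, band thresholds, and the policy lists are constructed assumptions for illustration.

```python
"""Risk register for a data security risk assessment (added example).

Walks the four steps the text describes: gather information on each data
asset, categorise it by sensitivity, assign a risk rating, and derive a
prioritised list of mitigation policies. Scores and thresholds are assumptions.
"""
from dataclasses import dataclass, field

# Sensitivity categories, least to most sensitive (assumed scheme).
SENSITIVITY_LEVELS = ("public", "internal", "confidential", "restricted")


@dataclass
class DataAsset:
    name: str
    sensitivity: str          # one of SENSITIVITY_LEVELS
    business_value: int       # 1 (low) .. 5 (critical), from the information-gathering step
    storage: str              # e.g. "cloud", "legacy system", "backup drive"
    threats: dict = field(default_factory=dict)   # threat name -> likelihood 1..5


def impact(asset):
    """Step 2: impact follows from the sensitivity category and business value."""
    level = SENSITIVITY_LEVELS.index(asset.sensitivity) + 1   # 1..4
    return level * asset.business_value                        # 1..20


def risk_rating(asset):
    """Step 3: rating = impact x likelihood of the most likely threat.

    Returns (score, threat); an asset with no recorded threats scores 0.
    """
    if not asset.threats:
        return 0, None
    threat, likelihood = max(asset.threats.items(), key=lambda kv: kv[1])
    return impact(asset) * likelihood, threat


def risk_band(score):
    """Map a numeric rating to a band used to choose controls (thresholds assumed)."""
    if score >= 60:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 10:
        return "medium"
    return "low"


# Step 4: policies per band (constructed; mirrors the controls the text names).
POLICIES = {
    "critical": ["encrypt at rest and in transit", "restricted-access storage",
                 "offsite backup", "quarterly response drill"],
    "high": ["encrypt at rest", "access limited to account owners", "offsite backup"],
    "medium": ["access review", "staff data-handling training"],
    "low": ["standard backup schedule"],
}


def assess(assets):
    """Return the register as a list of rows sorted by descending risk rating."""
    register = []
    for a in assets:
        score, threat = risk_rating(a)
        band = risk_band(score)
        register.append({"asset": a.name, "sensitivity": a.sensitivity,
                         "storage": a.storage, "top_threat": threat,
                         "rating": score, "band": band, "policies": POLICIES[band]})
    register.sort(key=lambda r: r["rating"], reverse=True)
    return register


# Step 1: constructed inventory; every value here is illustrative.
SAMPLE_ASSETS = [
    DataAsset("customer accounts DB", "restricted", 5, "cloud",
              {"unauthorised access": 3, "malware": 2, "human error": 4}),
    DataAsset("HR records", "confidential", 4, "legacy system",
              {"human error": 3, "trespass": 2}),
    DataAsset("marketing brochures", "public", 1, "cloud", {"malware": 2}),
    DataAsset("financial backups", "confidential", 5, "backup drive",
              {"natural disaster": 2, "trespass": 3}),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS):
        print(f"{row['rating']:3d} {row['band']:8s} {row['asset']:22s} "
              f"top threat: {row['top_threat']}; policies: {', '.join(row['policies'])}")
```

The sort order is the point of the exercise: the backup drive, which holds little day-to-day traffic, outranks the HR system because of its sensitivity and value, matching the text's remark that high-risk storage sites are not necessarily where most information is stored.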
Prevention
Exposure points, threats, and vulnerabilities must be assessed as part of data storage.
After assessment, the key threats and data storage areas are managed holistically to boost data
security. It is less expensive to prevent a breach event than to correct it. High-risk data storage
sites are not necessarily where most information is stored; they could be legacy systems or
backup drives (Feng, Wang, & Li, 2014). Simple human errors can be prevented through training
and by ensuring compliance with risk mitigation policies. In order to prevent a potential data
breach, a response plan should contain a data risk assessment and policies, a written plan,
employee training provisions, penetration and vulnerability testing, a mechanism by which the
risk can be transferred, and procedure drills for incident response (Vlajic, 2010).
Recovery
Recovery is the final step in dealing with a data breach in an organization. It is the
process of halting the breach and identifying all the data that has been corrupted or
compromised. This is followed by checking the procedures spelled out in the response plan and
the possible legal steps that can be taken (Pearce, Zeadally, & Hunt, 2013). To maintain a good
reputation, it is important to handle the response carefully through communication with the
affected parties. The response team guides the recovery process until the organization is back to
normal operations (Vlajic, 2010). Incident response plans and security policies in the
organization should be revised at least annually to maintain best practices, because threats are
dynamic and sophisticated methods of data breach crop up each day with the advancement of
technology.
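Two points in the text share one mechanism: keeping a backup in a separate location (Natural occurrences) and, at the start of recovery, identifying all the data that has been corrupted or compromised. The following added example, written for this page and not taken from the paper or its sources, builds a SHA-256 manifest of a directory at backup time and later compares the live copy with it, reporting modified, missing, and unexpected files. The directory layout, file contents, and the simulated incident are constructed for the demonstration.

```python
"""Backup manifest and integrity check (added example).

A manifest (relative path -> SHA-256) is recorded when the backup is taken and
stored with the offsite copy. During recovery the live tree is compared with
that manifest to list exactly which files changed, vanished, or appeared.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (with '/' separators) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, manifest):
    """Compare the current tree with a stored manifest.

    Returns lists of 'modified' (digest differs), 'missing' (in manifest but
    gone) and 'unexpected' (present but not in the manifest) paths.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def intact(report):
    """True when the live copy matches the manifest in every respect."""
    return not any(report.values())


def demo():
    """Constructed scenario: record a manifest, tamper with the tree, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "customers.csv").write_text("id,name\n1,alice\n")
        (root / "records" / "ledger.csv").write_text("date,amount\n2015-01-29,100\n")
        (root / "policy.txt").write_text("retain 7 years\n")

        manifest = build_manifest(root)
        # In practice the serialised manifest travels with the offsite backup.
        stored = json.dumps(manifest, indent=1)
        assert intact(verify(root, json.loads(stored)))   # clean tree matches

        # Simulated incident: one file altered, one deleted, one unknown file added.
        (root / "records" / "customers.csv").write_text("id,name\n1,mallory\n")
        (root / "policy.txt").unlink()
        (root / "records" / "notes.tmp").write_text("scratch\n")

        return verify(root, json.loads(stored))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

The manifest must be stored with the separate-location backup, not on the system it describes; a manifest kept alongside the live data can be altered by the same incident that alters the data, and the check would then report nothing.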

Proposal
Mitigation of data security threats and the risk assessment process require professionals
with knowledge of data security and of the various policies and rules governing the practice.
This research is aimed at investigating data protection procedures in organizations and the
various opportunities that might arise in the practice of data security. Being an action research
paper, this will be achieved in four iterations. Each iteration will be completed in four phases:
planning, action, observation, and reflection.
Iteration One - Data Standards
The aim of this iteration is to investigate various local and international standards that
guide information security in organizations. This investigation will include federal policies that
may enhance data security and practice of information assurance.
Iteration Two - Compliance and Training
After the formulation of policies to mitigate data security threats, it is important to ensure
strict adherence and train the employees. This iteration seeks to investigate how compliance is
ensured and planning for training to ensure effectiveness of a policy.
Iteration Three - Information Security Professionals
This iteration seeks to investigate the various categories of expertise required in
information security. Having professionals enhances data security processes and ensures
compliance. Hence, this iteration is aimed at identifying the various titles and responsibilities of
data security experts.
Iteration Four - Data Recovery
In the process of mitigating data security threats, the strategies may fail or the data
breach techniques may be more advanced. This may lead to data access by unauthorized persons.
This iteration seeks to investigate how a response plan is supposed to come into play and restore
operations in the organization. The research will cover the response plan, data backup processes,
and how alternative sites are useful. Figure 2 presents the order of the iterations.

[Figure 2 diagram: four iterations in order, Data Standards, Compliance and Training,
Information security professionals, Data recovery (Iteration 4); each iteration cycles through
the phases Plan, Act, Observe, Reflect]
Figure 2: Iterations
References
Bhatti, R., LaSalle, R., Bird, R., Grance, T., & Bertino, E. (2012, June). Emerging trends around big data analytics and security: Panel. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies (pp. 67-68). ACM. doi:10.1145/2295136.2295148
Dhillon, S. G. (2007). Principles of information systems security: Text and cases. New York, NY: John Wiley & Sons.
Feng, N., Wang, H. J., & Li, M. (2014). A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Information Sciences, 256, 57-73. doi:10.1016/j.ins.2013.02.036
Layton, T. P. (2007). Information security: Design, implementation, measurement, and compliance. Boca Raton, FL: Auerbach Publications.
Pearce, M., Zeadally, S., & Hunt, R. (2013). Virtualization: Issues, security threats, and solutions. ACM Computing Surveys, 45(2), 17-18. doi:10.1145/2431211.2431216
Sha, F. U. (2013). Information system security risk analysis method using information entropy. Information Science, 6, 10. doi:10.5121/ijcsit.2014.6103
Stephenson, P. (2010, January). Authentication: A pillar of information assurance. SC Magazine, 21(1), 55. ProQuest Computing. (Document ID: 1939310891)
Vlajic, N. (2010). Introduction to information security: CSE 4482: Computer security management: Assessment and forensics; Columbia University. Retrieved 29 January 2015, from http://www.eecs.yorku.ca/course_archive/201314/F/4482/CSE4482_01_Introduction_2013_posted.pdf
Wang, T., Kannan, K. N., & Ulmer, J. R. (2013). The association between the disclosure and the realization of information security risk factors. Information Systems Research, 24(2), 201-218. doi:10.2139/ssrn.1083992
