Assignment

Table of Contents

INTRODUCTION...........................................................................................................................4
DATA RISK ASSESSMENT..........................................................................................................5
1. Risk Assessment For The Charity’s Data....................................................................................5
2.Threats and risks to the digital identities of the Charity’s clients.................................................8
PRIVACY STRATEGY PROPOSAL FOR THE CHARITY........................................................9
a.Management of personal information.........................................................................................10
b.Collection and management of solicited personal information..................................................11
c.Use and disclosure of personal information................................................................................13
d. Use and Security of Security Identities.....................................................................................14
e.Security of personal information................................................................................................15
f.Access to personal information...................................................................................................16
g.Quality and correction of personal information..........................................................................17
PERSONAL DATA PROTECTION STRATEGY PROPOSAL FOR THE CHARITY.............18
a.Protection of personal information.............................................................................................19
b.Authorized access and disclosure of personal information........................................................20
c. De-identification of personal data..............................................................................................22
d. Use of personal digital identities...............................................................................................23
e.Security of personal data.............................................................................................................24
f.Archiving of personal data..........................................................................................................25
CONCLUSION..............................................................................................................................26
REFERENCES..............................................................................................................................26
 Table of Figures

Figure 1: Risk Assessment Process.................................................................................................7

Figure 2: Privacy Lifecycle.............................................................................................................9
Figure 3: Steps of Digital Identification........................................................................................14
Figure 4: Management of Personal Information............................................................................19
Figure 5: Data De-identification....................................................................................................22
Figure 6: Data Protection Principles..............................................................................................23
INTRODUCTION
The process of identification of quantitative or qualitative estimate of risks which are
associated with the condition and well-known threats or hazards is called as risk assessment. It
includes an analysis on the basis of object regarding risks like assumptions and uncertainties
which are considered by the risk assessment team. In information technology, risk evaluation can
be conducted either by qualitative or quantitative approach considering various methodologies. It
is performed for offering proper security and safety to the information stored in the databases.
This assessment helps organizations in identifying their threats and finding their appropriate
solution. On the other hand, penetration testing is used for searching close certain gaps in
security. Firms also use risk assessment technique for managing their projects effectively. This
includes a plan for managing risks, analyzing the probability, result of risk along with the
evaluating correction action. It prevents in project delay or utilization of more resources. It is
also necessary for all type of organizations to understand the rules and regulations with respect to
the risk management (Li and et.al., 2016).

Data protection is the process of safeguarding the necessary and important information
for any loss or threat. Firms use if for two major functions which are: operational data backup
and disaster recovery. There are many technologies available in the market which organization
can use for protecting their data. These techniques are tape backup, storage snapshots, mirroring,
etc. Companies can use different methods and strategies as per the need and demand of the
situation. On the other hand, the privacy of information is the process of keeping an individual or
group’s information safe from misuse without their prior permission (McCarthy and Plummer,
2016).

The present study is based on the given case scenario of the Charity. It includes data risk
assessment, privacy strategy for the personal data and protection strategy for keeping the
personal data safe and secure from threats or any kind of corruption.
DATA RISK ASSESSMENT

1. Risk Assessment For The Charity’s Data

a.Establishment of existing threats and risks to the security of the data and information

According to the given case, the charity is offering accommodation, mental health
services, training, and support to the disadvantaged individuals in the society. In the present time,
the charity has a small data center with 50*86 64 bit servers running on Window Server 2008 R2
for desktop services, database, and file services. Along with this, the charity has 10 Red Hat
Enterprise Linux 5 servers for the public facing web pages and support (Chua and et.al., 2017).
This in-house database of the charity possesses various risks and threats to the security of data
which can result in loss of important and confidential information. These risks and threats to the
security of information are as follows:

Excessive, Inappropriate and Unused Privileges: Charity has given database privileges to its
employees which exceeds the requirements of their job functions can be abused. For example, an
HR worker of the charity whose job is to update the employee information can take benefits for
given database privileges by conducting an unauthorized lookup of peer’s salary. Thus, it is
necessary for the Charity to grant generic or default access privileges which can only fulfill their
job requirements. The charity has to protect the devices of executives working in higher
positions from external or internal attacks. But charity also needs to keep harden the protection
of devices of its employees. One of the effective method which Charity can use for handling this
risk includes conduction of database assessment and monitoring along with the option for
managing the user rights (Kim and et.al., 2014).

Weak Audit Trail: Charity has weak audit process which can result in serious organizational
risks at all its levels. It is necessary for the charity to monitor both security and compliance
anomalies time to time which can help it in representing the real view of the database and lying
risks within it. The charity will also able to identify whether it is following all the government
laws and regulations for information security and safety (Jensen, 2013).

Unsecured Storage Media: Charity keeps a backup of all the stored information in the database.
This helps in recovering the lost information due to any disaster or other reasons. Lack of
security to the backup storage media provides an opportunity to the hackers or cyber attackers to
misuse the information. Thus, the charity needs to take major actions for protecting the backup
copies fo the sensitive data. Along with this, some trustworthy employees of the Charity have the
high privilege to physical access the database server. It means workers can insert thumb or USB
drivers into the system and execute the SQL commands to the database. This can result in loss or
unauthorized access to the information (Jeong and Park, 2016).

Thus, above risks and threats can create loss or threat of private and confidential
information of the charity.

b. Other risks and threats to the client data after migration to a SaaS application?

As per the case study, Charity will migrate its data to the Software-as-a-service (SaaS)
cloud infrastructure for handling the information effectively. It is joining with the cloud vendor
for using cloud-based server and offering its services to all 500 support staff and administrative
users. It will be used for storing the 200TB data of the charity. It is necessary for the Charity to
have proper security and safety of data as it has a large amount of personal and confidential
information about the people it provides the services (Spiekermann and et.al., 2015). The
possible risks and threats to the client data after the migration to a SaaS application are as
follows:

The risk to the Database: Migration of data from the database to the SaaS application is a
complicated process. Use of SaaS vendor’s hardware can develop a risk of losing confidential
information of the charity’s client due to the failure of the underlying hardware. Along with this,
charity can lose the transparency of information as hardware will be in control of the vendor.

Data Security and Privacy: The important data of the charity will reside and be processed in the
SaaS app provided by the vendor. This can result in illegal system intrusions, unauthorized
access to information and data breaches via malicious, hacking, espionage or criminal activity.

Availability of the Hosted Application: In case, routine maintenance or internet outages of the
SaaS application is taking time then it can affect the business operations of the charity. It can
also result to increase the waiting time of clients which is not good for the Charity.

Compliance with the increasing breach notification and privacy laws and regulations: Breach
of privacy laws and regulations provided by the government of the countries can result in
unauthorized access to the information. The legal and regulatory environment with respect to the
data privacy is fluid but customers using SaaS need to expect stronger and rigorous requirements
from the government. Increase in the transparency of the information with the vendor can result
in disclosure of charity client’s personal information without their prior permission which results
to breach of privacy laws (Rerabek, and Ebrahimi, 2014).

c.Assessment of resulting severity of risk and threat to client data

The charity needs to conduct a risk assessment for handling the severity of above-discussed
risks and a threat to the client data. The risk assessment process which Charity needs to follow is
as follows:

Threat
Identification

Risk Threat
Evaluation Characteristics

Risk
Estimation

Figure 1: Risk Assessment Process

Threat Identification: In this, Charity needs to identify all the relevant the threats and risks
which can affect the stored information. It is important for the organization to identify all the
threats or viruses in both internal and external environment otherwise they can misuse the stored
confidential and sensitive information. The areas which firm needs to identify in this step
includes threats, vulnerabilities, consequences, assets either primary or supporting, business
processes related to the risk, etc.

Threat Characterization: In this, the risk assessment team of the firm will have to determine the
impact and likelihood of the identified threats. It helps in identifying where the risk of threat is
high or low. High risks need to be handled at top priority level and low threats can be avoided or
transferred. Selection of the solution for handling the risks depends upon their type of impact or
likelihood. If the impact of the risk can result in loss or misuse of confidential information then it
is necessary for the charity to handle that first. This is for evaluating whether the
countermeasures are appropriate or adequate to minimize the probability of the loss of the impact
of the loss (Lee, Lim and Yoo, 2014).

Risk Estimation: It is of two types: quantitative and qualitative. In this, assessment of the
quantitative risk depends upon the security metrics on the asset like system or function whereas
assessment of the qualitative risk is conducted for meeting small budget or short time. It is
important to register all the risks within a document for future use or better improvement. It is
quite difficult to estimate the risks which are arising from the security threats and adversary
attacks.

Risk Evaluation: In this charity will have to compare all level of the risks with their criteria of
acceptance and prioritizes it with the indications regarding the risk handling treatment. In the
end, a solution of the highest priority risk will be identified for handling that at urgent basis (Kim
and et.al., 2015).

Thus with the help of above-described steps of risk assessment, Risk assessment team of the
charity can handle and control the severe impact of the risks or threats over the sensitive or
important information.

2.Threats and risks to the digital identities of the Charity’s clients

Threats and risks to the digital identities of the Charity’s clients are as follows:

Politically motivated cyber-attacks: These attacks are hosted with some specific objective of
embarrassing the targeted organization and disclosing the vulnerability of their digital
technology. Thus, Charity can face result in the data leak due to this cyber attack.

Point of Sale Attach: In this POS based devices are pose to the marketplace which results to
misuse and leak of the personal and confidential information. Attacker can access the transaction
information having details like cash, credit cards, mobile payment, etc of the firm. Charity needs
to implement more significant security to the system for avoiding this issue.
Attacks on Internet of Things: IoT devices lack basic security standards which make cyber
attackers to take advantages by leaking the data of organizations. In this, Charity will have to
build greater security for storing the personal data (Lloyd, 2017).

Attacks on online payment systems: With the increasing use of online payment systems, cyber-
attacks on them are also enhancing. Cybercriminals can attack of the online payment system of
the firm and ruin its financial transaction security.

PRIVACY STRATEGY PROPOSAL FOR THE CHARITY

According to the provided case scenario, Charity is migrating its all information from the in-
house database to the SaaS app for using cloud-based features effectively. This will also help the
firm in handling its large amount of data properly. Along with this, workers of the firm will able
to access the information from anywhere and can share with the team members which will
increase the productivity and performance. Privacy Strategy proposal for the Charity will help it
in preventing the valuable and confidential data and information from any threat or risk. It will
help the organization in storing the collected PII data on the customers who are accessing the
services for assisting them in manage their service requirements (Schwalbe, 2015). This proposal
is as follows:
 Figure 2: Privacy Lifecycle

a.Management of personal information

The initial pace of the strategy for the Charity includes management of personal
information regarding its workers and customers. The personal data of the employees and clients
includes details regarding their nationality, religion, name, address, contact number, race,
political or religious belief, and sexual orientation, any record related to crime, membership of
trade union and many more. Along with this, it also consists of private information regarding the
credit or debit card details, bank account number, the name of the bank, etc. It is necessary for
the charity to store every confidential data protected and secure as anyone can use them for either
their personal or someone else’s benefits (Kajzer and et.al., 2014).

In the context of the case, Charity will keep personal information of its employees, HR
team, IT team, customer service staff, product vendor, and customers. It is necessary to have
appropriate and reliable tools and technologies for managing the personal information
effectively. With the help of SaaS and digital identities, the company will able to manage all the
sensitive data or information properly (Chong and Meyden, 2015). Along with this, Charity
should have a centralized database for storing all the information in one place with proper
security and safety. The SaaS application of the charity is offering proper safety and security to
the personal information of both clients and the employees. Thus, both centralized database and
SaaS application can help the charity in managing the privacy of information properly. On the
other hand, the customer information also includes their likes or dislikes, issues, queries,
satisfaction level, complaints, etc which are necessary for the charity to improve their services.
Thus it is really very important for the charity to secure such confidential information from
misuse or unauthorized access as leaking of data can result to affect its image and market value.
It will help in storing and securing the digital identity data for those clients who have mental
health issues. Management of the personal information like PII data of the clients via database
and SaaS application will reduce the wastage of time, money and resources which will make
charity to invest its money and time to other processes. This step will also assist charity to keep a
record of both past and former employees. Along with this, the firm will able to confirm if the
information given by the customers or staff members is accurate or not (Shimeall and Spring,
2013).

b.Collection and management of solicited personal information

After the managing, all the personal data, next phase of the proposal of charity is to
gather and handle the personal information effectively and efficiently. Before management and
maintenance of the personal information, it is important for the organization to collect it
properly. The type of information which charity needs to gather depends upon the type of the
person with whom it is dealing. The following information will be needed by Charity to collect
for its official work:

 Employees in the manner of employee record

 Job Applicants who attend interviews for employment
 Suppliers for ordering materials and enabling the payment for them
 Customers for assisting them and providing them information about the new services
time to time effectively
 Other stakeholders (government, owner, etc)

By collecting the information of all the above-mentioned individuals, charity can manage
all the data and use it for its professional work. This will also result to maintain good and strong
relations with the people by contacting them time to time which will enhance the satisfaction
level (Tøndel, Line and Jaatun, 2014). The information about the discussed different individuals
will include the below-explained details:

 Information which helps in identify the person like name, address, contact number, etc
 Details regarding the financial status or economic situation of the person
 Government authorized accurate information
 Information regarding the employee such as Date of birth (DOB), educational details,
passport details, last jobs, references, status of visa, driving licenses, health document,
criminal record, file number regarding tax, dependents and many others
 Information about the client like likes, dislikes, PII data, health information, economic
status, criminal record, passport details, driving license, type of services they are using,
reviews, etc (Kenyon, 2016)
 Opinion of other individuals with respect to the offered services

The charity will have to collect personal information from the person himself whenever
needed or while developing relations with them. The prime liability of firm is to notify
individual earlier than or during the gathering of the personal information otherwise it can
result to breach the laws formed by the government. If, it will not possible or practicable for
the company to inform the particular person about the collection of his or her personal
information than it should notify him or her as soon as possible (Garba, Armarego and
Murray, 2015). At the time of gathering the personal information charity should counsel the
person about the below mentioned different information:

 Motive of gathering the personal data

 If the collected information is needed or authorized by the law of nation
 Terms and circumstances regarding the gathering of information
 Outcome if, personal data is not gathered properly
 Identification of charity and its contact details including mobile number, title, and
email ID.
 Proper details about the policy related to privacy of the firm like right to access, seek
improvement of personal information
 If the collected information is safe or not
  Charity can unveil the gathered personal information to whom, why and for what
reasons (Kolkowska and Dhillon, 2013).

c.Use and disclosure of personal information

The third phase of the privacy strategy consists of Using and unveiling the personal
information. In this, Charity needs to have a particular and sensible point for using the gathered
information of the persons. The charity can also divulge the information for other reasons for
which an individual assume it to be handled. On the other hand, charity cannot use the
information for the personal reasons. Along with this, the organization cannot utilize the
collected particulars for the values of the direct marketing lacking the prior permission of the
particular person. If in some situations, Charity requires using the personal information of the
individual, then, in such situation, it will essential for the company to gain the approval of that
person for utilizing or disclosing the information. Use of personal information without informing
or taking permission of the individual can result in punishment or fine of some amount
(Tamjidyamcholo and et.al., 2014).

It is important for the charity to provide access to personal information to limited trust-
worthy employees only for avoiding the chances of unethical use or unauthorized access. The
gathered data will be used only for limited period of time until unless it does not fulfill the
described reason. For the Charity, it is important to ensure whether each and every factor of
Privacy Act are meeting or not at the time of disclosing the personal information.

Charity should use the personal information of an individual due to the below-explained
reasons:

 For developing communication with the persons

 For offering the data regarding the services for which customers have sent the request
 For evaluating the reviews or feedback from the clients for improving the quality of
products according to their requirements and demands
 For recruiting the desirable candidates
 For implementing the regulatory and legal obligations
 If the court requires or demand it.
 Apart from the above-explained reasons, if the charity needs to use the personal information
of the persons than it should aware them first and make use of it according to their answers.
Unlawful and improper use of the personal information via Charity can lead it to a momentous
loss of money and image in the market (Hu, West and Smarandescu, 2015).

d. Use and Security of Security Identities

Digital identities are used by the organization for keeping their sensitive or confidential
information safe and secure. It also allows sharing the information but only on a reliable network
and only to those who need that. According to the given case, it is necessary for the charity to
implement security of digital identifies for keeping the personal and private information of the
client secure. Digital identity will be the key to the staff members of charity to access the
database and computer systems effectively. Digital identities are safer and secure for the
companies as compare to the other general or traditional methods. In this, a single print of the
thumb is sufficient and more secure than the full credit history of the person. With the help of
this method, only desirable and right candidate will able to access the required information.
Individuals can edit or update their personal information but cannot delete as this right is in
hands of the admin (Li-ming, 2013).

The digital identification of the Charity should consist of the following two steps:

Identity Authentication

Identity Verification

Figure 3: Steps of Digital Identification

Identity Authentication: In this charity needs to authenticate the identity claim of the person by
providing the information such as Username and Password, Unique Identity Number, biometric
password, thumb impression, etc. In the context of the charity, workers are offered to have their
Username and Password for accessing the information.

Identity Verification: In this, employees of the charity will have verified their authenticated
digital identity by putting the right Username and Password. IT team needs to provide 2 attempts
for entering the right UID and Password. If the worker failed to verify his or her digital identity
then, in this case, the system will be automatically locked for some time period. This will help
the organization in preventing unauthorized access (Norwawi and et.al., 2014).

Thus both the phases of the digital identity is important to follow for Charity. In addition
to this, it is also necessary for the firm to implement privacy considerations within its identity
management system. These privacy considerations include privacy policies and procedures,
governmental laws and regulations, safeguards for the physical system components and many
others.

e.Security of personal information

Securing the personal information is another most important task of the Charity. The
Information Privacy Principles (IPP) 4 of Information Privacy Act 2009 is developed for the
protection of personal data. The company should implement this act whiting its working
environment for securing the stored information. Charity should ensure that all the criteria for
security are taken properly for avoiding the breach of the act. Charity should implement
information and communication technology security, access security, physical security, data
breaches, data governance, training sessions, third-party providers, etc for securing the stored
personal and sensitive data from failure, mishandling, unconstitutional modification,
unauthorized exposé and unauthorized right of entry (Wang and Wang, 2015).

The firm should follow the measures for securing the personal information which is
explained below:

 Use of username and password along with the data encryption technique for securing the
access to laptops or computer.
 Disabling the access to the USB ports and if employees want to use than they should be
authorized
 Use of data encryption methods for sending emails
 Adoption of other methods like antivirus, firewall, etc for preventing the stored personal
information from misuse or cyber attacks.
  Utilization of audit logs or audit trails for monitoring the implemented laws and
regulations. It will help in analyzing if a potential breach will occur within the
environment with respect to the personal information.
 The firm can also use digital identities for preventing the unauthorized access to the
systems or servers (Lee, 2014).

Thus, in an above-described manner, Charity can keep its confidential and personal
information safe and secure from the misuse.

f.Access to personal information

In this, the step of the privacy strategy proposal, it is necessary for the Charity to
implement a strong and effective data protection policies and procedures before offering the
access to personal information to the employees. It is a critical task for the firm to offer access to
personal information as it needs trust and confidence over the employee. Access to personal
information to the wrong or unreliable individual can lead to the loss of information which can
affect the image of charity in the market. One can take wrong advantages of the stored
information either for personal or someone else’s benefits. To handle all these issues, the charity
needs to develop strict rules and regulations for the working environment. This will result to
punish the workers who will try to take unwanted advantages of the stored confidential or
sensitive information. The firm will have to implement laws created by the government of nation
like Australia. In context to this, the organization will follow APP12 which provides access to
the personal information on the basis of request entered by the individual. Under this law, the
organization will have to follow all the criteria created by the government. With the help of this,
the charity will able to understand how and when an access to the person should be given the
request. This will result to prevent chances of unauthorized access or misuse of the personal
information (Silva and et.al., 2014).

In this step, Charity will have to implement an effective and proper procedure for both
employee and individual requesting access to the personal information. In this, individual will
need to provide a written application to the charity with the proper reason for requesting to allow
the access to his or her personal information. The reason behind accessing the data should be
rational and strong (Velummylum and et.al., 2014). In return, Charity will have to send notice to
that particular person with the period for accessing the requested information or proper reason
for refusing the request. Proper response on time will create a good and effective impression of
the firm over the requester. Along with this, the company will have to check the identity and
other provided information of the requester before accepting the request for accessing the
information. This keeps the risks or threats of unwanted access to the important personal
information. In addition to it, charity should have full confidence and trust in the employee or
client to whom it is providing rights to access the information. It is the prime responsibility of the
person to access the information within the time period given by the company otherwise Charity
will not extend the time period (Majchrzak, 2014).

g.Quality and correction of personal information

The charity will have to implement APP10 entity of Australian law for enhancing the
quality and correction of the personal information. Under this entity, the charity will have to take
significant actions for ensuring the quality and accuracy of the personal information. In addition
to this, the firm will also have to update the information regarding the disclosure and safety of
the personal information. By conducting the proper quality assessment of the personal
information in certain time period firm will able to analyze the poor and low-quality stored
information. By correcting and verifying the low-quality information, the charity will able to
improve the quality. APP10 of the government laws will make an organization to take effective
actions for handling and improving the quality of the personal information (Ahmad, Maynard
and Shanks,2015). The charity will able to enhance its working process and management of
information by enhancing the quality and their accuracy. Maintenance of the quality of
information can be taken place in two manners: a) At the time of collecting the information and
b) at the time of using or disclosing the personal information. Both the actions will lead to
improvement in the quality handling and control process effectively.

The charity will have conduct audit by using appropriate internal practices and
procedures which will lead to monitoring, identifying and correcting the wrong information. This
process will enhance the quality of stored data and make company use it properly. The protocols
formed by the government will make firm to collect and record the personal information in a
consistent manner. On the other hand, it is the responsibility of the charity to update the new
information to the right record with proper creditability (Jouini and et.al., 2014).
 By reminding both workers and clients of updating their information with time whenever
needed will make an organization to maintain the quality of personal information. It is also
important for the firm to remove unwanted and old data from the database for managing the
space and information effectively. In context to this, Charity can create a quality team whose
duty will check the quality and accuracy of the stored sensitive and personal information with
time. The team will have to ask clients or staff members to check their stored information and
apply for change or update if needed. This procedure will help the quality team in managing and
maintaining the quality and correctness of the sensitive data.

Thus by following all the steps properly and effectively along with the relevant laws and
regulations Charity will able to develop its privacy strategy proposal. This proposal will ensure
the safety and security of the personal information which will lead to increase the trust and
confidence of the employees and customers and make them share their personal and private
information with the firm (Nazareth and Choi, 2015).

PERSONAL DATA PROTECTION STRATEGY PROPOSAL FOR THE

CHARITY
According to the given case study, Charity is changing its technique for handling the
information from Windows Server 2008 for desktop services, database, and file services to the
SaaS cloud-based-infrastructure. The Board of the Charity is highly conscious about the privacy
and security of the data which it holds on the individuals which it provides services to in the
society. The board asks cloud vendor that data breach within the organization can cause
considerable damages to the substantially disadvantaged clients in the community. In context to
this, Board of the firm has asked the vendor to propose appropriate and effective privacy and
security policies for its data (Cherdantseva and Hilton, 2013). The personal protection strategy
proposal for the charity developed by the cloud vendor is as follows:
 Figure 4: Management of Personal Information

a.Protection of personal information

The first step of the personal protection strategy proposal is the protection of the personal
information from threats or risks. It is necessary for the charity to keep employee’s, customer’s,
company’s and other information safe and secure. In this highly competitive market, competitor
firm can take advantages of the charity’s confidential information for gaining competitive
advantages. Thus, for maintaining the market position along with the trust and confidence of the
clients, it is necessary for the firm to implement and follow personal information effectively and
properly. The company should take care of individual’s safety and security while collecting
personal data from them. Use of personal information for wrong means can affect the trust and
honesty of the person which can affect the brand image of the charity. Thus, Charity will have to
follow proper procedure for protecting the personal information. It is important for the
organization to understand the importance of preventing and protecting the collected information
proper and efficient manner (Webb and et.al., 2014).

There are many reasons behind the misuse of the personal information such as gaining
competitive advantages, revenge, gaining financial status, increasing sales, profit margin etc.
Thus, it is necessary for the charity to handle all these issues and it is only possible by protecting
the personal information. The personal information in the data security strategy will include
name, address, Email Id, contact number, gender, criminal record, financial information,
educational qualification, health status and many others along with the personal opinion, views,
business processes, company strategies, new thoughts, opinion about the other person and many
others. Therefore the personal information in this strategy consists of both data about customers,
employees, and charity itself.

Use of cloud-based approach means better sharing and access to the information which
means it needs more strong safety and security. There are chances of unauthorized access to the
information by the third party and other cloud consumers, for handling all this it is also important
to implement all the laws and regulations within the working environment of the organization.
Proper use of a password, digital identities, unique ID, etc will help in preventing illegal
activities regarding the use of information. Along with this, privileges to the employees for
accessing the information should be provided after proper analysis so that, it should be given to
the wrong or non-reliable person of the company (Shropshire, Warkentin and Sharma, 2015).

b.Authorized access and disclosure of personal information

After collecting and deciding the protecting criteria for preventing the personal
information, Charity will have to decide to whom it wants to provide authorized access. The type
of access which firm can provide to the individuals is On-demand access and Network Access. It
is also necessary to maintain the reliability and consistency of the information. The charity will
have to provide access to the information like financial, personnel, personal, confidential,
strategic, transactional and publically available as per the need and demand of the type of person.
Access to the database needs to be provided to a trustworthy and experienced person only who
can properly follow all the rules and regulations along with the criteria of laws (Soomro, Shah
and Ahmed, 2016).

In this, the organization will have to conduct proper analysis and take decision for
deciding to whom it wants to give authorized access to the personal information. Along with this,
the company will also have to decide the procedure for disclosure of the information. In context
to this, firstly charity should conduct an internal analysis of the environment for understanding
the present situation regarding the management and maintenance of information. On the basis of
collected information, Charity will able to decide the procedure regarding the both accessing and
disclosing the personal information. In the context of the employees, the firm will have to select
experienced, reliable, workers having more than 5years with the firm and trustworthy whereas,
for customers, the charity will have to use electronic identity verification. This verification will
streamline the process for offering secure and safe access to the personal information of the
clients online.

With respect to the access of information, Charity should provide this on the basis of
proper reasonable and significant request of the client. In return, the organization will have to use
challenge and response method. In this method, the client will have to answer the questions
asked by the system regarding his or her life such as the name of a best friend, favorite hobby,
the name of the favorite teacher, place of birth, etc. For the first time, the user will have to select
one question whose answer is known to him or herself only. Later, at the time of access to
information, the system will automatically ask the question. If the answer is right then access
will be provided to the client otherwise not. On the other hand, the firm can also use mobile
verification approach for securing the personal information. In this, the user will get One Time
Password (OTP) on his or her verified mobile number and by entering that OTP to the system, he
or she will get access to the information (Ahmad, Maynard and Park, 2014).

After the request of the person, it is the duty of the employer to respond that request
within the fixed time period. There should be proper notice provided to the requester for either
accepting or rejecting the request. The late response can result to affect the image of the firm
among both workers and customers. On the other hand, the disclosure of the information should
be for some reasonable purpose about which that particular person should have proper
information. Disclosing of information without taking permission of the individual will declare
as the illegal act and person has full right to claim for it. Thus, Charity should clear the all the
details regarding the disclosure of information to the person and respond according to his or her
response. All the criteria of laws formed by the government of Australia should be fulfilled by
the company while disclosing the personal information (Xu and et.al., 2014).
c. De-identification of personal data

Figure 5: Data De-identification

De-identification of the personal data will be used by the charity for enabling sharing and
publishing of the personal information without disturbing the personal privacy. It is quite a
typical task for the organization to use the personal information while keeping its privacy and
confidentiality. But in this step of the proposal, Charity will able to enhance the use and value of
the information assets along with following all the criteria of privacy and security. Firstly, the
company will have to follow the Australian Privacy Principles (APPs) for collecting, retaining
and securing the personal data properly. These APPs are appropriately described in the Privacy
Act 1998 of the nation. De-identification of the personal data along with the proper laws and
regulations will maintain the credibility and safety of the stored sensitive and confidential data
(Cavelty and Mauer, 2016).

Two processes will be followed by the Charity for de-identification which are:
Elimination of the identifiers such as name, contact number, address, DOB, etc and alteration or
removal of the details like remarkable characteristics which can help in identifying a particular
person. Both the steps will help in using only necessary and required information. On the other
hand, there are chances of occurring indirect identification threats or risks to the information. In
the context of it, Charity will have to involve confidentialisation with respect to access and
manage the risks which can create within the de-identified datasets. Risk Assessment is one of
the effective approaches with the help of which organization can handle and control the
occurrence of the risks (Ifinedo, 2014).
 Charity should aware of the manner of using the personal information of the individual. It
should either use it when there is need to publish the information asset or share with the other
entity. The organization can also evaluate the levels of the de-identification in the following
manner:

 Type of information, firm wants to include in the information asset

 Access to the information asset with proper reason
 Type of threat to the information, in case it is re-identified.

Charity can use techniques like removing or modifying the quasi-identifiers, altering
identifiable information, swapping the identifying information for one individual with the
information of other with same characteristics, etc. These techniques can result to handle indirect
risk which can occur to the de-identification of the personal information (Cavusoglu and et.al.,
2015).

d. Use of personal digital identities

In this, Charity needs to decide whom it wants to develop the digital identity and for what
reason. This gathered information will make firm to provide digital identities to the trustworthy,
experienced and desirable person which will reduce the chances of misusing the information.
Along with this, the organization should make sure that digital identities will be safe and
unavailable for the public domain. All these functions will help the charity in developing and
increasing the transparency, securing the personal information, using the verification regarding
tax return, renew licenses, etc. Effective and efficient use of the personal digital identities in the
Cloud-based infrastructure i.e. SaaS of the charity will increase the safety and security of its
important and personal information from unauthorized access or misuse via threats or cyber
attacks. This will also enhance the trust, confidence and belies of the stakeholders on the
working processes and produced services of the charity (Lloyd, 2017).
e.Security of personal data

Figure 6: Data Protection Principles

This step is one of the most important steps of the proposal which helps in securing the
personal data from unauthorized access or misuse. The charity needs proper safety and security
of stored personal information. With the help of proper techniques and methods, an organization
can prevent the information from threats or risks. Firstly, firms will have to conduct risk
assessment process for identifying the present security conditions along with the relevant policies
and procedures. This will help the organization in selecting the suitable security measures for
protecting the personal data from unwanted access.

The charity will have to follow Data Protection Act for securing the personal data
effectively. The organization will have to design the framework for ensuring the security of
gathered personal data of the individuals. By using the techniques such as Username and
Password, lock to the main computer screen, security alerts and notifications, installation of anti-
virus as per the need, the etc firm will able to avoid the unauthorized access, unwanted
modifications or loss of the important personal data (Crossler and et.al., 2013).

The company will have to use encrypted data for safe access to the emails and social
networking sites like Facebook, Instagram, YouTube, Twitter, etc. This will help in reducing the
chances of misusing the information by the third party. Apart from this, Charity will have to
implement the policies and procedures such as electronic information security policy,
information security user policy, risk assessment policy, access control policy and much more
for developing a strict environment within the workplace for handling the personal information
properly. The firm will have to create some punishment or charges for those who even try to
access the information for misuse. All these efforts will make Charity to secure the personal data
properly and effectively (Siponen, Mahmood and Pahnila, 2014).

f.Archiving of personal data

The last step of the proposal includes archiving of personal data which includes the
transfer of that data which is not in use for a long time. The charity will have to decide in what
manner it wants to store or keep the inactive data. Archiving of personal data will make firm to
use it in future. The organization will get different advantages by implementing this step within
the working environment such as a decrease in the cost of primary storage and volume of data,
increase in the capacity for data storage, removal of inactive data from the backup for improving
the restore and backup performance and many more. Charity can store the archived data in two
manners: Online and Offline. Thus, the firm will have to decide first in what manner it wants to
store the inactive data. If it wants to store online then, the organization will archive the personal
data on disk system which is easy and fast to access. Whereas, in office manner, the organization
will need to archive the personal data in tape or other types of removable media. With respect to
the offline method, Charity will have to use proper archiving systems which provide
comprehensive data protection and archiving services in smarter and safer way. This software
also offers different functions to the user such as mobile device discovery, mobile device
management, antivirus protection, backup and disaster recovery, web protection for customers,
generation of reports for archival data and many more. In the end, the firm will have to use
effective data management protocol for managing the achieved data properly (Peltier, 2013).

Therefore, by following all the above steps properly and effectively Charity will not face
any issue regarding the safety and security of the personal information. Proper implementation of
all these steps will result to avoid risks or threats to the stored confidential information.
CONCLUSION
Thus, from the above study, it is clear that data security and safety plays important role in
the areas of information technology. Some risks like Excessive, Inappropriate and Unused
Privileges, Weak Audit Trail and Unsecured Storage Media are present in the in-house database
of the firm. For handling this, Charity is migrating from the use of an in-house database to the
cloud-based infrastructure i.e. SaaS which can result to occur direct or indirect risks to the stored
personal information. But the new approach can have some risks or threats like a risk to the
Database, Data Security and Privacy, availability of the Hosted Application, etc. In context to
this, proper data risk assessment method, privacy strategy for personal data and personal data
protection strategy has been discussed properly. By following all the suggested methods and
approaches of the cloud vendor, the organization will able to keep their confidential and sensitive
information safe and secure.

REFERENCES
Ahmad, A., Maynard, S. B., & Park, S. (2014). Information security strategies: towards an
organizational multi-strategy perspective. Journal of Intelligent Manufacturing, 25(2), 357-370.

Ahmad, A., Maynard, S. B., & Shanks, G. (2015). A case analysis of information systems and
security incident responses. International Journal of Information Management, 35(6), 717-723.

Cavelty, M. D., & Mauer, V. (2016). Power and security in the information age: Investigating
the role of the state in cyberspace. Routledge.

Cavusoglu, H., Cavusoglu, H., Son, J. Y., & Benbasat, I. (2015). Institutional pressures in
security management: Direct and indirect influences on organizational investment in information
security control resources. Information & management, 52(4), 385-400.

Cherdantseva, Y., & Hilton, J. (2013, September). A reference model of information assurance &
security. In Availability, reliability and security (ares), 2013 eighth international conference
on (pp. 546-555). IEEE.
Chong, S., & Meyden, R. V. D. (2015). Using architecture to reason about information
security. ACM Transactions on Information and System Security (TISSEC), 18(2), 8.

Chua, H. N., Wong, S. F., Chang, Y., & Libaque-Saenz, C. F. (2017). Unveiling the coverage
patterns of newspapers on the personal data protection act. Government Information Quarterly.

Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., & Baskerville, R. (2013).
Future directions for behavioral information security research. computers & security, 32, 90-101.

Garba, A. B., Armarego, J., & Murray, D. (2015). A policy-based framework for managing
information security and privacy risks in BYOD environments. International Journal of
Emerging Trends & Technology in Computer Science, 4(2), 189-98.

Hu, Q., West, R., & Smarandescu, L. (2015). The role of self-control in information security
violations: Insights from a cognitive neuroscience perspective. Journal of Management
Information Systems, 31(4), 6-48.

Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the
effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-79.

Jensen, M. (2013, June). Challenges of privacy protection in big data analytics. In Big Data
(BigData Congress), 2013 IEEE International Congress on (pp. 235-238). IEEE.

Jeong, H. L., & Park, K. W. (2016). A Virtual-Synchronized-File Based Privacy Protection

System.

Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of security threats in
information systems. Procedia Computer Science, 32, 489-496.

Kajzer, M., D'Arcy, J., Crowell, C. R., Striegel, A., & Van Bruggen, D. (2014). An exploratory
investigation of message-person congruence in information security awareness
campaigns. Computers & security, 43, 64-76.

Kenyon, S. M. N. (2016). U.S. Patent No. 9,291,463. Washington, DC: U.S. Patent and
Trademark Office.
Kim, C. W., Cho, N. S., Hur, B. J., Sim, Y. T., & Son, J. H. (2014). Improvement In Protection
Of Personal Information By Korean Red Cross. Vox Sanguinis, 107, 62.

Kim, G. Y., Jung, K. J., Shin, Y., Kim, S., & Kim, J. B. (2015). A Study on Detection of
Malignant Query and Personal Information Leakage through Database Security Log Analysis.

Kolkowska, E., & Dhillon, G. (2013). Organizational power and information security rule
compliance. Computers & Security, 33, 3-11.

Lee, B. Y., Lim, J., & Yoo, J. (2014). Technical Architecture for Implementation and Adoption
of Database Encryption Solution. The Journal of the Korea Contents Association, 14(6), 1-10.

Lee, M. C. (2014). Information security risk analysis methods and research trends: AHP and
fuzzy comprehensive method. International Journal of Computer Science & Information
Technology, 6(1), 29.

Li, Y., Dai, W., Ming, Z., & Qiu, M. (2016). Privacy protection for preventing data over-
collection in smart city. IEEE Transactions on Computers, 65(5), 1339-1350.

Li-ming, W. A. N. G. (2013). Legal Protection of Personal Information: Centered on the Line

between Personal Information and Privacy [J]. Modern Law Science, 4, 008.

Lloyd, I. (2017). Information technology law. Oxford University Press.

Majchrzak, A. (2014). Information security in cross-enterprise collaborative knowledge work.

McCarthy, V., & Plummer, J. (2016). MANAGEMENT INFORMATION SYSTEMS AND

THE PROTECTION OF PRIVATE INFORMATION: AN ETHICAL FRAMEWORK FOR
DECISION MAKERS IN ORGANIZATIONS. ournal of Information Systems Technology and
Planning, 128.

Nazareth, D. L., & Choi, J. (2015). A system dynamics model for information security
management. Information & Management, 52(1), 123-134.

Norwawi, N. M., Alwi, N. H. M., Ismail, R., Wahid, F., & Alkaenay, N. M. (2014). Promoting
Islamic Ethics on Privacy in Digital Social Network For User Data Protection and Trust. ʻUlūm
Islāmiyyah Journal, 13, 115-127.
Peltier, T. R. (2013). Information security fundamentals. CRC Press.

Rerabek, M., & Ebrahimi, T. (2014). A new database of still and moving High Dynamic Range
pictures. In HDRi2014-Second International Conference and SME Workshop on HDR
imaging (No. EPFL-CONF-197849).

Schwalbe, K. (2015). Information technology project management. Cengage Learning.

Shimeall, T., & Spring, J. (2013). Introduction to Information Security: A Strategic-based

Approach. Newnes.

Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes, and intentions:
predicting initial adoption of information security behavior. Computers & Security, 49, 177-191.

Silva, M. M., de Gusmão, A. P. H., Poleto, T., e Silva, L. C., & Costa, A. P. C. S. (2014). A
multidimensional approach to information security risk management using FMEA and fuzzy
theory. International Journal of Information Management, 34(6), 733-740.

Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information
security policies: An exploratory field study. Information & management, 51(2), 217-224.

Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management needs more
holistic approach: A literature review. International Journal of Information Management, 36(2),
215-225.

Spiekermann, S., Acquisti, A., Böhme, R., & Hui, K. L. (2015). The challenges of personal data
markets and privacy. Electronic Markets, 25(2), 161-167.

Tamjidyamcholo, A., Baba, M. S. B., Shuib, N. L. M., & Rohani, V. A. (2014). Evaluation
model for knowledge sharing in information security professional virtual community. Computers
& Security, 43, 19-34.

Tøndel, I. A., Line, M. B., & Jaatun, M. G. (2014). Information security incident management:
Current practice as reported in the literature. Computers & Security, 45, 42-57.

Velummylum, P., Timmermann, J. M., Russell, J. A., Faris, L. J., & Pankey, N. A. (2014). U.S.
Patent Application No. 14/452,399.
Wang, D., & Wang, P. (2015). Offline dictionary attack on password authentication schemes
using smart cards. In Information Security (pp. 221-237). Springer, Cham.

Webb, J., Ahmad, A., Maynard, S. B., & Shanks, G. (2014). A situation awareness model for
information security risk management. Computers & security, 44, 1-15.

Xu, L., Jiang, C., Wang, J., Yuan, J., & Ren, Y. (2014). Information security in big data: privacy
and data mining. IEEE Access, 2, 1149-1176.