
Advice for teachers - Applied Computing

Unit 4: Data analytics

Area of Study 2: Cybersecurity: data and information security

Outcome 2

Respond to a teacher-provided case study to investigate the current data and information security strategies of an organisation, examine the threats to the security of data and information, and recommend strategies to improve current practices.

Examples of learning activities

  • Create a table that includes the advantages and disadvantages of the three main types of networks: wired, wireless and mobile networks. For each of the network types, students describe an example of where the network would be used.
  • Provide examples of each of the three types of threats: accidental, deliberate and event-based. For each of these threats, students: 
    • document the possible impact on both collected data and refined information
    • create a list of mitigation strategies that can be used to eliminate or greatly reduce the impact of these threats.
    Examples of threats could include:
    • staff member damages equipment, unintentional power outage, user access rights to files are insufficient to prevent inappropriate activity
    • viruses/malware, hacks to break authentication – e.g. phishing, Trojan horse threat on program installation
    • fire, flood, earthquake or extended power outage.
  • Conduct an in-class debate on the following topic: ‘Physical security controls are more important than software security controls in keeping organisational data secure’. Focus particularly on biometrics vs. encryption.
  • Students create a one-page written report or poster that explains the importance of keeping certification up to date, with reference to the website: globalsign.com
  • Students list the steps that an organisation would take to encrypt and decrypt data on their storage devices; explain whether this process should be completed manually or automatically; and justify the response.
  • Discuss examples where data does not have integrity by referring to the characteristics of data integrity. Discuss how these examples will cause an organisation to have significant concerns regarding their day-to-day operations.
  • Students interview a range of staff with different responsibilities in their school (e.g. IT manager, classroom teacher and senior leadership team member). Questions cover the data they use and interpret in their daily work and how the information they generate is important to their daily work.
  • Discuss why data and information security needs to be taken seriously by organisations, with reference to data being an asset and business reputation.
  • Students list and describe some examples of diminished data integrity in databases and describe strategies for reducing these problems.
  • Create a table listing the Australian Privacy Principles (Privacy Act 1988), the corresponding Information Privacy Principles (IPP) (Privacy and Data Protection Act 2014) and the Health Privacy Principles (HPP) (Health Records Act 2001) that relate to the collection, storage, communication and disposal of data and information. Explain the main differences between each piece of legislation.
  • Brainstorm a list of unethical behaviours that a member of an organisation could participate in when considering the following: data storage, data access, system availability, pressure from supervisors and selling a product. Then refer students to the Australian Computing Society (ACS) Code of Ethics and discuss how applying the six values of the code can provide professionals with a framework to resolve ethical dilemmas.
  • Discuss the reasons and potential consequences for organisations if they do not plan for: a) backing up data, b) evacuating in the case of a disaster, c) restoring data and d) testing that their disaster recovery plans work. Refer students to the following articles for additional reference:
    abc.net.au
    business.gov.au
  • Identify and discuss traditional media articles that highlight significant data breaches in organisations. Discussion should focus on the impact to stakeholders and the organisation’s reputation.
  • Develop a rubric with criteria for providing an assessment of security strategies in a number of scenarios. Include the following measures of effectiveness in the criteria: currency of files, ease of retrieval, integrity of data and security.

Detailed example

Assessing security strategies


Students develop a rubric containing criteria to provide an assessment of security strategies in a number of teacher-provided scenarios. These scenarios should include at least one effective and one ineffective security strategy in each of the four main effectiveness measures listed in the Terms used in this study (docx - 357.7kb) on pages 8–11 of the study design (currency of files, ease of retrieval, integrity of data and security).

Students construct a rubric by matching statements to the effectiveness measures, as in the example below.

Teachers provide students with a scenario or case study that highlights two effective and one ineffective security strategy.

Scenario

The Joylands Grammar School Council completes regular backups, which are kept both on and off site, and tests the process regularly (every three months) to ensure that their data is able to be fully restored in the case of a significant event. Each banking transaction is reconciled three months after the event to reassure parents that the organisation is worthy of trust when handling finances. Each month, there is a council meeting where future financial projects are discussed and the three-month-old reconciliation reports are provided as ‘the current state of the Joylands’ finances’.

Students use the rubric to assess the effectiveness of the security strategies of the organisation. As part of their assessment, students write a short comment that addresses reasons for their ratings and assessment.

Example rubric solution:

| Effectiveness measure | Low level | Medium level | High level |
| --- | --- | --- | --- |
| Currency of files | All files are too old to be of relevance and may lead to inaccurate decisions being made by the organisation. | Some files are not current and present an issue for reconciliation or being useful for the organisation to make accurate decisions. | Every file contains current data for the organisation’s usage requirements and ensures accurate decision-making by the organisation. |
| Ease of retrieval | Data cannot be retrieved from storage devices. Manual data entry is required to restore organisation-critical data and information. | Data can be retrieved mostly using documented procedures. Occasionally data is not able to be quickly restored due to location of backup media. | Data can be quickly and easily retrieved by the organisation using clearly documented procedures and readily available backup media. |
| Integrity of data | There is a large number of inaccurate and duplicate records that cause inefficiency in the way the organisation runs. Unreliable sources are used to collect data and backups are taken in a random ad-hoc manner. | Most data is stored well with limited inefficiency caused by duplicate and incorrect records. Data backups are scheduled but restoration tests are rarely conducted. | Data is stored with a high level of confidence that there will be few duplicate records and that they have been received from reliable sources. Data restoration from backups is regularly and successfully tested. |
| Secure | Data and information stored in file folders have insufficient software and physical controls to protect the organisation from loss or inappropriate access. | Most files are protected using appropriate security controls. | All files are protected using both physical and software security controls that are appropriately applied for the needs of the organisation. |