The disclosure by a person, usually an employee in a government agency or private enterprise, to the public or to those in authority, of mismanagement, corruption, illegality, or some other wrongdoing. Whistleblowers often face reprisals from their employer, who may suffer reputational damage as a result of the whistle being blown, or from colleagues who may have been involved in the illicit activities. In some cases reprisals become so severe that they turn into persecution. In some cases reprisals come through legal channels, particularly if the whistle has been blown for illegitimate reasons. Protection of whistleblowers is an important focus for the legal system, as is incentivising whistleblowing when there are many reasons stopping employees from doing so. In the UK, the Public Interest Disclosure Act 1998 is the basis of legal protection of whistleblowers. Previously disclosures had to be in the public interest, but new legislation enacted in late June 2013 changed this so that disclosures had to be in good faith.
Blockchain technology is probably the best invention since the internet itself. It allows value exchange without the need for trust or for a central authority. Today we have three options to manage this transaction:
- We can trust each other.
- We can turn the bet into a contract. With a contract in place both parties will be more inclined to pay; however, should either of the two decide not to pay, the winner will have to pay additional money to cover legal expenses and the verdict might take a long time. Especially for a small amount of cash, this does not seem the optimal way of managing the transaction.
The crucial task for the HR department when it comes to information security is to be proactive rather than reactive. It is unwise to rely solely on the IT department to make sure staff are educated about data loss and how to prevent it.
HR professionals have to ensure that employees comply with security policies.
The purpose of this standard is to set rules that apply before, during and after the termination of employment.
The controls in this section ensure that the people who are under the organization's control and can affect information security are fit and appropriate for their work and know their responsibilities, and that any changes in employment conditions will not hamper information security.
The following terms are used to identify who within the organization is Accountable, Responsible, Consulted or Informed with regard to the policy:
- Accountable: the person who has accountability and authority for the policy.
- Responsible: the person(s) responsible for developing and implementing the policy.
- Consulted: the person who is consulted prior to finalizing the policy implementation.
- Informed: the person to be informed after policy implementation.
There are three areas of human resource security:
- Prior to employment: the roles and responsibilities for the job are defined, and the access controls over sensitive data that the role will need must be defined. During this phase, contract terms should also be established.
- During employment: employees who have access to sensitive information should receive periodic reminders regarding their roles and responsibilities.
- Termination and change of employment: this phase includes the return of any organizational assets that were held by the employee. To prevent unauthorized access to sensitive information, access must be revoked immediately upon termination of an employee who has access to such information.
The objective of human resource security is to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
The confidentiality, integrity and availability of data are very important for good governance. Failure to adequately secure information increases the risk of financial and reputational losses. This information security policy outlines the approach to information security management.
It provides the guiding principles and responsibilities necessary to safeguard the security of the information systems. Supporting policies, codes of practice, procedures and guidelines provide further details. The main idea is to provide the principles by which a safe and secure information systems working environment can be established for staff, students and any other authorized user. Information security provision and the policies that guide it will be regularly reviewed, including through the use of annual internal audits and penetration testing. An information security policy is the means by which an organization records why it uses a particular control, what need that control serves, and whether users have been informed of it. In many cases, the executives have no idea how information security can help their organization, so the main purpose of the policy is that top management defines what it wants to achieve with information security.
The second purpose is to create a document that the executives will find easy to understand, and with which they will be able to control everything that is happening within the ISMS; they do not need to know the details of, say, risk assessment, but they do need to know who is responsible for the ISMS. Source: https://advisera.com/
A.9. Access Control
To begin with: "if you have no access control, you have no security at all."
Access control is one of the main building blocks of information security. It must be designed so that it is both secure enough and acceptable to users.
The purpose of this document is to specify the rules for access to various systems, sensitive information and equipment facilities.
Using an access control system allows you to manage access or entry to almost anything: file access, workstation access, printer access and, in our case, door, facility, building or office access.
There are two main types of access control: physical and logical.
Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access limits connections to computer networks, system files and data.
Basic components of access controls are:
- User facing (access card)
- Admin facing (API)
- Infrastructure (electric door lock)
An access control policy ensures that both logical and physical access controls over information systems are in place to protect those systems and the sensitive data they hold.
Factors used to authenticate a user:
- Password, PIN (something the user knows)
- Smart card (user has)
- Fingerprint (user is)
For computer security, access control includes the authorization, authentication and audit of the entity trying to gain access. Access control models have a subject and an object. The subject (the human user) is the one trying to gain access to the object (usually the software or data). In computer systems, an access control list contains a list of permissions and the users to whom these permissions apply. Such data can be viewed by authorized people and not by unauthorized people, and this is enforced by access control. This allows an administrator to protect information and set privileges as to what information can be accessed, who can access it and at what time it can be accessed.
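The paragraph above describes an access control list that ties permissions to users and can restrict when access is allowed, and the earlier human resource security section requires that access be revoked immediately on termination. The following Python is an added example, not code from the original page, that puts those pieces together: it authenticates a subject using the factor categories the page lists (something the user knows, has or is), authorizes the request against an ACL with an allowed-hours window, writes an audit record for every decision, and shows the effect of revoking a leaver's entry. The object name, user names and timestamps are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Map each authentication factor to the category it belongs to
# (the "knows / has / is" split used on the page).
FACTOR_CATEGORY = {
    "password": "knows",
    "pin": "knows",
    "smart_card": "has",
    "fingerprint": "is",
}


@dataclass
class AclEntry:
    """Permissions one subject holds on an object, and the hours it may use them."""
    permissions: Set[str]
    allowed_hours: Tuple[time, time] = (time(0, 0), time(23, 59))


@dataclass
class AccessControlList:
    """ACL for a single object: subject -> entry, plus an audit trail of decisions."""
    obj: str
    entries: Dict[str, AclEntry] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)
    required_factor_categories: int = 2   # require two distinct categories (assumed policy)

    def _audit(self, message: str) -> None:
        self.audit_log.append(message)

    def grant(self, subject: str, permissions: Set[str],
              allowed_hours: Optional[Tuple[time, time]] = None) -> None:
        entry = AclEntry(set(permissions))
        if allowed_hours is not None:
            entry.allowed_hours = allowed_hours
        self.entries[subject] = entry

    def revoke(self, subject: str) -> bool:
        """Leaver process: remove the subject's entry and record that it happened."""
        removed = self.entries.pop(subject, None) is not None
        self._audit(f"REVOKE subject={subject} object={self.obj} removed={removed}")
        return removed

    def authenticate(self, presented_factors: Set[str]) -> bool:
        """Authentication: distinct factor categories presented must meet the policy."""
        categories = {FACTOR_CATEGORY[f] for f in presented_factors if f in FACTOR_CATEGORY}
        return len(categories) >= self.required_factor_categories

    def check(self, subject: str, permission: str,
              presented_factors: Set[str], now: datetime) -> bool:
        """Authorization with audit: every decision, allowed or denied, is logged."""
        decision, reason = "DENY", "unknown"
        if not self.authenticate(presented_factors):
            reason = "authentication failed"
        else:
            entry = self.entries.get(subject)
            start, end = entry.allowed_hours if entry else (None, None)
            if entry is None:
                reason = "no ACL entry"
            elif permission not in entry.permissions:
                reason = "permission not granted"
            elif not (start <= now.time() <= end):
                reason = "outside allowed hours"
            else:
                decision, reason = "ALLOW", "ok"
        self._audit(f"{now.isoformat()} {decision} subject={subject} object={self.obj} "
                    f"perm={permission} reason={reason}")
        return decision == "ALLOW"


def demo() -> Tuple[Dict[str, bool], List[str]]:
    """Constructed scenario: two users, one restricted to business hours, then one leaver."""
    acl = AccessControlList("payroll_db")          # hypothetical object name
    acl.grant("alice", {"read", "write"}, (time(8, 0), time(18, 0)))
    acl.grant("bob", {"read"})
    business_hours = datetime(2024, 3, 4, 10, 30)  # constructed timestamps
    night = datetime(2024, 3, 4, 23, 0)

    results = {
        "alice_read_ok": acl.check("alice", "read", {"password", "smart_card"}, business_hours),
        "alice_single_factor": acl.check("alice", "read", {"password"}, business_hours),
        "alice_after_hours": acl.check("alice", "write", {"password", "fingerprint"}, night),
        "bob_write": acl.check("bob", "write", {"pin", "smart_card"}, business_hours),
    }
    acl.revoke("alice")                            # termination: access removed immediately
    results["alice_after_revoke"] = acl.check(
        "alice", "read", {"password", "smart_card"}, business_hours)
    return results, acl.audit_log


if __name__ == "__main__":
    outcome, log = demo()
    for name, allowed in outcome.items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
    print("\n".join(log))
```

Note that a password and a PIN both fall in the "knows" category, so presenting both still counts as a single factor; that is why the check counts categories rather than factors. The audit log records denials as well as grants, which is what makes after-the-fact review of access attempts possible.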
Business continuity is a proactive plan to avoid and mitigate risks that might disrupt the delivery of service to your customers or interrupt your operations.
Business continuity management outlines the steps that should be taken before, during and after an event to maintain the financial viability of an organization. Business continuity management elaborates a framework for identifying an organization's exposure to internal and external threats. BCM includes disaster recovery, business recovery, crisis management, incident management, emergency management and contingency planning.
Information security continuity has to be embedded into the organization's business continuity management system (BCMS). An information security continuity plan sets out the procedures that can be executed when an adverse situation such as a disaster or calamity arises. The organization needs to establish, document, implement and maintain processes, procedures and controls to ensure the required level of continuity for information security is achieved during an adverse situation. The organization has to verify and exercise its information security continuity controls at regular intervals in order to ensure that they are valid and effective during adverse situations. Also, the organization needs to maintain redundancy of information processing facilities, such as offsite backup systems and data warehouses, to meet the availability requirements. The BCMS encompasses all the above factors when creating a business continuity plan.
Thus, Business Continuity Management helps an organization to achieve the following:
- Minimise the effect of a disruption on an organization.
- Reduce the risk of financial loss.
- Retain company brand, image & reputation, and give staff, clients and suppliers confidence in the organization’s services.
- Enable the recovery of critical systems such as facility, data, and assets within an agreed timeframe.
- Meet all legal and statutory obligations.
- Ensure continuous delivery of critical services and products to customers.
- Establish Training programs for the employees about the necessary steps that need to be taken during the time of any unforeseen event.