IT Risk Management: Data Security Policy for Regional Garden
Added on 2022/08/23
AI Summary
This report outlines an IT risk management policy developed for Regional Garden, an organization with a data center housing crucial business information. The policy's primary objective is to safeguard the integrity of the organization's data and support its operational goals. The policy's scope encompasses employees, the IT department, and the data administrator, impacting data access rights through stricter controls. Employees are responsible for accessing only necessary data and requesting access through the data administrator. The IT department is tasked with bolstering data center security. Mandatory requirements include defining data access levels based on employee designation, prohibiting data disclosure, ensuring valid data access requests for organizational purposes, and requiring data administrator approval for all requests. Access is limited to the office premises via the organizational network, with exemptions for top operational managers and in emergency situations. The report also includes a glossary and a bibliography of relevant sources.

Running head: IT RISK MANAGEMENT
IT Risk Management
Name of the Student
Name of the University
Author Note

Brief Overview:
Regional Garden is an organization that runs a number of gardening enterprises. It also runs a nursery section that sells garden products and plants to the public, and it provides advice on gardening.
Regional Gardens currently has a small data centre that houses the organization's server and data storage. Securing this data centre is important so that the organization can keep functioning properly. A policy is therefore developed to preserve the integrity of Regional Garden’s data; it is discussed in the following sections.
Policy Purpose and Rationale:
The main purpose of this policy is to protect the business data stored in the organization's data centre. This data is essential for keeping the business operating properly. A further purpose of the policy is to help Regional Gardens achieve its organizational goals.
Policy Scope:
Implementing this policy will directly affect several groups in the organization. First, the employees of the organization will be affected. The information technology department will also be affected. Finally, the data administrator will be affected by the implementation of this policy.
The policy will affect data access rights. A more restrictive data access policy will be implemented, which will affect the data access rights of the organization's employees. The role of the data administrator will also change in order to ensure protection of the data.
Roles and Responsibilities:
To ensure that the data protection policy is properly established in the organization, employees must fulfil their roles and responsibilities. Employees should access only the organizational data they require at a given time. To access data, an employee should submit an access request to the data administrator. Employees are also responsible for not disclosing any organizational data. The main role of the IT department is to strengthen the security of the organization's data centres. The data administrator needs to evaluate each data access request from employees and grant access to the data if the requester is eligible.
Mandatory Requirements:
To ensure that the policy is properly established in the organization, some mandatory requirements need to be followed. These requirements are listed below.
• Appropriate data access levels should be defined in the policy, and an employee's level of data access will depend on the employee's designation. A higher designation means a higher level of access to the data.
• Employees who access organizational data should not disclose that data at any time, even within the organization.
• A data access request should be made with valid reasons and only for an organizational purpose. Data access requests made for anything other than an organizational purpose shall not be entertained.
• All data access requests made by employees should be approved by the data administrator, irrespective of whether the requesting employee has a higher or a lower designation.
• Data access requests made by employees without valid reasons should be rejected immediately.
• The security of the data stored in the organization's data centre should be ensured by the IT department.
• Access to organizational data should be provided within the office premises only, and the data should be accessed only through the organizational network service. Accessing the data through a personal network service is prohibited.
• No remote access of any type to the organizational network will be provided.
Exemptions:
This policy has some exemptions:
• Top operational managers and information managers can access the organizational data stored in the organization's data centre without the permission of the data administrators. These designations include CTO, CEO, CIO and Directors.
• In any type of emergency situation, all data access requests can be rejected, even when an employee makes a valid data access request.

Glossary:
Term: Definition
IT: Information technology, the use of computer systems for storing, retrieving, transmitting and manipulating data.
Data Access Level: The set of restrictions or permissions applied to a set of data.
Data Access Request: A request made by a user to access a specific set of data.

Bibliography:
Dyke, S. O., Saulnier, K. M., Pastinen, T., Bourque, G., & Joly, Y. (2016). Evolving data access
policy: the Canadian context.
Huang, Q., Wang, L., & Yang, Y. (2018). DECENT: Secure and fine-grained data access control
with policy updating for constrained IoT devices. World Wide Web, 21(1), 151-167.
Rifi, N., Rachkidi, E., Agoulmine, N., & Taher, N. C. (2017, October). Towards using
blockchain technology for eHealth data access management. In 2017 Fourth
International Conference on Advances in Biomedical Engineering (ICABME) (pp. 1-4).
IEEE.
Yang, K., Han, Q., Li, H., Zheng, K., Su, Z., & Shen, X. (2016). An efficient and fine-grained
big data access control scheme with privacy-preserving policy. IEEE Internet of Things
Journal, 4(2), 563-571.