Auditing Assignment: Case Analysis Of Service NSW Data Breach
Question
Task:
Case Study: Service NSW Data Breach
On September 7th 2020, media reports showed that the Service NSW, the New South Wales state’s biggest data collection agency, suffered a massive data breach through a cyber-attack. Personal data of 186,000 customers and staff were leaked after a cyber-attack occurred through phishing emails earlier this year, in which 47 employees had their email accounts compromised. A four-month investigation, which began in April, concluded that roughly 3.8 million documents had to be analysed to assess the severity of any possible breaches.
"This rigorous first step surfaced about 500,000 documents which referenced personal information," Service NSW chief executive Damon Rees said. "The data is made up of documents such as handwritten notes and forms, scans, and records of transaction applications."
The total size of the breach was 738 gigabytes of data, but not all of that was personal information, a spokesperson for Service NSW said. There is no evidence that individual MyServiceNSW account data or Service NSW databases were compromised.
Customers who have been identified as "at-risk" will be notified by mail, which will include instructions on how to get support. The department said it "will never call or email a customer out of the blue requesting customer information about this or any other data breach".
Based on the above case study, you have to prepare an auditing assignment report and then a subsequent presentation to answer the following:
- Objectify your audit focus and scope.
- Which IT resources of Service NSW are you planning to audit? And how can you detect regularities and abnormalities in them?
- What suggestions and recommendations do you want to provide to Service NSW based on your findings?
- As an IT auditor, what are the rules and regulations that you plan to adhere to?
Answer
1. Introduction
The current auditing assignment examines the data breach in the present case. A data breach is the taking of confidential information without permission. Data breaching is a type of cybercrime that is mainly carried out to steal business information. As a result of a data breach, a company faces financial crisis and privacy hazards, and its overall strategy is affected. Data breaches can occur in different ways, such as malware infusion, third-party involvement, and lack of commitment from company employees. This report analyses the effect of the data breach on Service NSW and develops a plan to improve data privacy in a company.
2. Overview of the Case Study
Service NSW is a service agency based in New South Wales. It is considered the biggest data collection agency in the town. Service NSW has 73 regional centres that assess documents related to government work through email, mobile application, face-to-face interaction, and online channels. On 7th September 2020, Service NSW faced a massive data breaching incident that revealed personal data from 186,000 customers. The cyber-attack on Service NSW occurred through an email phishing incident. 47 employees from Service NSW were exposed through their email accounts. The company faced a four-month investigation process that started in April.
The investigation concluded that over 3.8 million documents were involved in the data breaching incident and that the investigators had to check these files to understand the severity of the incident. The Chief Executive of Service NSW, Damon Rees, said that about 500,000 documents containing personal data, such as handwritten forms, notes, scans, and other application transactions, were exposed to the cyber-attacker. The total size of the breached documents was 738 gigabytes. However, not all the information exposed through this incident was personal information. The individual service accounts on MyServiceNSW showed no evidence of facing a cyber-attack.
3. Explanation on Audit Focus and Scope
The strong relationship between the Service NSW clients and auditors helped in restricting the data breaching incident. The main focus of the current audit is establishing an audit system that will focus on:
- The implementation of the security system in the cloud computing process at the Service NSW server to encrypt the documented data
- Ensuring the clients and employees have changed their previous password and user ID to secure themselves from further cyber attack
- Addressing the current issue through email notification to the affected individuals
- The notifications given to the affected individuals from the data breaching incident will include the instructions for further support
In the current scenario, multi-structural organizations like Service NSW are facing more damage from cyber-attacks because of their increasing usage of information systems (Jusas et al., 2019). The effective focus of the audit department will be:
- The internal management and technical department at Service NSW should provide an effective data management system for their collected data
- The improved performance of data management will help the organization sustain its security control measures
- External requirements, such as the generation of strong passwords by employees and clients, maintaining the private and public servers for the data management process, and regular updates to the security system at the cloud processor, are important to fulfil
- Inherent risk assessment should be the main focus of the audit scope at Service NSW in protecting confidential and sensitive information
4. Planned IT Resources of NSW for Audit
Being the biggest data collection agency in New South Wales, Service NSW needs to strengthen its technology devices with strong security codes and detection processes to prevent any unauthorized network access. The implementation of an encryption control system within the cloud servers will help dynamic organizations like Service NSW in enhancing cyber-security (Kogiso, 2018). The internal storage system that Service NSW sustains with the help of cloud computing technology is exposed to public servers.
It is the responsibility of the auditors and IT developers within the Service NSW agency to strengthen their security control. In addition, the customers and employees of the organization have been widely requested to change their passwords and user IDs to secure their existing accounts against further cyber vulnerabilities. The initial planning might not cover the full extent of the vulnerabilities, but it is effective as a first-stage security protection process.
5. Analysis and Findings from the Implemented IT Resources in Audit Activities
The development and adoption of cloud computing have become essential for the business and corporate sector (Bhardwaj and Goundar, 2019). The strength of this technology is in documenting a vast amount of data in real time through shared public and private networks. The IT system within Service NSW helps it cope with changing market demands and sustain a security system that prevents the organization from facing cyber-attack incidents (Bhardwaj and Goundar, 2019). The implementation of IoT helps in adjusting to the ever-changing market with advanced technologies.
There is a pool of data within a cloud service, and effective cyber-security can make the process more reliable. The considerable advantages of cloud computing, such as its flexibility, cost-efficiency, and time-effectiveness, face criticism because of growing cyber-security issues (De Donno et al., 2019). The analysis of the newly implemented IT measures in the audit activities of Service NSW is as follows:
| Findings from IT Resources | Efficiency | Analysis |
|---|---|---|
| Cyber-security policy | High | The coordination of the cyber-security policies with the help of other resources helps in improving the protection of the devices that are vulnerable to cyber-attacks (Dean and McDermott, 2017). The implementation of the policy will make the employees and clients follow official rules and regulations that can help in preventing future data breaching incidents. |
| Regular system and activity update | High | Regular reporting from the technical and data documentation department to the security managers will help in keeping the system updated. When external data is accessed, the security manager needs to check the authentication and authorization of the individual before providing the required data. It will keep unauthorized interventions under control. |
| Strengthening Password and User ID | Medium | At the initial stage, the employees and clients were instructed to change their previous passwords and user IDs linked with Service NSW. The strengthening of the new passwords and user IDs will help the organization start its new security maintenance process effectively without using anything from the previous system. |
| Regular monitoring and maintenance of security policies | Medium | This is the most important finding after the implementation of the new security system in the cloud computing process. The maintenance of the security policies will include or discard any rule according to whether it is effective for the organization. It will also help the management in detecting any abnormalities or irregularities in the security system. |
6. Detection of Regularities and Abnormalities of Chosen IT Resources
| Detection process | Impact | Detection of regularities and abnormalities in IT resources |
|---|---|---|
| Implementation of governance data security policy | High | · Implementation of a data security policy will develop privacy in the workplace. If an employee of the company is involved in the data breaching process, they will face consequences under the data security policy of the company. · Employees will be concerned about the risk of data breaching. If the policy is weak, it will increase the risk of data breaching in the company (Alqahtani, 2017). So, a data security policy has a great impact on the prevention of data breaching. · The policy will help the company to identify the hacker as an outsider or insider of the company, and punishment will have an impact on others in the office. |
| Regular reporting | High | · Regular reporting is an essential tool for detecting the reason for data breaching. It will help to identify the source of data breaching. · Regular reporting improves workplace safety and enhances the data security level, which is necessary to reduce the data breaching rate. · Policy implementation alone cannot prevent data breaching in a company; regular reporting enhances the efficiency of detecting abnormalities in the workplace. |
| Analysis of new technology | Medium | · Analysis of technology is very important before the implementation of any new technology. · Data breaching occurs when more personal, sensitive information is transferred into the network (ONIK, Chul-Soo and Jinhong, 2019). The company uses new technology for financial growth, but analysis is necessary. · The analysis helps the company to develop security for handling new technology. It will reduce the rate of data breaching. · It will help the company by informing it about the risk of using new technology. |
| Increasing awareness among employees | Medium | · Increasing awareness among employees is the most essential step to make the data security policy more effective. · Data breaching is the incidence of vulnerability in data security (Sharma, 2018). To reduce the rate of harassment in the company, the employees of the company should be more careful about their work. · It is essential for detecting the risks in the workplace that lead to incidents of data breaching. · If there is any malware action on the web, the employee should inform the company, because a little negligence increases the chances of data breaching. |
| Monitoring of the web function | High | · Monitoring of the activity of employees on the web is necessary. · Data breaching sometimes develops from a lack of commitment to the workplace. · The company sometimes provides security alerts about developing risks on the web. It is necessary to take action according to the risk rate. · Monitoring of the web function helps to analyze the risk factors for data breaching and to make the security stronger. |
7. Suggestion and Recommendations on Provided NSW Audit Service
Data breaching is a serious threat to a data collection agency. It affects the overall company, and the employees of the company are also affected by it. To reduce incidents of data breaching in a data collection agency, it is necessary to develop its data security policy. Big data analytics is an essential component of data collection which also carries the risk of data breaching. Cloud computing is another tool for data collection which also increases the data breaching risk (Kumar, Raj and Jelciana, 2018). To reduce the risk rate, the company should develop the security process for data collection.
- The employees of the workplace should be sufficiently committed, otherwise there is a chance of data breaching. They should be aware of the messages sent as security alerts. Negligence in changing security passwords will increase the risk of data breaching. The managing team of the company should monitor their employees' actions. Every suspicious action, however small, should be evaluated properly and necessary action should be taken before a data breach occurs.
- Policy implementation is an essential step for prevention, but before adopting any new technology the company should analyze its risks and benefits to develop security. Losing data adversely affects the company because the data includes various strategic information of the company.
- Cloud computing is an essential method for data collection. Along with its benefits, it brings safety risks (Basu et al., 2018). Analysis is necessary to develop stronger security and prevent further risk in the company. Analysis of new technology will help the company to develop a clear framework for data security.
- Regular monitoring is very important for identifying the risk factors in the process and the source of data breaching in a company. Regular monitoring helps to develop a transparent working process in the company.
- Data breaching is the process of stealing information from the website, which ultimately affects business growth and also the privacy of employees. Data breaching happens at all levels, so it affects the overall company. To prevent this and secure business privacy, the development of data security, along with monitoring of work and regular reporting, are necessary steps that need to be taken into consideration to make data security more efficient for the company and its employees.
- Increasing security alerts helps to develop concern among employees about data breaching, and the company also learns the current state of its data security standard, on the basis of which data security will be developed.
8. Rules and Regulations Planned According to the IT Auditor
In Service NSW, data breaches happened and a great deal of data has been lost. Service NSW has already alerted the people who are at risk and told them not to open any random emails. The agency should have maintained some rules to prevent data breaching.
- The agency should limit access to the most valuable data in the system. The agency should apply rules to limit access to the system. It will help to prevent data breaches in the agency.
- The agency should put General Data Protection regulations in place to maintain the security of the data, which can also prevent data breaching in the system (Ishii and Komukai, 2016). Employees of the agency must not visit any unethical website during working hours.
- The agency should have conducted an employee security awareness training program so that employees know about data breaching and how to prevent it. If the employees safeguard the workplace, it can prevent data breaching in the system.
- Data breaching has become more of a threat to the agency. It causes a loss of data in the system, which affects the agency. The agency should analyze the reason for the data breaching and should implement strategies, using the database administrators, which can help to secure the sensitive data in the organization (Pratt-Sensie, 2020). The agency should also create an advanced infrastructure to prevent data breaching.
- The agency should put in place a regulation about updating the software on a regular basis. If the systems are not updated regularly, they become vulnerable and attackers can attack them easily. Up-to-date programs can strengthen the networks and prevent attacks on the system.
- Data breaches have become a challenge in the workplace and can also affect the economy of the agency. Some private data might get lost, which can affect the agency (Ibrahim et al., 2020). The agency should have implemented advanced technologies that can help the organization prevent future data breaches.
- The auditor can also help the agency to prevent data breaching. Through the audit process and testing, the reason for data breaches can be identified (Liu, 2020). The auditor can help the agency to develop a cyber breach resource plan to prevent data breaches. A cyber breach resource plan can enable the agency to prevent data breaches.
9. Conclusion
Service NSW faced a data breach in September and lost the data of 186,000 customers. The agency lost 738 gigabytes of data, which has caused a loss to the agency. In the current report, the auditor has objectified the scope of the audit and helped the agency to set some rules and regulations to resolve the data breaching problem. It can also help the agency to improve its handling of data breaching. With the help of advanced technologies and data protection regulation, data breaching can be prevented in the agency. It will help the agency to protect sensitive data in Service NSW.
10. References
Alqahtani, F. H. (2017) ‘Developing an information security policy: a case study approach’, Procedia Computer Science, 124, pp. 691–697.
Bhardwaj, A. and Goundar, S. (2019) ‘A framework to define the relationship between cyber security and cloud performance’, Computer Fraud & Security, 2019(2), pp. 12–19.
Dean, B. and McDermott, R. (2017) ‘A research agenda to improve decision making in cyber security policy’, Penn St. JL & Int’l Aff., 5, p. 29.
De Donno, M., Giaretta, A., Dragoni, N., Bucchiarone, A. and Mazzara, M. (2019) ‘Cyber-storms come from clouds: Security of cloud computing in the IoT era’, Future Internet, 11(6), p. 127.
Ishii, K. and Komukai, T. (2016) ‘A comparative legal study on data breaches in Japan, the US, and the UK’, in IFIP International Conference on Human Choice and Computers. Springer, pp. 86–105.
Kogiso, K. (2018) ‘Attack detection and prevention for encrypted control systems by application of switching-key management’, in 2018 IEEE Conference on Decision and Control (CDC). IEEE, pp. 5032–5037.
Kumar, P. R., Raj, P. H. and Jelciana, P. (2018) ‘Exploring data security issues and solutions in cloud computing’, Procedia Computer Science, 125, pp. 691–697.
Liu, L. Y. (2020) ‘Do Auditors Help Prevent Data Breaches?’ The University of Chicago, pp. 1–66.
ONIK, M. M. H., Chul-Soo, K. I. M. and Jinhong, Y. (2019) ‘Personal data privacy challenges of the fourth industrial revolution’, in 2019 21st International Conference on Advanced Communication Technology (ICACT). IEEE, pp. 635–638.
Pratt-Sensie, A. A. (2020) ‘Security Strategies to Prevent Data Breaches in Infrastructure as a Service Cloud Computing’, pp. 1–193.
Sharma, N. (2018) ‘Effect of Data Breaching on Socio-economic Condition of Countries from Social Networking Sites’, pp. 19–23.