Page 150 - Trust in ICT 2017
– Change management: This risk is associated with inadequate change management, including insufficient user involvement and training. It covers whether process changes to a system are both communicated and implemented.
– Data: This risk is associated with inadequate data management controls, covering both the security and integrity of processed data and the effective management of databases and data structures.
Focusing on data integrity, attacks result from intentional and unauthorized modification of data. Attacks on data integrity include abuse of trust, forgery, and unauthorized use, among others. The loss of data integrity is triggered by the following situations [39]:
– Changes to access permissions and privileges;
– Inability to track the use of privileged passwords, particularly when passwords are shared;
– End-user errors that impact production and manipulation of data;
– Vulnerable code in applications (e.g. backdoors);
– Weak or immature change control and accreditation processes;
– Misconfiguration of security devices and software;
– Incorrectly or incompletely applied patches;
– Unauthorized devices connected to the private network;
– Unauthorized applications on devices connected to the private network.
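The first attack on the list, unauthorized modification, is what an integrity control has to detect, and the second, forgery, is why the control should be keyed: a plain checksum can be recomputed by whoever altered the record, while a keyed digest cannot be recomputed without the key. The following Python is an added example, not part of the report or of reference [39]. It builds a keyed manifest (HMAC-SHA256) over a constructed set of records, then re-verifies the data and reports modified, missing and unexpected records. The record contents and the key are invented for the example; in practice the key must be held separately from the data it protects (a KMS or HSM), since a manifest stored next to the data with its key offers no protection against the shared-password or backdoor scenarios listed above.

```python
import hashlib
import hmac
import json
from typing import Any

# Hypothetical key for the example only; a real deployment sources it from a KMS/HSM
# and never stores it alongside the records or the manifest.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def canonical(record: dict[str, Any]) -> bytes:
    """Serialize a record deterministically so equal content always gives an equal digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_tag(record: dict[str, Any], key: bytes = MANIFEST_KEY) -> str:
    """Keyed digest: someone who can edit the data but lacks the key cannot forge a valid tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_manifest(records: dict[str, dict], key: bytes = MANIFEST_KEY) -> dict[str, str]:
    """Baseline: one tag per record id, taken when the data is in a known-good state."""
    return {rid: record_tag(rec, key) for rid, rec in records.items()}


def verify_records(records: dict[str, dict], manifest: dict[str, str],
                   key: bytes = MANIFEST_KEY) -> dict[str, list[str]]:
    """Compare current data to the manifest and report every class of integrity loss."""
    report: dict[str, list[str]] = {"modified": [], "missing": [], "unexpected": []}
    for rid, expected in manifest.items():
        if rid not in records:
            report["missing"].append(rid)            # record deleted
        elif not hmac.compare_digest(record_tag(records[rid], key), expected):
            report["modified"].append(rid)           # content changed (or wrong key)
    for rid in records:
        if rid not in manifest:
            report["unexpected"].append(rid)         # record inserted outside the process
    for bucket in report.values():
        bucket.sort()
    return report


# Constructed sample data: a small table of payment instructions, not real transactions.
BASELINE = {
    "p-1001": {"payee": "ACME Supplies", "amount": 1250.0, "currency": "EUR"},
    "p-1002": {"payee": "Globex", "amount": 980.5, "currency": "EUR"},
    "p-1003": {"payee": "Initech", "amount": 410.0, "currency": "USD"},
}


def demo_tamper() -> dict[str, list[str]]:
    """Take a baseline manifest, simulate unauthorized changes, and verify."""
    manifest = build_manifest(BASELINE)
    tampered = json.loads(json.dumps(BASELINE))      # deep copy of the baseline
    tampered["p-1002"]["amount"] = 9800.5            # amount altered after approval
    del tampered["p-1003"]                           # record removed
    tampered["p-9999"] = {"payee": "Mallory Ltd", "amount": 5000.0, "currency": "EUR"}
    return verify_records(tampered, manifest)


if __name__ == "__main__":
    print(json.dumps(demo_tamper(), indent=2))
```

Verification with the wrong key reports every record as modified, which is the intended failure mode: a manifest that cannot be checked should not be trusted rather than silently pass.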
In order to improve data integrity, the adoption of best practices needs to be complemented by formalizing
accountabilities for data processes that support and enhance data security. For the ICT service environments,
the good practices for data integrity include [39]:
– Taking ownership of data and accountability for data integrity: When IT services and operations are outsourced, and likewise when they are provided in-house, it is easy to believe that the data are owned by the IT service providers. In this situation, the IT service provider is responsible for maintaining confidentiality and integrity. Ownership requires a value assessment that estimates the potential cost of lost data integrity, including direct financial losses (as in fraud or a major operational disruption), legal costs, and reputational damage.
– Access rights and privileges: The principles of "need to know" and "least privilege" are good practice and, in theory, are not difficult to apply. The social networking concept that everyone is an information producer encourages greater openness and sharing, which creates pressure to resist and challenge the implementation of these principles. The processes for requesting, changing, and removing access rights should be formalized, documented, regularly reviewed, and audited. It is common for organizations not to have a complete and up-to-date inventory of who has access and of the full list of user privileges.
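A periodic review of access rights is only as good as the inventory behind it. The following Python is an added example, not code from the report or from reference [39]; it reconciles an entitlement register (the output of the request/change/removal process) against an export of what systems actually grant, and flags the gaps the text describes: access nobody approved, approvals that expired but were never removed, approved access that was never provisioned (a sign the inventory is out of sync), and privileged roles held by shared accounts, which ties back to the untracked shared privileged passwords listed earlier. The register, export, account names, role names and the privileged-role classification are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:
    """One (user, system, role) triple, as it appears in both the register and the export."""
    user: str
    system: str
    role: str

# Assumed classification of privileged roles for the example.
PRIVILEGED_ROLES = {"admin", "dba", "root"}

# Constructed approved entitlements: what the formal access-request process authorized.
REGISTER = [
    {"user": "alice", "system": "payroll", "role": "reader", "expires": "2030-12-31"},
    {"user": "bob", "system": "payroll", "role": "dba", "expires": "2017-06-30"},
    {"user": "carol", "system": "crm", "role": "reader", "expires": "2030-12-31"},
    {"user": "svc-backup", "system": "payroll", "role": "admin", "expires": "2030-12-31"},
]

# Constructed export of what the systems actually grant today.
OBSERVED = [
    Grant("alice", "payroll", "reader"),
    Grant("alice", "payroll", "admin"),        # never requested or approved
    Grant("bob", "payroll", "dba"),            # approval expired, access never removed
    Grant("svc-backup", "payroll", "admin"),   # approved, but held by a shared account
]

# Accounts whose password is known to more than one person (constructed).
SHARED_ACCOUNTS = {"svc-backup"}


def reconcile(register, observed, shared, today: date,
              privileged=PRIVILEGED_ROLES) -> dict[str, list[Grant]]:
    """Compare approved entitlements with observed grants as of `today`."""
    approved = {
        Grant(e["user"], e["system"], e["role"]): date.fromisoformat(e["expires"])
        for e in register
    }
    report: dict[str, list[Grant]] = {
        "unapproved": [],          # observed, but no approval on record
        "expired": [],             # observed, approval past its expiry date
        "not_provisioned": [],     # approved and current, but not observed
        "shared_privileged": [],   # privileged role on an account with a shared password
    }
    observed_set = set(observed)
    for g in observed:
        if g not in approved:
            report["unapproved"].append(g)
        elif approved[g] < today:
            report["expired"].append(g)
        if g.role in privileged and g.user in shared:
            report["shared_privileged"].append(g)
    for g, expires in approved.items():
        if g not in observed_set and expires >= today:
            report["not_provisioned"].append(g)
    return report


if __name__ == "__main__":
    for finding, grants in reconcile(REGISTER, OBSERVED, SHARED_ACCOUNTS, date(2017, 9, 1)).items():
        print(finding)
        for g in grants:
            print(f"  {g.user}@{g.system}: {g.role}")
```

The review date is passed in explicitly so that a report can be reproduced later during an audit; the "expired" and "unapproved" buckets are the ones that need a removal ticket, while "not_provisioned" usually means the register itself is stale.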
Against transparency: Risks of open data
Open data is a growing class of available information assets that increasingly feeds big data analytics. It offers many business benefits, including strategy insights, market and trend awareness, and even direct monetization. Consumers of open data expose themselves to a variety of risks, as with the purchase of syndicated data from information brokers and the use of internal enterprise data.
A wide range of data can be put to use, from financial transactions with business partners to high-level information such as tacit knowledge or know-how, for example on how bumblebees respond to different flowers. Open data enables accountability if the facts are there for all to see. Open data empowers communities by giving them the facts about crime rates, educational achievement, social services, and so on. Open data even drives economic growth, as more small companies spring up that extract useful information from data. Open data may also lead to more accurate and better decisions, since a wider variety of interested parties have the opportunity to examine the facts.