Cyber Security Risks: Australian Blood Donation Company Ltd
Brief description of assessment task: This task requires you to demonstrate the ability to investigate security management issues in corporate organisations, based on the real-life case study outlined in the background information below, and to write a report.
In your report, you will be required to follow prescribed procedures to evaluate risk levels and the potential impact of threats and vulnerabilities for a real-life organisation.
You will be assessed on your ability to analyse the security requirements and objectives of the organisation as well as the efficacy of the risk management strategies that they’ve implemented.
Background information: Your report should be based on the following real-life case study:
The personal data including the addresses of more than half a million blood donors across Australia was compromised in a massive security breach at the Australian Red Cross that has been blamed on human error.
Following an Australian government enquiry, your security company has been hired to undertake a security analysis in relation to the incident and write a report about cyber security risks.
You can find details of the enquiry at:
Based on the findings of the enquiry, your task is to write a report that includes the following:
Assessment 2: individual problem-solving task 2
- A security risk assessment that addresses future cyber security risks, threats and vulnerabilities to the Australian Red Cross blood donor system (these can be technical or business risks).
- A business requirements analysis that assesses future business requirements of the Australian Red Cross, which may include technical, policy, human and governance aspects.
Executive Summary: Growing dependence on information technology has increased cyber security risk to the point where it is a business issue, not merely a technology one. As digitisation spreads through businesses, so do their vulnerabilities, unless these are managed adequately. To deal with such hazards, organisations must change their mindset: they must not only consider the risk but also take the action needed to mitigate it (Campbell, 2017). Like the Australian Red Cross Blood Service, the Australian Blood Donation Company Ltd. collects blood donations from the public and, for convenience, has published a website where potential and active donors enter their personal data. That system can succeed only if the organisation secures its data, which the Australian Red Cross blood donor system failed to do.
Security Risk Assessment: The Australian Blood Donation Company Ltd. has recently faced a serious cyber security incident that exposed the personal details of its donors. The data of around 100,000 donors was compromised, including personal and private details. To save on manpower, a website had been built where potential donors book an appointment by entering details about themselves, after which a day is allocated for the donation. That data, however, was left vulnerable: the company's IT service provider had saved a backup file of the database in a publicly accessible directory of a web server, without password protection, and the file was found and copied from there.
Like the Australian Red Cross Blood Service, the organisation was exposed to several cyber security risks and weaknesses. The first, very evident, risk is that the IT service provider's background was not checked beforehand. Had the provider's competence been verified initially, the leak would not have occurred and the organisation would have been spared the risk it now faces. Further, the contract should have set out written security requirements proportionate to the sensitivity of the information (Ringrosesiganto.com, 2017).
Although the incident cannot be termed a hack, it is rightly called a data leak: the file was unintentionally and accidentally made available on a public website, from where it was taken. It cannot be said, however, that the security system was not at fault, because the end result was that personal and highly intimate donor data were made available to the unknown public, and not even basic password protection had been applied to the file. Along with this, one of the most striking findings of the incident was that the IT service provider had no reason connected with the company's business to expose the User Acceptance Testing (UAT) environment to the public internet. Last but not least, the company had no security policy requiring data that was no longer needed to be deleted from the system (and obtained again on demand if required), which is why old data was leaked as well (Hunter et al., 2016).
It follows that handing the development and maintenance of the company website to a provider that is unreliable or lacks a good track record creates a major security risk, threat and vulnerability; the root cause was essentially human error, which cannot be ignored because it led to a large compromise. The entire security policy needs to be revisited, and adequate background checking of the IT service provider is a must before any such appointment.
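The control a practitioner would want against the failure described above is a routine check that nothing resembling a database backup or dump is sitting under a web server's document root, whether in production or in a UAT environment. The following is an added example written for this report, not code from the company, its IT service provider or the Blood Service; the directory layout, file names and dump contents it builds are constructed for the demonstration, and the list of suffixes and format signatures is an assumed starting set, not an exhaustive one.

```python
"""Added example: find database backups and dumps inside a web server document
root, the exposure pattern behind the incident discussed in this report.
Not the company's or the Blood Service's code; the sample tree is constructed."""
import os
import stat
import tempfile
from pathlib import Path

# File name endings that commonly belong to backups or database exports
# (assumed starting set; extend from your own backup tooling).
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".sqlite", ".db", ".tar.gz", ".zip")

# Leading bytes of common dump formats, so a renamed dump is still caught.
DUMP_SIGNATURES = (
    b"-- MySQL dump",
    b"-- PostgreSQL database dump",
    b"PGDMP",                 # pg_dump custom format
    b"SQLite format 3\x00",
)

# A directory with none of these is listable if the server enables autoindex.
INDEX_FILES = ("index.html", "index.htm", "index.php")


def looks_like_dump(path: Path) -> bool:
    """True if the file name or its first bytes mark it as a backup or dump."""
    if path.name.lower().endswith(BACKUP_SUFFIXES):
        return True
    try:
        with path.open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(DUMP_SIGNATURES)


def scan_docroot(docroot) -> list:
    """Walk a document root and report every backup-like file under it.

    Each finding records whether the containing directory lacks an index file
    and whether the file is world-readable on disk, which together describe
    how easily an outside scanner could discover and fetch it."""
    docroot = Path(docroot)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        directory = Path(dirpath)
        no_index = not any((directory / ix).exists() for ix in INDEX_FILES)
        for filename in filenames:
            file_path = directory / filename
            if not looks_like_dump(file_path):
                continue
            mode = file_path.stat().st_mode
            findings.append({
                "path": file_path.relative_to(docroot).as_posix(),
                "no_index_file": no_index,
                "world_readable": bool(mode & stat.S_IROTH),
                "size": file_path.stat().st_size,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_docroot() -> Path:
    """Constructed sample tree (no real data) mirroring the incident pattern:
    a UAT directory holding a MySQL dump and a renamed pg_dump file, no index."""
    root = Path(tempfile.mkdtemp(prefix="docroot-"))
    (root / "index.html").write_text("<html>donor booking</html>")
    (root / "assets").mkdir()
    (root / "assets" / "style.css").write_text("body {}")
    (root / "assets" / "notes.txt").write_text("release notes")
    uat = root / "uat"
    uat.mkdir()
    (uat / "donors_backup.sql").write_bytes(
        b"-- MySQL dump 10.13\nCREATE TABLE donors (id INT);\n")
    # Custom-format pg_dump renamed to hide it; caught by its signature.
    (uat / "export.dat").write_bytes(b"PGDMP\x01\x0e\x00" + b"\x00" * 32)
    return root


if __name__ == "__main__":
    for finding in scan_docroot(build_sample_docroot()):
        print(finding)
```

Run against the real document root of each web server (production and UAT alike) from a scheduled job; any finding is a hard failure, because a backup has no business reason to live under a web root at all, regardless of whether directory listing or a password happens to be in place.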
Business Requirements: As its name says, the Australian Blood Donation Company Ltd. is engaged not only in collecting blood and giving it to those in need; it also works to strengthen the healthcare sector of Australia as a whole. The leak, together with the increasing number of people willing to donate blood each year, makes it compulsory for the company to revisit its security, technical and governance policies annually and whenever any discrepancy arises.
After the recent crisis, the company's first priority should be analysing the technical side of the system and revisiting its contracts with the IT service provider. Beyond that, as the Red Cross did, the company should review its compliance with Australian Privacy Principle (APP) 11.2, which requires an entity to take reasonable steps to destroy or de-identify personal information it no longer needs for any purpose for which it may be used or disclosed. This must be done meticulously: because a blood donor has to disclose a great deal of sensitive information, this technical policy change is a must for the business (Office of the Australian Information Commissioner, 2017).
After the IT service provider's negligent act, the company must formulate a Third Party Management policy manual, together with a standard operating procedure, to ensure proper vigilance over suppliers. Further, after appointing a service provider the company should in future update its template agreement so that it keeps including data security and privacy requirements. One of the most important inclusions after this mishap is to limit the data collected on the website, in particular the 'risky behaviour' question, so that even if an error occurs the company is not left in the vulnerable and compromising position it is in now.
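The two technical requirements above, destroying or de-identifying records once they are no longer needed (APP 11.2) and collecting less on the website in the first place, can be expressed as code so that they run as part of the system rather than remaining a policy statement. The following is an added example written for this report, not code from the company or the Blood Service; the seven-year retention period, the field names, the keyed-pseudonym design and the sample records are all assumptions made for the demonstration.

```python
"""Added example: APP 11.2-style retention (de-identify what is no longer needed)
and collection minimisation for a donor booking system. Illustrative only, not
the company's code; retention period, field names and records are assumptions."""
import hashlib
import hmac
from datetime import date

RETENTION_YEARS = 7  # assumed period; take the real value from the records schedule

# Fields that directly identify a donor, or that are sensitive answers, and so
# must not survive once the record is no longer needed for its purpose.
DIRECT_IDENTIFIERS = ("donor_id", "name", "address", "email", "phone", "date_of_birth")
SENSITIVE_ANSWERS = ("risky_behaviour",)

# Only what the website needs to book an appointment; everything else (such as
# the risky-behaviour answers) is asked at the donation interview instead.
BOOKING_FIELDS = ("name", "email", "phone", "preferred_date", "centre")


def retention_cutoff(today: date, years: int = RETENTION_YEARS) -> date:
    """Same calendar date `years` ago, mapping 29 February onto 28 February."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


def de_identify(record: dict, secret: bytes) -> dict:
    """Strip identifiers and sensitive answers, keeping a keyed pseudonym so
    aggregate statistics can still link repeat donations without naming anyone.
    The HMAC key must be stored separately from the data for this to hold."""
    kept = {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS and k not in SENSITIVE_ANSWERS}
    digest = hmac.new(secret, record["donor_id"].encode(), hashlib.sha256).hexdigest()
    kept["donor_ref"] = digest[:16]
    return kept


def apply_retention(records: list, today: date, secret: bytes) -> list:
    """Return a new record set in which every donor whose last donation is older
    than the cutoff is de-identified; everything else passes through unchanged."""
    cutoff = retention_cutoff(today)
    return [de_identify(r, secret) if r["last_donation"] < cutoff else r
            for r in records]


def minimise_booking(submission: dict) -> dict:
    """Drop any submitted field the booking step does not need, so a leak of the
    web tier cannot expose answers that belong at the donation interview."""
    return {k: v for k, v in submission.items() if k in BOOKING_FIELDS}


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"donor_id": "D-1001", "name": "A. Donor", "address": "1 Example St",
     "email": "a@example.invalid", "phone": "0400000001",
     "date_of_birth": date(1980, 1, 1), "blood_type": "O+",
     "risky_behaviour": "no", "last_donation": date(2010, 3, 1)},
    {"donor_id": "D-1002", "name": "B. Donor", "address": "2 Example St",
     "email": "b@example.invalid", "phone": "0400000002",
     "date_of_birth": date(1990, 6, 15), "blood_type": "A-",
     "risky_behaviour": "no", "last_donation": date(2017, 11, 5)},
]

if __name__ == "__main__":
    for row in apply_retention(SAMPLE_RECORDS, date(2018, 4, 17), b"example-key"):
        print(row)
```

The retention job should run against the live database and every backup copy of it; the incident shows that a backup containing records back to 2010 is just as exposed as the primary store, so a retention rule that only touches production does not satisfy the requirement.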
Many corporates now see blood donation as a way to support their sustainability programs. We are joining hands with various organisations so that blood donation camps can be organised and those interested in donating can come forward. Like Telstra, many companies provide, as part of their sustainability program, a day on which employees work towards a cause for the benefit of the community, and blood donation is one such cause. Telstra, for example, is associated with the Australian Red Cross and gives employees paid leave for the day on which they donate blood there, encouraging them to take part in such activities; it also often agrees to make payments on behalf of employees (Telstra.com, 2018). The Australian Blood Donation Company Ltd. must likewise approach such entities, by formulating adequate human and governance policies, so that they include this noble cause in their internal business plans.
Conclusion: On a concluding note, although a breach occurred through the negligence of the IT service provider, it should not deter donors from donating blood. The company is taking all suitable measures and revising its policies so that such a mishap does not happen again. Moreover, blood donation has become part of the business needs of many companies, as it helps them accomplish the sustainability goals and programs mandated by their policies. Technology has brought risks and a greater volume of vulnerabilities, yet it has made the conduct of business easier; adequate security measures will therefore ensure that business associations grow while privacy is maintained.
Campbell, N. (2017). Cyber-Security Is A Business Risk, Not Just an IT Problem. Available at https://www.forbes.com/sites/edelmantechnology/2017/10/11/cyber-security-is-a-business-risk-not-just-an-it-problem/#3f0e06087832 (Accessed 17 April 2018)
Hunter, F., McIlroy, T., & Spooner, R. (2016). Red Cross data leak: personal data of 550,000 blood donors made public. Available at https://www.smh.com.au/politics/federal/red-cross-data-leak-personal-data-of-550000-blood-donors-made-public-20161028-gscwms.html (Accessed 17 April 2018)
Office of the Australian Information Commissioner (2017). DonateBlood.com.au data breach (Australian Red Cross Blood Service). Available at https://www.oaic.gov.au/resources/privacy-law/commissioner-initiated-investigation-reports/donateblood-com-au-data-breach-australian-red-cross-blood-service.pdf (Accessed 17 April 2018)
Ringrosesiganto.com (2017). Case Study: Australian Red Cross Blood Service data breach: The value of good communications. Available at http://www.ringrosesiganto.com.au/resources/case-study-australian-red-cross-blood-service-data-breach-the-value-of-good-communications/ (Accessed 17 April 2018)
Telstra.com (2018). Community & Environment. Available at https://www.telstra.com.au/aboutus/community-environment/volunteering-giving (Accessed 17 April 2018)