Final Exam Questions
1. How would you communicate a data security policy that required software checking of employees’ emails?
2. What elements should a data security policy for a bank include?
3. Employee data theft most frequently occurs with new employees or when an employee has given notice and is leaving. How would you deal with these two very different issues?
Case Study: Data Security
Communicating a Data Security Policy
If I were put in charge of communicating a data security policy that required software checking of employees’ emails, the first thing I would do would be to make sure I fully understand the policy myself. I would be unable to effectively communicate the new policy to the employees if I did not fully understand it myself; if I had any questions about the policy, I would speak to the human resources professional in charge of the policy for clarification. Once I had a full understanding of the policy, I would set up employee meetings by department.
I would begin each meeting by discussing risk management; I would explain that risk management “involves responsibilities to consider physical, human, and financial factors to protect organizational and individual interests” and that the goal is to not only protect company information, but also employee information (Mathis, Jackson, & Valentine, 2014, p. 482). Once I ensured that the employees understood risk management I would then introduce the data security policy that utilizes software checking of employees’ emails. I would describe the policy completely and inform the employees that the policy is being put in place to prevent both company and personal data from being stolen or leaked. I would then open the floor to any questions the employees had on the new policy. Once all the questions had been answered I would pass out a form for all the employees to sign and date stating that they understood the policy and gave their consent to the company. To ensure that future employee meetings to discuss the policy are not required, I would add the policy to all future employment contracts.
Elements of a Bank’s Data Security Policy
When considering the elements needed for a data security plan for a bank, it is important to first understand what a data security policy is. A data security policy is defined as:
“A set of policies issued by an organization to ensure that all information technology users within the domain of the organization or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the network or within the organization's boundaries of authority” (Techopedia, n.d.).
Understanding that the data security policy is in fact not just one policy, but a set of policies, means that different policies can be written for the various areas of risk management. For instance, one policy should be written to allow the data security program to determine the vulnerabilities in the bank’s internal and external software. Another security policy should be created to deal with the vulnerabilities found in the bank’s internal security and another for the bank’s external security. A separate policy should be written to help reduce data security problems that come with human error; this policy would involve training the bank’s employees in computer security. The data security program should also include a data recovery program or a data backup that allows the bank to recover information or have access to uncorrupted data in the event of a virus or data corruption. Lastly, there needs to be a policy that focuses on the risk management of the employees themselves; this policy would need to factor in the health, safety, and security of the bank’s employees in order to determine the risk factor of each employee. The employees with higher risk factors would require extra data security or monitoring based on the elements of their high risk level.
Employee Data Theft Solutions
Employee data theft most frequently occurs with new employees or when an employee has given notice and is leaving. These two issues, while very different, can be dealt with in a similar manner. A data security policy is “often considered to be a living document, meaning that the document is never finished, but is continuously updated as technology and employee requirements change” (TechTarget, n.d.). This means that the data security policy can be updated to factor in data theft from new employees as well as employees who are leaving the company or organization.
When dealing with new employees, the data security policy would be updated to factor in a higher risk factor for the first six months of employment. This would mean that all new employees would be on a type of probation for the first six months where they would be monitored more closely than other employees. For the first six months the employees would also not be allowed to bring work materials home or burn any sort of data to a disk, flash drive, or any other type of storage without direct authorization from a human resources professional. After the six-month period had passed, each employee’s risk level would be reevaluated to determine if the employee’s extra monitoring could be stopped or if it was still needed due to an elevated risk level. All employment contracts would be written to include the fact that all employees agree to allow the employer to observe and monitor their data usage while at work; the contract would clearly outline the fact that employees could be fired for insider trading, industrial espionage, and/or sharing of confidential information.
Employees that had given their notice, were being laid off, or fired, would present an increased risk level for data theft based off of their reason for leaving and where they were going. For instance, a pregnant woman or mother/father who was leaving to become a stay-at-home parent would not present as high a risk level as an employee that was leaving for a position at a rival company. Based on the risk level of the employee, different security policies would need to be implemented to protect the company from data theft. In the same way that new employees receive an increased level of security monitoring during their first six months of employment, so would the employees that were leaving for the remainder of their employment. This would mean that they would be unable to copy data or bring home documents without authorization and their computers would have an extra daily security sweep to look for viruses, computer tampering, and/or deletion of important data. If the employee did any of these actions without authorization, a full investigation would be performed with possible legal action depending on the findings of the investigation.
Mathis, R. L., Jackson, J. H., & Valentine, S. (2014). Human resource management (14th ed.). Singapore: Cengage Learning Editores.
Techopedia. (n.d.). Information Security Policy. Retrieved from
TechTarget. (n.d.). Security Policy. Retrieved from