Cybersecurity Management and Data Protection Standards
Employee Lifecycle Security Phases
- Recruitment: The organization checks the applicant’s qualifications, references, and background before hiring. The security concern is reducing insider threats and hiring trustworthy employees.
- Onboarding: The employee is officially added to company systems such as payroll and benefits. The security concern is making sure organizational policies and agreements are properly completed.
- User Provisioning: The employee receives accounts, devices, badges, and system access permissions. The security concern is giving only the required access and following the principle of least privilege.
- Orientation: The employee learns about the company, coworkers, job responsibilities, and security policies. Security awareness and training are important to reduce human errors and unsafe behavior.
- Career Development: The employee grows within the organization and may receive new responsibilities or access rights. The security concern is regularly reviewing permissions and ensuring continued compliance with policies.
- Termination: When the employee leaves the organization, all accounts, devices, badges, and access rights must be removed immediately. The security concern is preventing unauthorized access, data theft, or sabotage after leaving.
Data-Handling Standards Comparison
Protected data requires the highest level of security with strict access control, encrypted storage and transmission, and secure disposal. Confidential data requires restricted access and secure handling procedures. Internal data is used within the organization and protected using standard internal security controls. Data-handling standards differ based on access control, storage, transmission, and disposal requirements.
Key Cybersecurity Terminology
- Multilayer Security: Multilayer security means using more than one security measure to protect systems and data. If one layer is bypassed, the other layers still help protect the organization.
- Standard Operating Procedures (SOPs): Standard operating procedures are clear step-by-step instructions that explain how tasks should be done. They help employees perform security tasks correctly and consistently.
- Reclassification Process: Reclassification is changing the classification level of information when its importance or sensitivity changes. Data can be upgraded or downgraded depending on the situation.
- Multifactor Authentication (MFA): Multifactor authentication requires a user to verify their identity using two or more methods, such as a password and a fingerprint. This provides stronger security than using only a password.
- Data Replication: Data replication means creating copies of data and storing them in different locations or systems. This helps improve availability and recovery if data is lost or damaged.
Evolution of Hacking Phases
- Phase 1: In the first phase, hacking had a positive meaning and was connected to the joy of programming. Hackers were creative programmers who wrote clever and innovative programs.
- Phase 2: In the second phase, hacking became associated with breaking into systems without authorization. Criminals began using hacking for illegal activities such as stealing information and attacking organizations.
- Phase 3: In the third phase, hacking became more advanced with the growth of the internet and mobile devices. Attacks became organized and included threats such as phishing, botnets, malware, and denial-of-service attacks.
The CIA Triad Principles
- Confidentiality: Confidentiality means protecting information from unauthorized access or disclosure. Only authorized people should be able to view sensitive information.
- Integrity: Integrity means ensuring that information remains accurate and is not changed without authorization. Data should only be modified by authorized users in an approved way.
- Availability: Availability means ensuring that systems and data are accessible to authorized users whenever needed. Information and services should remain available and reliable.
Access Control Models and Concepts
- Authorization: Authorization is the process of giving authenticated users permission to perform specific actions or access certain resources. The authorization model defines how these permissions are assigned and controlled.
- Mandatory Access Control (MAC): MAC is an access control model where permissions are defined by organizational policy and cannot be changed by users or owners. Access is based on security labels, classifications, and clearance levels.
- Discretionary Access Control (DAC): DAC is an access control model where the owner of the resource decides who can access it. The owner uses access control lists (ACLs) to allow or deny access to specific users.
- Role-Based Access Control (RBAC): RBAC gives users permissions based on their job role or function within the organization. Administrators assign permissions to roles instead of assigning permissions to each individual user.
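To make the three models concrete, here is a small added example (not from the page's source course or any product) that encodes each model as a check: MAC compares a fixed classification label against a clearance, DAC lets only the owner edit an ACL, and RBAC maps roles to permissions. The classification ordering, user names, roles and permission strings are constructed for illustration; the MAC rule shown (read only at or below your clearance) is one hypothetical policy, not the only possible one.

```python
# Added example: contrasting MAC, DAC and RBAC decisions in one small engine.
from dataclasses import dataclass, field

# Classification labels ordered low to high so a label can be compared
# against a clearance (constructed ordering of the page's private-sector levels).
LEVELS = {"Public": 0, "Internal Use": 1, "Confidential": 2, "Protected": 3}


@dataclass
class Resource:
    owner: str
    label: str                               # MAC: organization-assigned label
    acl: dict = field(default_factory=dict)  # DAC: {user: {"read", "write"}}


# MAC: the rule is set by policy; neither the user nor the owner can override it.
# Hypothetical rule: a subject may read objects only at or below its clearance.
def mac_allows(clearance: str, res: Resource) -> bool:
    return LEVELS[clearance] >= LEVELS[res.label]


# DAC: only the resource owner may change the ACL; other callers are refused.
def dac_grant(actor: str, res: Resource, user: str, perm: str) -> bool:
    if actor != res.owner:
        return False
    res.acl.setdefault(user, set()).add(perm)
    return True


def dac_allows(user: str, res: Resource, perm: str) -> bool:
    return user == res.owner or perm in res.acl.get(user, set())


# RBAC: permissions are attached to roles, and users receive roles.
ROLE_PERMS = {
    "payroll_clerk": {"payroll:read"},
    "hr_manager": {"payroll:read", "payroll:write"},
}


def rbac_allows(user_roles: set, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)


if __name__ == "__main__":
    doc = Resource(owner="alice", label="Confidential")
    print("MAC, clearance Internal Use:", mac_allows("Internal Use", doc))  # False
    print("DAC, bob tries to grant:", dac_grant("bob", doc, "carol", "read"))  # False
    dac_grant("alice", doc, "carol", "read")
    print("DAC, carol read:", dac_allows("carol", doc, "read"))  # True
    print("RBAC, clerk write:", rbac_allows({"payroll_clerk"}, "payroll:write"))  # False
```

Note that a real authorization layer typically combines these: a MAC label check that policy forbids overriding, plus an RBAC or DAC decision on top of it, so passing one model's check alone is not sufficient.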
Private Sector Data Classification Levels
- Protected: Data protected by law, regulation, contracts, or management discretion. Unauthorized disclosure could cause serious harm. Examples include Social Security numbers and other non-public personal information.
- Confidential: Data that is important to the organization’s operations. Loss or unauthorized disclosure could cause financial, legal, or reputational damage. Examples include business strategies and employee records.
- Internal Use: Data used for normal company operations. Unauthorized disclosure may negatively affect the business. Examples include policy documents and procedure manuals.
- Public: Information intended for public access and distribution. Examples include annual reports and product documentation.
Systems Development Life Cycle (SDLC) Phases
- Initiation Phase: The organization identifies the need for a system and defines its purpose. During this phase, the information is evaluated for confidentiality, integrity, and availability (CIA) requirements, and security roles and responsibilities are assigned.
- Development/Acquisition Phase: The system is designed, developed, or purchased. Security requirements are analyzed, risk assessments are performed, and security controls and testing become part of the project plan.
- Implementation Phase: The system is installed, configured, and tested before being placed into operation. Security features are enabled and tested, and the system must receive authorization or certification before use.
- Operational/Maintenance Phase: The system is actively used and maintained. The organization continuously monitors system performance and regularly tests security controls to ensure continued effectiveness.
- Disposal Phase: The system or its components are retired or replaced. Information must be archived properly, media sanitized, and hardware disposed of according to organizational security policies.
