My Btec Information Technology Work 3

The document outlines internal and external threats to data within an organization, emphasizing the importance of staff education, security training, and access controls to mitigate risks. It also discusses procedures for preventing phishing attacks, utilizing biometrics for security, and ensuring compliance with legal and ethical standards. The charity aims to maintain transparency, protect sensitive information, and foster a culture of accountability among employees and stakeholders.

Uploaded by ritikajakka

Describe internal and external threats to data and information in an organisation. (P6)
Internal
An internal threat is the possibility that someone working for the organisation will take
advantage of a vulnerability in a system to steal data or cause harm. Consider, for example,
a worker attempting to gain unauthorised access to donors' financial and personal data.

To mitigate this risk, the charity shall implement the range of strategies listed below.
 Educate all staff members about phishing, pharming, blagging and other online frauds that
are commonly used against charities.
 Provide regular security training to staff.
 Require multi-factor authentication, so that an employee's identity is confirmed before
access to applications is authorised.
 Establish a whistle-blowing procedure, so that staff can report immoral or unlawful
activity to higher authority.
 Post persistent reminders to stay alert to attacks and to take care.
 Maintain good relations with employees and other stakeholders, so that conflicts do not
turn into insider threats.
 Monitor for unusual login patterns and repeated failed login attempts.
 Keep an audit trail (a digital record of which data files were viewed, by whom and from
where) so that the point of access where a system or asset was compromised can be traced.
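The last two bullets describe detection work that can be automated. The script below is an added example, not part of the original assignment: it parses constructed log lines in a hypothetical format (the format, the user names and the IP addresses are assumptions), flags a burst of failed logins for one user and source address, flags successful logins outside an assumed working day, and reconstructs the digital trail for one sensitive file so that a viewing can be traced back to its source address and linked to any preceding failed-login burst.

```python
"""Failed-login burst detection, off-hours login detection and a file-access trail
over constructed log lines. Added example; the log format below is an assumption
(adjust LINE_RE to the real system's format)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for a fictitious charity system (not real data).
# Format (assumed): <ISO timestamp> <event> user=<name> ip=<addr> [file=<path>]
SAMPLE_LOG = """\
2024-03-04T09:02:11 LOGIN_OK user=amira ip=10.0.0.12
2024-03-04T09:05:40 FILE_VIEW user=amira ip=10.0.0.12 file=/donors/2024/bank_details.csv
2024-03-04T22:14:03 LOGIN_FAIL user=jon ip=203.0.113.9
2024-03-04T22:14:09 LOGIN_FAIL user=jon ip=203.0.113.9
2024-03-04T22:14:15 LOGIN_FAIL user=jon ip=203.0.113.9
2024-03-04T22:14:21 LOGIN_FAIL user=jon ip=203.0.113.9
2024-03-04T22:14:27 LOGIN_FAIL user=jon ip=203.0.113.9
2024-03-04T22:15:02 LOGIN_OK user=jon ip=203.0.113.9
2024-03-04T22:16:30 FILE_VIEW user=jon ip=203.0.113.9 file=/donors/2024/bank_details.csv
2024-03-05T10:30:00 LOGIN_OK user=jon ip=10.0.0.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) ip=(?P<ip>\S+)(?: file=(?P<file>\S+))?$"
)


def parse(log_text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (user, ip, count) once per source that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for e in events:
        if e["event"] != "LOGIN_FAIL":
            continue
        key = (e["user"], e["ip"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((e["user"], e["ip"], len(q)))
    return alerts


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside the assumed working day (08:00 to 18:00)."""
    return [(e["user"], e["ip"], e["ts"].isoformat())
            for e in events
            if e["event"] == "LOGIN_OK" and not (start_hour <= e["ts"].hour < end_hour)]


def file_access_trail(events, path):
    """Digital trail for one file: who viewed it, from which address, and whether that
    user/address pair had just produced a failed-login burst."""
    bursts = {(u, ip) for u, ip, _ in failed_login_bursts(events)}
    trail = []
    for e in events:
        if e["event"] == "FILE_VIEW" and e["file"] == path:
            trail.append({"user": e["user"], "ip": e["ip"], "when": e["ts"].isoformat(),
                          "after_failed_burst": (e["user"], e["ip"]) in bursts})
    return trail


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(ev))
    print("off-hours logins:", off_hours_logins(ev))
    print("trail:", file_access_trail(ev, "/donors/2024/bank_details.csv"))
```

On the sample, the five failures for jon from 203.0.113.9 inside 24 seconds raise one burst alert, the 22:15 login is flagged as off-hours, and the trail for the donor bank-details file shows that jon viewed it from the same address immediately after the burst, which is exactly the point of access an investigator would want to start from.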

These policies stop employees from making themselves vulnerable to such attacks and
unknowingly bringing threats into the charity. Research also indicates that phishing is
responsible for 80% of recorded incidents, making it the most common cause of data
breaches. Therefore, our main responsibility moving forward should be to provide Huggson
charity with training that educates all staff members about phishing.
Some employees, on the other hand, do not deliberately contribute to the internal risk.
They may pose a risk for other reasons, such as insufficient training on safety protocols
or on how to protect themselves.
Additionally, some workers may unintentionally damage their devices by leaving them
unattended or by spilling coffee or other liquids on them. This can lead to interruptions
or loss of data, which makes it harder for the organisation to move information between
its IT platforms.
External
External security risks come from outside the walls of the organisation and are started by
individuals who are not connected to it. Individuals, as well as the organisation, may be
the target of external threats.
Shoulder surfing ("shouldering") is one example. Shouldering is the act of obtaining
personal information by physically watching a device's screen or keyboard.
This type of threat typically comes from unfamiliar individuals. For example, shouldering
can occur when an employee is buying cleaning supplies or other items for the charity from
a store and pays by entering the card PIN or the charity's financial details. Staff must
therefore be careful when handling sensitive data in public, as they can be exposed to
shouldering.
Below are precautions and policies that Huggson charity will be encouraged to implement in
order to stay aware of and prevent outsider (external) threats:
 Expire the credentials of employees or stakeholders who have left the charity, so that
former insiders cannot become external threats.
 Block spam, phishing scams and harmful attachments from outside sources by using an
email filtering system.
 Create and maintain an incident response plan that specifies what should be done in the
event of a cybersecurity incident.
 Secure the Wi-Fi network so that non-charity users cannot join it: use WPA2 or WPA3 with
a strong passphrase, since an unsecured Wi-Fi network is open to attack.
 Enable MAC address filtering on the network. Every network device has a MAC address,
which helps administrators keep track of the devices on the network and keep unlisted
devices out. Note that an attacker can copy a permitted MAC address, so filtering is a
supplementary control and not a replacement for Wi-Fi encryption.
 Use a virtual private network (VPN) when transferring data and communicating online,
especially when gaining remote access to the organisation's network.
 Seek advice and collaboration from cybersecurity experts or consulting firms about
outsider threats to be wary of.
[P6]
Describe procedures to be implemented in an organisation to allow them
to protect data and information. (P7)
Phishing attacks and how they can be prevented:
Phishing attacks are one of the most common kinds of cyberattack worldwide, and they affect
non-profit organisations as well as businesses.
 Phishing uses fraudulent messages that impersonate a trusted party in order to trick
staff into revealing credentials or sending money. To combat this, our team will train
staff to check any request for payment or financial details before acting on it: confirm
with colleagues through a known contact (not the details given in the message) whether
the charity really owes the money or has not received a payment, and check the website
the message points to before entering anything.
 Make sure staff members carefully review any unusual file attachments to establish
whether they were asked for or expected; otherwise there is a risk of viruses or other
malicious software being introduced, endangering personal and charitable data.
 Train staff to recognise phishing attempts from poor spelling and grammar. Reputable,
well-established organisations usually use formal business language and correct their
typos, although this is only one clue and a well-written message can still be a phish.
 To make sure they understand the repercussions of their conduct and are not tricked by
fake websites, employees will receive in-depth instruction on rules and regulations.
Threat identification strategies will be covered in this training.
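Some of the checks staff are trained to make by eye can also be run mechanically on an incoming message. The script below is an added example, not part of the original assignment: it takes a constructed HTML email and attachment list (the message, the charity domain huggson-charity.org and the attachment names are all assumptions), and flags links whose visible text points to a different host than the real destination, hosts that imitate the charity's domain with digit-for-letter swaps or by burying it inside a foreign domain, plain-HTTP links, and attachments with a hidden executable extension.

```python
"""Mechanical phishing checks over a constructed email. Added example; the trusted
domain, sample message and attachment names are assumptions."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"huggson-charity.org"}   # assumed real domain of the charity

# Constructed sample message (not a real email).
SAMPLE_HTML = """
<p>Dear Staff, your payment to the supplier is overdue. Please confirm here:
<a href="http://huggs0n-charity.org.example-pay.net/login">https://huggson-charity.org/finance</a>
or <a href="https://huggson-charity.org/intranet">the intranet</a>.</p>
"""
SAMPLE_ATTACHMENTS = ["invoice.pdf.exe", "agenda.docx"]

# Extensions that run code when opened; a document name ending in one of these is a red flag.
RISKY_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "ps1", "lnk"}
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data      # text may arrive in several chunks

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def extract_links(html):
    p = _LinkCollector()
    p.feed(html)
    return p.links


def host_of(url_or_text):
    """Hostname of a URL, or of bare text such as 'huggson-charity.org/finance'."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def looks_like_trusted(host):
    """True when a non-trusted host imitates a trusted one: digits swapped for letters
    (huggs0n) or the trusted name used as a sub-label of some other domain."""
    norm = host.lower().translate(_HOMOGLYPHS)
    return any(d in norm for d in TRUSTED_DOMAINS) and not is_trusted(host)


def check_links(html):
    findings = []
    for href, text in extract_links(html):
        real_host = host_of(href)
        shown = text.strip()
        if URL_LIKE.match(shown) and host_of(shown) != real_host:
            findings.append(("link_text_mismatch", shown, real_host))
        if looks_like_trusted(real_host):
            findings.append(("lookalike_domain", real_host))
        if urlparse(href).scheme == "http":
            findings.append(("plain_http", real_host))
    return findings


def check_attachments(names):
    findings = []
    for n in names:
        parts = n.lower().split(".")
        if len(parts) >= 2 and parts[-1] in RISKY_EXT:
            kind = "double_extension" if len(parts) >= 3 else "executable_attachment"
            findings.append((kind, n))
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_HTML) + check_attachments(SAMPLE_ATTACHMENTS):
        print(f)
```

The sample produces three link findings for the first anchor (its visible text names the charity's own site while the destination is huggs0n-charity.org.example-pay.net over plain HTTP) and none for the genuine intranet link, plus one finding for invoice.pdf.exe. The host check here treats anything under a trusted domain as trusted; a real deployment would use the public suffix list rather than string suffixes.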

Biometrics and its benefits
Promoting biometric usage is a smart way to raise awareness of data security, and it can be
applied at many charity events. A biometric is a measurable physical attribute or individual
behavioural feature that is used to identify a person or to verify their claimed identity.
Biometrics include fingerprints, iris scans and facial images.
One advantage of biometric technology is its ability to stop shoulder surfing. Biometrics
identify people using behavioural or physical traits such as voice, facial features or
fingerprints. Many devices, such as laptops, tablets and smartphones, have biometric sensors
built in that let users unlock their devices or accounts by scanning a fingerprint.
 By removing the need to type PINs or passwords, this lowers the possibility of shoulder
surfing.
 Introducing biometric verification for staff members accessing private or sensitive data
may significantly improve the charity's security.
 There is less likelihood of unauthorised parties accessing private information because
each person's biometric data is distinct and cannot be shared or written down. For
example, two employees cannot have precisely the same fingerprint, which lowers the
possibility of a credential breach.
 Since employees no longer have to spend time changing passwords, investing in biometrics
increases efficiency and saves time.
However, it is crucial to recognise that putting biometric technologies into practice may be
an expensive undertaking, so the organisation should consider investing in biometrics
progressively as it grows. Two further cautions apply: a fingerprint or face cannot be
changed if the stored template is stolen, so templates should be kept on the device or
stored in protected form rather than as raw images; and biometric readers have a non-zero
false acceptance rate, so biometrics work best as one factor alongside another rather than
on their own.

How to ensure data and information is handled carefully around employees:
Staff maintenance and employee relations are important factors to take into account when
making sure the charity is safe, because they can result in security problems. For example,
if a worker leaves the charity under unfavourable conditions, they may try to reveal or
misuse private information. A departing employee's motives might not always be good, even if
they part ways amicably.
To address this we shall limit the number of staff members who have access to sensitive data
by implementing access controls. By guaranteeing that staff members only have access to the
information required for their jobs (the principle of least privilege), this approach
improves security.
Role-based access controls can help us reduce the likelihood that employees will reveal or
misuse personal information. These security measures protect the sensitive data that belongs
to the organisation and also preserve the confidence of the charity's stakeholders, donors
and beneficiaries.
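The role-based access control described here, and the earlier point about expiring the credentials of leavers, can be shown in code. The block below is an added example, not part of the original assignment: the roles, resources, permissions and user directory are assumptions for a hypothetical charity system. Anything not explicitly granted to one of a user's roles is denied, every decision is recorded so that denied attempts can be reviewed, and removing a leaver's roles makes every later request fail.

```python
"""Role-based access control with deny-by-default and an audit record of every
decision. Added example; roles, resources and users are assumptions."""
from datetime import datetime, timezone

# Permissions are granted per role; anything not listed is denied.
ROLE_PERMISSIONS = {
    "finance_officer": {"donor_bank_details": {"read"}, "donor_contact": {"read"}},
    "fundraiser":      {"donor_contact": {"read", "update"}},
    "volunteer":       {},                         # no access to donor data at all
    "it_admin":        {"audit_log": {"read"}},    # runs the systems, does not see donor data
}

# Assumed user directory: a user may hold several roles.
USER_ROLES = {
    "amira": {"finance_officer"},
    "jon":   {"fundraiser"},
    "sam":   {"volunteer"},
    "priya": {"it_admin"},
}

AUDIT_LOG = []   # one entry per decision, allowed or not


def is_allowed(user, resource, action):
    """Deny-by-default check: allowed only if some role of the user grants this action."""
    roles = USER_ROLES.get(user, set())            # unknown user -> no roles -> denied
    decision = any(action in ROLE_PERMISSIONS.get(r, {}).get(resource, set()) for r in roles)
    AUDIT_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "user": user, "resource": resource, "action": action, "allowed": decision,
    })
    return decision


def revoke_user(user):
    """Leaver process: strip every role so that all later requests are denied."""
    USER_ROLES.pop(user, None)


def denied_attempts(user=None):
    """Audit trail of refused requests, optionally for one user."""
    return [e for e in AUDIT_LOG if not e["allowed"] and (user is None or e["user"] == user)]


if __name__ == "__main__":
    print(is_allowed("amira", "donor_bank_details", "read"))   # finance officer: allowed
    print(is_allowed("jon", "donor_bank_details", "read"))     # fundraiser: denied
    revoke_user("amira")
    print(is_allowed("amira", "donor_bank_details", "read"))   # after leaving: denied
    print(denied_attempts())
```

Note that the IT administrator cannot read donor bank details: administering systems and reading the data they hold are separate permissions, which is the point of least privilege.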

We ensure the cyber-safety and security of our stakeholders by encouraging the further
policies below:
 Never give out personal information online, such as name, address, photo or other
details, including usernames and passwords.
 Provide supervision, direction and training for activities that require the Internet.
 Employees and stakeholders must use extreme caution when opening e-mail attachments
received from unknown senders, which may contain malware.
 Do not reveal your account password to others or allow others to use your account. This
includes family and other household members when work is being done at home.
 You must not post personal, sensitive, confidential or classified information, or
disseminate such information in any way that may compromise its intended use or audience.
 Never reply to abusive e-mails.
 Never reply to someone you do not know.

[p7]
Describe procedures to be implemented in an organisation to allow them to operate
in legal, moral, and ethical ways. (P8)
There are several ways in which the charity can promote lawful operation.
Privacy regulations constitute a significant body of law, since they shield a variety of
data, including donor bank account information, from abuse or public disclosure. Our staff
will adhere to these regulations, and we will protect donor financial information by using
security methods such as biometrics and authentication.
In accordance with applicable regulations, we will also help secure the licences and
permissions needed for rescue, shelter or adoption activities and ensure that they are kept
up to date and not allowed to expire. The charity should consider consulting legal experts
routinely to stay abreast of regulatory developments and to deal promptly with any legal
concerns.
Stated below are our overall legal policies, and we expect compliance from all employees
and other stakeholders:
 No attempting to access confidential information without authorisation (unauthorised
access).
 New software should be checked with IT professionals before being downloaded.
 Comply with laws protecting consumers from unfair or deceptive practices.
 Stakeholders must comply with our health and safety regulations, as failure to do so may
result in harm and financial penalties.
 Information such as financial information and other donor records remains confidential;
failure to keep it so will result in fines and penalties.
 No fraudulent offers of products, items or services may be made by the charity.
 All computing devices must be secured with a password-protected screensaver that activates
automatically after 30 minutes or less. You must lock the screen or log off whenever the
device is unattended.
 Accessing illegal websites or taking part in illegal online activity is unacceptable and
illegal.
 The charity will educate staff members and other interested parties on legal compliance.
Because these training sessions raise awareness and provide instruction, they help ensure
compliance with legal processes by making employees aware of the serious repercussions of
engaging in illicit action inside the organisation.

Consequences and what can be done if the policy is not complied with:
 First, gather all the pertinent details on the event or circumstance. This may require
obtaining documents, testimony or any other available evidence.
 Next, based on the specific details of the case, examine legal resources such as
statutes, regulations and precedent to determine whether any laws have been broken.
 Finally, inform higher authorities or the relevant organisations about the breach and
take appropriate action, such as dismissing any employees or stakeholders implicated in it.

Our important policies that will enable the charity to operate morally and ethically:
Ethical
The charity should start by creating its list of ethical policies. One of the first things
we tell Hughson to think about when creating an ethical policy for the charity is the
standards he wants to set for the organisation.
Huggson could have goals pertaining to openness, privacy and security. Hughson will be
responsible for guaranteeing that the charity is transparent about the information it
collects. This may include informing interested parties about what information the charity
will collect and how it will be used.
Clear consent processes and privacy policies should be in place to inform stakeholders and
give them control over their information. Transparency generally fosters trust and is
consistent with ethical values.
The second most important ethical rule is the security and privacy policy. We shall protect
stakeholder records through regular security checks and defensive technology such as
firewalls and biometrics, among others. By doing so we can ensure that user information is
kept confidential and that the charity stays ahead of threats.
Moral
The charity is expected to uphold a variety of principles when acting morally. One of the
fundamental principles is privacy: upholding stakeholders' confidentiality in order to build
credibility. This exemplifies the moral precepts of trust and honesty.
Another important concept is fairness, which means that when using the IT infrastructure,
all parties involved in the charity should be treated equally and have similar
opportunities. An example of unfair conduct by a team member would be giving one employee a
laptop with plenty of software and security features while giving another employee a laptop
with less software and no security measures. It is therefore crucial to guarantee that
every stakeholder receives equal treatment without bias. Failing to do so might damage the
charity's reputation in addition to demotivating a sizeable portion of the workforce.
Openness is the third fundamental principle. Workers need to show that they are dedicated
to being open and truthful. The charity will gain deeper relationships, more accountability
and better decision-making by doing this. It also lessens the possibility that the charity
will fail or have its expansion impeded, because employees and stakeholders are more likely
to have real conversations and exchange creative ideas. Employees who are discouraged from
voicing their ideas, or who feel unappreciated, may seek to harm the charity by trying to
gain unauthorised access to donors' financial information and other private data.

Stated below are our overall moral and ethical policies, and we expect compliance from all
employees and other stakeholders:
 All activities and events that the charity undertakes must not cause environmental damage.
 All of the charity's products are eco-friendly and do not harm the environment.
 Conflict of interest policy: employees must not let self-interest harm or collide with
their professional interests, duties or responsibilities.
 Ensure transparency and fairness in relationships with other charity members and
stakeholders.
 Employees and stakeholders must be completely honest, respect diversity and show integrity.
 All stakeholders have a responsibility to report promptly any theft, loss or unauthorised
disclosure of information.
 No form of harassment is permitted, whether on online platforms or face to face.
 Whistle-blower protection: we ensure a safe environment is provided for employees who
report unethical behaviour.
 We expect loyalty: workers must speak positively about the charity in public and address
personnel or organisational issues only in private.

Consequences and what can be done if the policy is not complied with:
 It is crucial to approach an immoral or unethical action with an open mind and a sincere
desire to understand the motivations behind it in order to address it successfully. This
establishes a secure environment where the staff member or stakeholder can express their
viewpoint without fear of criticism or reprisal.
 Start by speaking with the employee and letting them know that you are concerned about
their request or behaviour. Make it plain that your goal is to understand their thinking
rather than to terminate them immediately or take any further action.
 Let them express their viewpoint fully by encouraging them to explain their actions. Once
you have understood the reasoning behind the unethical activity, take the necessary action
to resolve the matter. Depending on how serious the situation was, this might mean
disciplinary action, further training, or putting policies in place to stop similar
incidents from happening in the future.
Why overall compliance with ethical, legal and moral measures is important.
All things considered, we guarantee that the charity will actively encourage constant
contact with both internal and external stakeholders to ensure that moral, ethical and
legal procedures are observed and carried out. An excellent illustration of this dedication
is the whistle-blowing role.
We will make sure that this individual ensures that all procedures are followed and
promptly reports any unlawful, immoral or unethical actions to higher authorities on behalf
of the organisation. We will also maintain regular contact with law enforcement and other
stakeholders, which is of the utmost importance to guarantee that the non-profit
organisation complies with regulations and adapts to any changes or revisions in
legislation.
Lastly, Hughson must make it a priority to keep stakeholders and staff members well
informed, on an ongoing basis, about the rules and compliance the charity expects; this can
also be done through our charity app for internal members (layout on the final page).

Different approaches will also be employed to address legal and ethical issues,
depending on their specific nature. The necessary actions to rectify such issues will
vary accordingly. This includes providing additional or advanced training, offering
apologies to clients, family members, or caregivers, and implementing other
disciplinary measures. [p8]

APP LAYOUT (for internal members only: employees, manager, Huggson)
REFERENCES:
 Pathlock. (n.d.). 16 Ways to Prevent Insider Threats and Detect When They Occur. [online] Available at: https://pathlock.com/learn/16-ways-to-prevent-insider-threats-and-detect-when-they-occur/
 phanivedala (2023). Multi-Factor Authentication (MFA): Strengthening Your Online Security. [online] Learning Center. Available at: https://www.extnoc.com/learn/security/multi-factor-authentication#:~:text=Multi%2Dfactor%20authentication%20is%20a,unauthorized%20access%20and%20identity%20theft
 Innovatrics. (n.d.). Biometric Verification - Definition, FAQs. [online] Available at: https://www.innovatrics.com/glossary/biometric-verification/
 CybSafe (2023). Train smart, not hard! The intelligent approach to phishing training. [online] CybSafe. Available at: https://www.cybsafe.com/blog/phishing-training-an-intelligent-approach/#:~:text=Phishing%20attacks%20are%20the%20most.
 www.beyondidentity.com. (n.d.). What is Shoulder Surfing? | Beyond Identity. [online] Available at: https://www.beyondidentity.com/glossary/shoulder-surfing#:~:text=How%20a%20Shoulder%20Surfing%20Attack
 www.knowledgehut.com. (n.d.). What is Shoulder Surfing & How to Prevent It? [online] Available at: https://www.knowledgehut.com/blog/security/shoulder-surfing
 www.indeed.com. (n.d.). Ethics Policies for Your Business: Do's and Don'ts. [online] Available at: https://www.indeed.com/hire/c/info/ethics-policies-for-your-business?hl=en&co=US
 www.indeed.com. (n.d.). 21 Core Company Values to Consider for Your Business (With Examples). [online] Available at: https://www.indeed.com/hire/c/info/company-values
 Utilities One. (n.d.). Ethical Guidelines for Communication Infrastructure Providers in Social Media Integration. [online] Available at: https://utilitiesone.com/ethical-guidelines-for-communication-infrastructure-providers-in-social-media-integration#:~:text=Ethical%20Considerations%3A%20Striving%20for%20Fairness&text=Clear%20privacy%20policies%20and%20consent
 Indeed Editorial Team (2023). Business Ethics: Types and Examples. [online] Indeed Career Guide. Available at: https://www.indeed.com/career-advice/career-development/business-ethics
 Volkov, M. (2021). Why Ethics and Compliance is Everyone's Responsibility. [online] GAN Integrity. Available at: https://www.ganintegrity.com/blog/why-ethics-and-compliance-is-everyones-responsibility/
 www.powerdms.com. (n.d.). Role of Ethics and Compliance in Corporate Culture. [online] Available at: https://www.powerdms.com/policy-learning-center/role-of-ethics-and-compliance-in-corporate-culture
 Information Technology. (n.d.). IT Acceptable Use Policy. [online] Available at: https://www.nicholls.edu/information-tech/policyandprocedure/acceptable-use-policy/
 Pantelakis, A. (2023). Acceptable use policy template. [online] Recruiting Resources: How to Recruit and Hire Better. Available at: https://resources.workable.com/acceptable-use-policy-template
 Board of Regents. (2014). Acceptable Use of Information Technology Resources. [online] Available at: https://www.wisconsin.edu/regents/policies/acceptable-use-of-information-technology-resources/
 www.sec.gov. (n.d.). Code of Business Conduct and Ethics. [online] Available at: https://www.sec.gov/Achives/egar/data/1297401/000119312511045757/dex14.htm#:~:text=A%20failure%20by%20any%20employee
 www.easyllama.com. (n.d.). A Checklist to Ensure Code of Conduct Compliance in Your Company. [online] Available at: https://www.easyllama.com/blog/code-of-conduct-compliance/
 Code of Business Conduct: Integrity | Honesty | Fairness. (n.d.). [online] Available at: https://www.wipro.com/content/dam/nexus/en/investor/corporate-governance/policies-and-guidelines/ethical-guidelines/code-of-business-conduct-and-ethics.pdf
 Papadopoulou, E. (2022). How can non-compliance affect your business? [online] Polonious. Available at: https://www.polonious-systems.com/can-non-compliance-affect-your-business/
 Luca, R. de (n.d.). 4 Steps to Ensure Employees Follow Procedures. [online] BambooHR Blog. Available at: https://www.bamboohr.com/blog/procedures-employees
 Chin, K. (2023). How To Detect and Prevent Insider Threats. [online] UpGuard. Available at: https://www.upguard.com/blog/how-to-detect-and-prevent-insider-threats
