
Unit 5: Database Management System

Data Security and Ethical Considerations

ICT 110: IT for Business

Learning Objectives

By the end of this lecture, you will be able to:
  • ✅ Analyze the core principles of data security (the CIA Triad) within a business context.
  • ✅ Identify common data security threats and their impact on various business functions like Finance, HR, and Operations.
  • ✅ Evaluate the business implications of data privacy regulations and ethical data handling.
  • ✅ Apply ethical frameworks to real-world business scenarios involving data.

Why Does This Matter for Business?

Data security isn't just an IT problem; it's a fundamental business risk.

Protecting Core Assets 💼

  • Finance: Preventing fraud and protecting sensitive financial records.
  • Operations: Safeguarding intellectual property (e.g., product designs, formulas).
  • HR: Securing confidential employee and payroll data.

Maintaining Trust & Reputation 🤝

  • A single data breach can destroy years of customer loyalty.
  • Ethical data handling is a competitive advantage.
  • Ensures business continuity and avoids costly downtime.

The Foundation: The CIA Triad

A model for guiding information security policies within an organization.

Confidentiality 🤫

Ensuring data is accessible only to authorized individuals.


Example: Only HR managers and senior executives can view employee salary information.

Integrity 📝

Maintaining the accuracy and consistency of data over its entire lifecycle.


Example: A financial transaction in the accounting system cannot be altered without a proper audit trail.

Availability ⚡

Ensuring data is accessible and usable when needed by authorized users.


Example: The inventory management system for the Operations team must be online 24/7 during peak season.

Common Security Threats to Business

Each threat type, what it does, and the primary business function impacted:

  • Phishing & Social Engineering: Tricking employees into revealing sensitive info.
    🎯 Finance: Attackers gain access to company bank accounts.
  • Ransomware: Encrypting company data and demanding payment.
    ⚙️ Operations: Production line or supply chain systems are shut down.
  • Insider Threats: Current or former employees misusing their authorized access.
    👥 Human Resources: A disgruntled employee leaks confidential employee records.
  • Weak Passwords: Easy-to-guess credentials leading to unauthorized access.
    📊 All Functions: Unauthorized access to strategic plans, customer lists, or financial reports.

Key Security Measures

How businesses defend themselves:

  • 🔑 Access Control: Limiting access to information systems to authorized users. This is based on the principle of "least privilege": each user receives only the access their job requires, and anything not explicitly granted is denied.
  • 🔒 Encryption: Transforming data so that it is unreadable without the decryption key, both in transit (e.g., on the internet) and at rest (e.g., on a hard drive).
  • 🔄 Data Backups & Recovery: Regularly creating copies of data to ensure it can be restored in case of data loss or a ransomware attack.

Example: Role-Based Access Control

An Accountant can view and edit financial ledgers but can only view employee names. An HR Manager can view and edit employee records but can only view departmental budgets.
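The role-based access control example above, written out as a small permission check (an added example, not code from the lecture). The roles and permissions are exactly the two described: Accountant and HR Manager. The user names, the extra "marketing_analyst" role and the logging format are constructed; the marketing analyst has no entry in the matrix, which is what least privilege looks like in practice, and every denied request is recorded so that repeated attempts to reach data outside one's role can be reviewed.

```python
"""Role-based access control with least privilege and denial logging (added example)."""

# Permission matrix: role -> resource -> set of allowed actions.
# Anything not listed here is denied by default (least privilege).
PERMISSIONS = {
    "accountant": {
        "financial_ledgers": {"view", "edit"},
        "employee_names": {"view"},
    },
    "hr_manager": {
        "employee_records": {"view", "edit"},
        "departmental_budgets": {"view"},
    },
}

# Constructed user directory; a marketing analyst has no row in PERMISSIONS.
USER_ROLES = {
    "alice": "accountant",
    "bob": "hr_manager",
    "carol": "marketing_analyst",
}

# Denied requests are kept for review (in a real system: a SIEM or audit log).
denied_log: list[str] = []


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Return True only if the user's role explicitly grants the action."""
    role = USER_ROLES.get(user)
    allowed_actions = PERMISSIONS.get(role, {}).get(resource, set())
    allowed = action in allowed_actions
    if not allowed:
        denied_log.append(
            f"DENIED user={user} role={role} action={action} resource={resource}"
        )
    return allowed


def denied_count(user: str) -> int:
    """How many times a given user has been refused; useful for spotting probing."""
    return sum(1 for line in denied_log if f"user={user} " in line)


if __name__ == "__main__":
    checks = [
        ("alice", "edit", "financial_ledgers"),   # allowed
        ("alice", "edit", "employee_names"),      # denied: view only
        ("bob", "edit", "employee_records"),      # allowed
        ("bob", "edit", "departmental_budgets"),  # denied: view only
        ("carol", "view", "employee_records"),    # denied: no role entry at all
    ]
    for user, action, resource in checks:
        print(user, action, resource, "->", is_allowed(user, action, resource))
    print("\n".join(denied_log))
```

Note that the check is data-driven: adding a role means adding a row to the matrix, and the default-deny behaviour comes from the empty set returned for anything unlisted, not from a list of forbidden actions that would have to be kept complete.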

Transition: From Security to Privacy

Data Security is about protecting data from unauthorized access.

Data Privacy is about who has that authorized access and how they are permitted to collect, use, and share the data.

You can have security without privacy, but you cannot have privacy without security.

Understanding Data Privacy

Personally Identifiable Information (PII) is any data that could be used to identify a specific individual.

Examples of PII in different business functions:

Human Resources 👥

  • Citizenship Number
  • Home Address
  • Bank Account Details
  • Performance Reviews

Marketing 🎯

  • Customer Name
  • Email Address
  • Purchase History
  • IP Address

Finance 💰

  • Credit Card Numbers
  • Loan Application Data
  • PAN Number
  • Investment Details

Legal vs. Ethical: A Crucial Distinction

Just because you can do something with data, doesn't mean you should.

Legal ✅

Following the letter of the law and regulations (e.g., Nepal's Privacy Act, GDPR).


Scenario: A company's privacy policy, buried in 20 pages of text, allows them to sell customer browsing data to third parties. This is likely legal.

Ethical 🤔

Adhering to moral principles and values. Being transparent and fair with data subjects.


Scenario: Is it ethical to sell that data without making it explicitly clear to customers in simple terms? Doing so could erode trust and be seen as exploitative.

An Ethical Framework for Business Data

Consider the "PAPA" framework when making data-driven decisions:

  • Privacy: What information must people reveal about themselves?
  • Accuracy: Who is responsible for the authenticity and fidelity of information?
  • Property: Who owns the information and how can it be transferred?
  • Accessibility: Who has a right to access this information?

Finance Scenario 🔍

A bank uses an AI algorithm to approve loans. The AI learns from historical data and starts denying loans to qualified applicants from a specific neighborhood.

Question: Which PAPA principles are at risk here? (Primarily Accuracy and Accessibility).

Responsibility Across the Business

Data governance is a team sport. Every department has a role.

Finance & Accounting 💰

  • Ensuring integrity of financial reports.
  • Implementing controls to prevent fraud.
  • Complying with financial data regulations.

Human Resources 👥

  • Protecting sensitive employee PII.
  • Ensuring fairness in AI-based recruiting tools.
  • Managing access to employee data on a need-to-know basis.

Operations & Supply Chain ⚙️

  • Securing supplier and partner data.
  • Protecting proprietary manufacturing processes.
  • Ensuring availability of logistics systems.

Marketing & Sales 🎯

  • Being transparent about data collection.
  • Respecting customer consent and preferences.
  • Securing the Customer Relationship Management (CRM) database.

Practical Application in Nepal 🇳🇵

How local companies handle data security and ethics:

eSewa (FinTech)

Focus: Confidentiality & Integrity

Security is their business model. They must protect user transaction data, KYC details, and bank links to comply with Nepal Rastra Bank directives and maintain user trust.

Daraz (E-commerce)

Focus: Privacy & Availability

Must secure millions of customer records (PII), payment details, and purchase histories. Ethical use of data for recommendations is key. Website availability is critical for sales (Operations).

CG Foods (Manufacturing)

Focus: Integrity & Property

Protecting intellectual property like the Wai Wai noodle formula is a top priority. They also secure sensitive data about their vast distribution network (Operations/Supply Chain).

Discussion: A Mini Case Study

The Scenario

A junior marketing analyst at a large retail company wants to run a promotion for new parents. He asks a friend in the HR department for a list of all employees who have taken paternity or maternity leave in the last year.


Discussion Points:

  1. What are the immediate security risks here? (Insider threat, unauthorized access).
  2. What are the ethical problems? (Misuse of data collected for one purpose - HR - for another - Marketing).
  3. As a manager, how would you respond to this situation to educate both employees?

Key Takeaways

What you should remember from today's lecture:
  • 1️⃣ Data security is a business-wide responsibility, impacting every function from Finance to HR to Operations.
  • 2️⃣ The CIA Triad (Confidentiality, Integrity, Availability) provides a simple but powerful framework for security policy.
  • 3️⃣ Being ethical with data goes beyond just following the law; it's about building trust and creating long-term value.
  • 4️⃣ Every business decision involving data has potential security and ethical implications that must be considered.

Thank You

Any Questions?


Next Topic: Basics of Data Analysis with Spreadsheets and Power BI

