BUS369e: Star Training and Education Centre (STEC) was a Company that Provided Training and Education Courses for Adults: Managing Information Security and Privacy Assignment, SUSS, Singapore

Star Training and Education Centre (A)
Star Training and Education Centre (STEC) was a company that provided training and education courses for adults. STEC conducted many courses at various locations and its courses were popular among working adults. STEC had a team of administrative officers who assisted in marketing and operations, such as course registration. STEC also had a team of staff who
attended to inquiries received through the hotline.

Recently, the STEC hotline received a complaint from one of the course participants, Jane. Jane had realized that her personal data, including her full name, identification number, contact number, and email address, could be retrieved through a search on the Internet. She believed that STEC was responsible for the data breach, as her personal data was listed in a spreadsheet that contained data from other participants of a STEC course that she recently attended.

The entire spreadsheet could be downloaded from the Internet.
After the hotline staff received the complaint from Jane, they had no idea how they should manage the complaint. They checked with various administrative officers but the administrative team had never encountered this before. After a few days, Jane called the STEC hotline again to complain that her personal data was still available on the Internet. Finally, the administrative staff decided that the IT department should look into this matter.

However, the IT department did not think that it was their responsibility. The IT manager explained to the administrative staff that the IT department was only in charge of the IT infrastructure and the learning management system used by STEC courses, but not incidents pertaining to personal data. The IT staff did not know how they should investigate the cause of the data breach or
how they could remove the spreadsheet from the Internet. As Jane did not receive a satisfactory response from STEC, she decided to report the matter to the local news agency.

STEC senior management only learned about this incident after they
were contacted by the news agency. The management was unhappy as they were not informed by their staff in a timely manner, and their staff did not know how to resolve the incident. As STEC did not have the expertise to resolve this problem, the management decided to engage
external expertise to investigate the incident.

Question 1 
(a) Explain the importance of information security, using this case as an example. Support your answer by listing at least five (5) possible examples of information assets belonging to STEC.

(b) Describe the three (3) critical characteristics of information that forms the C.I.A. triad. Discuss if each characteristic was affected in this incident and explain your reasons.

(c) Analyse the weaknesses in STEC’s response and propose measures that STEC can consider to improve their readiness to address similar incidents in the future. Your answer should apply concepts that you learned in this course.