ERM Practical Connection Activity
Addressing Information Security Risks by Adopting Standards
Manchoopaporn Boonchoo
University of the Cumberlands.
Enterprise Risk Management
ITS 835-40
Dr. Abiodun Adeleke (Abbey)
06/13/2021
Introduction
Having worked for Jira Software, I believe ISO 27001 has worked well for the company: it has maintained certification and compliance with the standard, which has been instrumental in addressing regulatory and customer contractual obligations. The certification gives customers independent substantiation of the company's information security and privacy practices. ISO 27001 is one of the earliest and best-known standards for Information Security Management Systems (ISMS) (Culot et al., 2021). Accordingly, the Statement of Applicability for Jira's ISMS covers all of the controls defined in the standard. The standard is designed so that an organization can provide assurance that it protects the data entrusted to it and can counter cyberattacks that would compromise that data (Lopes et al., 2019). To maintain certification, the company is subject to independent audit on a three-year recertification cycle, with interim surveillance audits, to confirm that the standard is still being met. Jira's ISO 27001 certification encompasses information security policies, asset management, access control, business continuity, compliance, organization of information security, and physical and environmental security.
Effectiveness of ISM Framework
Jira takes a cross-functional approach to governing data privacy: privacy governance is applied across the organization and covers the data of customers, vendors and employees alike. The company has a defined structure in which the legal team includes a senior director who heads Privacy and Law Enforcement Compliance and reports directly to the General Counsel (Culot et al., 2021). A Privacy Engineering Team collaborates with the Legal Team and product counsel to design products, from inception to release, so that customer privacy is protected and data remains under the company's control at all times. This is backed by a robust process ensuring that collected data is used only as intended and as required by law. A privacy steering committee sets the privacy standards for the Jira team and resolves privacy compliance questions that require a decision. The audit and finance committee of the Board of Directors provides oversight and monitors privacy and data security (Al-Ahmad & Mohammad, 2013).
Notably, company policy requires all employees to complete annual Business Conduct training, which reinforces their commitment to respecting human rights and to ethical business practices characterized by honesty and compliance with laws and regulations. Jira treats privacy training as a critical element of Business Conduct training. Every employee with access to customer data and personal information must also complete an additional privacy course on a bi-annual basis to stay current on the EU General Data Protection Regulation (Goddard, 2017). Further training is provided to employees who handle large volumes of sensitive data. The organization conducts an annual Privacy Impact Assessment of its major products and services and of the features integrated into new products (Steglich et al., 2020). As an international company, Jira also engages with civil society representatives around the world on data privacy issues, including privacy by design and encryption.
Jira ISO 27001 Framework
The services covered by the ISO 27001 certification are Jira Business Chat, Cloud storage, managed Jira IDs, Jira school manager and the Jira Push Notifications service. The company remains committed to human rights and is guided by its Human Rights Policy, which sets out how the company should treat customers, employees and business partners at every level of the supply chain, supported by the ISO 27001 framework (Al-Ahmad & Mohammad, 2013). Products are built on the principle of privacy by default: the company collects only the data necessary to provide its services and products to users. Collected data is retained only as long as needed to fulfil the purpose for which it was collected, and that purpose is described in the privacy policy as the law requires. Jira has also deployed mechanisms that let customers choose what they share with other apps, for example from Jira Music.
Frameworks Based on Research to address the risks
Another framework worth considering is Control Objectives for Information and Related Technology (COBIT). COBIT is used to align the business with the information technology that supports its operations. It provides the IT governance framework for how a company deploys resources to safeguard information, gives the company an organizational structure for creating IT policies and procedures, and informs management's handling of compliance (Al-Ahmad & Mohammad, 2013). COBIT can standardize a company's cyber activities, ensuring that technology is used effectively to meet business demands without compromising the data held in the systems that carry out those functions.
Data security and incident response frameworks are strictly enforced to safeguard customer privacy. The company applies access management and access controls commensurate with the risk to the data, so that access to data matches business need. Jira's platform security is documented in detail for those who design its operating systems, in the same way that Apple's platform security spans iOS, iPadOS, macOS and watchOS to protect customers (Novac et al., 2017). When the organization identifies a data security problem that may affect customer data, it assigns a dedicated team to investigate the issue and take the necessary steps. In the event of a data breach, one of the first steps is to release a software update immediately. Jira thus stays aware of such problems and follows applicable law, acting without undue delay.
For privacy policy updates, the company posts changes on its web page in advance to inform users of what to expect. Because of its commitment to transparency about requests for user information, Jira does not share user information with third parties when the request has no legal basis (Lopes et al., 2019). To de-identify personal data, the company removes all elements and identifiers associated with the individual. Adherence to the de-identification standard is reviewed through the privacy compliance audit and by the verification team.
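As an added illustration of the de-identification and review step described above (example code written for this page, not Jira's own implementation; the field names, sample records and key are constructed), the block below strips direct identifiers from a record, replaces the email with a keyed HMAC pseudonym so related records can still be linked without exposing the person, coarsens quasi-identifiers such as date of birth and postal code, scrubs identifier patterns out of free-text notes, and then runs a separate verification pass, standing in for the compliance audit, that rejects any record in which an identifier survives.

```python
"""De-identify customer records and verify the result before release.
Example code for this page; field names, sample records and the key are
constructed, not taken from any real system."""
import hmac
import hashlib
import re
from datetime import date

# Fields that identify a person on their own; they are removed outright.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "street_address", "ip_address"}
# Patterns that catch identifiers leaking through free-text fields.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed HMAC: stable across datasets, but nobody without the key can
    recompute it from a guessed email (a plain hash would be brute-forceable)."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def scrub_text(text: str) -> str:
    """Redact email addresses and phone numbers embedded in free text."""
    text = EMAIL_RE.sub("[REDACTED]", text)
    return PHONE_RE.sub("[REDACTED]", text)


def deidentify(record: dict, key: bytes, today: date) -> dict:
    """Return a copy of the record with identifiers removed or generalized."""
    out = {}
    for field, value in record.items():
        if field == "email":
            out["subject_id"] = pseudonym(value, key)  # links records, not people
        elif field in DIRECT_IDENTIFIERS:
            continue  # drop the direct identifier entirely
        elif field == "birth_date":
            # Coarsen a quasi-identifier: exact date of birth -> ten-year age band
            age = today.year - value.year - (
                (today.month, today.day) < (value.month, value.day))
            low = age // 10 * 10
            out["age_band"] = f"{low}-{low + 9}"
        elif field == "postal_code":
            out["postal_prefix"] = value[:3]  # keep only a coarse region prefix
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


def verify_deidentified(records: list) -> list:
    """Audit check: list of (index, field, reason) findings; empty means pass."""
    findings = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if field == "subject_id":
                continue  # known pseudonym, not an identifier
            if field in DIRECT_IDENTIFIERS or field == "birth_date":
                findings.append((i, field, "identifier field present"))
            elif isinstance(value, str) and (EMAIL_RE.search(value)
                                             or PHONE_RE.search(value)):
                findings.append((i, field, "identifier pattern in text"))
    return findings


# Constructed sample data (not real customers).
SAMPLE_RECORDS = [
    {"name": "Ada Example", "email": "Ada@Example.org", "phone": "+1 415 555 0100",
     "birth_date": date(1985, 3, 14), "postal_code": "94107", "plan": "team",
     "support_note": "Customer asked to be called back at +1 415 555 0100."},
    {"name": "Bob Sample", "email": "bob@example.org", "phone": "+44 20 7946 0958",
     "birth_date": date(1992, 11, 2), "postal_code": "SW1A 1AA", "plan": "free",
     "support_note": "Forwarded from bob@example.org; wants an invoice copy."},
]
# Assumption: in production the pseudonymisation key lives in a KMS, not in code.
KEY = b"rotate-me-keep-in-a-kms"


def run_demo(today: date = date(2021, 6, 13)):
    """De-identify the sample records and run the audit pass over the result."""
    cleaned = [deidentify(r, KEY, today) for r in SAMPLE_RECORDS]
    return cleaned, verify_deidentified(cleaned)


if __name__ == "__main__":
    cleaned, findings = run_demo()
    for rec in cleaned:
        print(rec)
    print("audit findings:", findings or "none")
```

The verification pass is deliberately independent of the de-identification code: it does not trust the transform, it re-scans the output for identifier fields and patterns, which is the same posture an audit or verification team takes when reviewing a de-identified dataset.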
Conclusion and Recommendation
Overall, information security management is the set of policies and controls for managing information and communication technology risks. Adopting an IT standards framework ensures that the data at an organization's disposal is used effectively and protected. Jira has successfully implemented ISO 27001 to address its information security problems comprehensively, and it uses the certification to assure customers that their security obligations are met. The management team ensures full commitment and adequate resources so that the information security management system (ISMS) is developed to reduce risk to the organization's employees, partners and other stakeholders. An effective ISMS gives an organization a framework to identify problems and to protect its information from unauthorized people who might compromise it. Jira should continue to review how to enhance its approach to information security so that it can respond effectively to the ever-evolving business environment and the threats the company may face. The recommendations to the organization are therefore: introduce a consistent approach to security training so that all members understand their responsibilities; conduct a risk assessment to confirm that all treatment plans have been established and have brought risk within the organization's threshold; and review the bi-annual assessment to confirm that the ISMS is effective and that resources have been committed to its full operation and continual improvement.
References
Al-Ahmad, W., & Mohammad, B. (2013). Addressing information security risks by adopting standards. International Journal of Information Security Science, 2(2), 28-43.
https://ijiss.org/~ijissorg/ijiss/index.php/ijiss/article/viewFile/20/pdf_5
Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda. The TQM Journal, 33(7), 76-105.
https://doi.org/10.1108/TQM-09-2020-0202
Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703-705.
https://doi.org/10.2501/IJMR-2017-050
Lopes, M., Guarda, T., & Oliveira, P. (2019). How ISO 27001 can help achieve GDPR compliance. In 2019 14th Iberian Conference on Information Systems and Technologies (CISTI) (pp. 1-6).
https://ieeexplore.ieee.org/document/8760937?arnumber=8760937
Novac, O. C., Novac, M., Gordan, C., Berczes, T., & Bujdosó, G. (2017, June). Comparative study of Google Android, Apple iOS and Microsoft Windows phone mobile operating systems. In 2017 14th International Conference on Engineering of Modern Electric Systems (EMES) (pp. 154-159).
https://doi.org/10.1109/EMES.2017.7980403
Steglich, C., Majdenbaum, A., Marczak, S., & Santos, R. (2020, March). A Study on Organizational IT Security in Mobile Software Ecosystems Literature. In 2020 IEEE International Conference on Software Architecture Companion (ICSA-C), 234-24.
https://doi.org/10.1109/ICSA-C50368.2020.00047