ISO 27001, GDPR, and the Quest for Data Security: What’s the Deal?

After last week’s discussion on “what gaps should actually be regulated by regulators?”, this week, I’m diving into various existing technology recommendations based on research that has explored them.

First up: ISO 27001

ISO 27001 seems to be super well-known worldwide in the realm of security technology (forgive me, guys, I just found out about this ISO thanks to KIPP, hehe). But what has it actually done? Based on [this GDPR link] and [this other link], I got a better understanding of why ISO is so essential.

1. ISO 27001 and GDPR

Super relevant to my project since, in a way, it’s like Indonesia’s version of GDPR, especially in the financial sector. Interestingly, the journal I read pointed out that ISO and GDPR share similarities, meaning companies that have already implemented ISO will have an easier time complying with GDPR (yes, ISO really is that meticulous!).

ISO focuses on people, processes, and technology (which, by the way, is also embedded in Bank Indonesia’s regulations, not just GDPR). Another major similarity? The Data Protection Officer (I need to double-check this in BI’s regulations, though). And the most important part? Certification. This serves as proof of compliance with security standards.

That said, GDPR has additional requirements beyond ISO 27001, such as consent, certain rights, and data processing restrictions—which means ISO alone isn’t enough to meet GDPR standards.

2. Case study: Do employees in MSEs actually understand and apply ISO?

Since one of ISO’s three key aspects is people, the real question is: does ISO actually change how people interact with data?

One of the journals I read brought up an interesting theory—“knowledge influences attitudes, which in turn influence behavior.” So? Yep, people need to understand it first!

The research found that ISO helps employees feel more confident in implementing information security and fosters a ‘social pressure’ to comply within the workplace. And—this really clicked with my own thoughts—the journal also highlighted the importance of ongoing education. This means it’s not enough for security standards to be written in big regulatory documents. Even if I propose a framework for technical guidelines, it still won’t be effective unless each PJP (Payment Service Provider) actively promotes and socializes it to their employees.

What about NIST? Should I go deeper into this?

Honestly, I’m a bit torn on whether I should explore NIST further, considering it’s an American government standard (not trying to be political here, but shouldn’t each country have its own standards?).

That said, knowledge-wise, I skimmed some material on NIST, particularly their well-known NIST Cybersecurity Framework (CSF). Turns out, NIST is more technical compared to ISO 27001. The good news? They provide technical guidelines! Which makes it an awesome benchmark reference for my project.

Alright, since this week’s post is already pretty packed, let’s do a deeper dive next week! See you guys!

Cybersecurity in Indonesia’s Financial Sector: Gaps & Insights from the PADG

After previously discussing the Bank Indonesia Regulation (PBI) on Cyber Security and Resilience, in this blog, I want to dive deeper into its derivative regulation, the Member of the Board of Governors Regulation (PADG) on Cyber Security and Resilience (KKS), which provides more detailed guidelines. The key points covered in the PADG include:

1. Purpose & Scope

  • Strengthening cyber security and resilience in the financial sector.
  • Regulating Payment System Operators (PJP), money market participants, and other entities under BI’s supervision.
  • Covering governance, prevention, incident handling, reporting, and sanctions.

2. Cyber Security Governance

  • Organizations must develop a KKS strategy & roadmap.
  • Conduct regular audits at least once a year (internal or external).
  • Provide training & education on cyber security for employees and external partners.

3. Cyber Incident Prevention

  • Identify risks & map threats (people, process, technology).
  • Protect data & systems (restricted access, encryption, malware detection).
  • Conduct real-time threat monitoring & vulnerability testing (at least once a year).

4. Cyber Incident Handling

  • Establish a cyber incident response team ready to take action.
  • Report incidents to BI (initial notification within 1 hour, full report within 3 days).

5. Sanctions for Violations

  • Administrative fines up to IDR 5 million per report.
  • Possible sanctions: warnings, temporary suspension, or even license revocation.

6. Collaboration & Information Sharing

  • Organizations must share threat information with BI.
  • BI has the authority to isolate systems affected by cyberattacks.
  • Self-Regulatory Organizations (SROs) are appointed to assist with regulation.

Looking at this regulation, it seems quite comprehensive… but I do see some gaps. So, let’s go back to my dissertation outline.

One key aspect I’m focusing on is the identification and mapping of security standards like ISO 27001, NIST, IEEE, and ECSS. Right now, the KKS regulation does not specify any particular technology standards. My guess? Maybe BI wants to allow PSPs (including PJPs) the flexibility to explore their own technology choices. But is that a good move?

In my opinion, cybersecurity requires clear technical details to address the complexity of modern IT environments. Mtsweni et al. (2018) describe today’s digital landscape as a web of interconnected systems, overlapping processes, and complex organizational structures, much of which operates in a black box. Without well-defined standards, PSPs could implement security measures inconsistently, leading to gaps in protection.

Many studies, including Villalón-Fonseca (2022), emphasize the importance of international standards like ISO 27001, which provides a framework for establishing, implementing, maintaining, and improving an Information Security Management System (ISMS). Mandating at least a minimum level of compliance with this standard would be a solid step forward. Interestingly, BI’s regulatory counterpart, OJK, has already taken this approach, explicitly requiring ISO 27001 for banks under SEOJK 29 – 03 – 2022.

If we look deeper into the core principles of ISO/IEC 27001, it follows a process-based approach, involving planning, implementation, monitoring, review, and continuous improvement—all centered around risk management. The KKS regulation does mention cyber risk, but it doesn’t specify a clear methodology or require a Statement of Applicability (SoA). It also doesn’t address information asset classification, which is crucial for ensuring structured data governance. Some of these aspects are mentioned in the PADG, but again, not in much detail.

This raises an important question: is the lack of detail because the PADG simply isn’t designed to regulate at that level? If that’s the case, then my research could provide recommendations on which areas need more clarity, so that PJP operators don’t have to “guess” their way through compliance. The goal is to ensure flexibility, while still aligning with international best practices for data protection.

Reference:

Mtsweni, J., Gcaza, N., & Thaba, M. (2018). A unified cybersecurity framework for complex environments. SAICSIT 2018, 26–28 September, Port Elizabeth, South Africa.

Villalón-Fonseca, R. (2022). The nature of security: A conceptual framework for integral-comprehensive modeling of IT security and cybersecurity. Computers & Security, 120, 102805. https://doi.org/10.1016/j.cose.2022.102805

Brewing Ideas with Tea and Regulations: Preparing for May

Today Euwyn’s storm kept me company all day. It’s been one of those perfectly gloomy days where the rain seems endless, and the grey skies blend seamlessly with the horizon. While many would consider this the perfect excuse to curl up in bed, I decided to make the most of the cozy vibe. With a hot cup of tea in hand, I tackled the “Bank Indonesia Regulation” on “Cyber Security and Resilience.” Surprisingly, it turned out to be a pretty engaging way to spend my afternoon, especially since it ties directly into my upcoming dissertation preparation, officially starting this May.

From what I’ll focus on in my project, I carved out some key takeaways from the regulation that could form the groundwork for my research:

  1. Identification of Security Standards
    The regulation emphasizes the importance of following best practices. While it doesn’t explicitly reference international standards, I think frameworks like ISO 27001 are highly applicable, as they address confidentiality, integrity, and data availability. For my dissertation, I’ll likely analyze the standards mentioned in the regulation, compare them to others like NIST or COBIT, and identify any gaps relevant to the Indonesian context.
  2. Framework Design
    The regulation includes essential elements of cyber risk management, such as identifying critical assets, conducting periodic risk assessments, and mitigating threats with tech-driven strategies. This aligns well with my goal to develop a framework that integrates policy and technology, tailored specifically to the needs of PSPs (Payment Service Providers) in Indonesia.
  3. Audit and Supervision Procedures
    Another point of interest is the regulation’s requirement for internal and external audits to evaluate compliance with security standards and incident reporting to Bank Indonesia. This could inspire a section in my framework detailing effective audit processes, including incident reporting, key performance indicators (KPIs), and leveraging technology for streamlined oversight.
  4. Review of Best Technologies and Procedures
    The regulation encourages the adoption of advanced technologies like encryption, threat detection systems, and real-time monitoring. To deepen my analysis, I’ll explore technologies already used in Indonesia, compare them with global trends, and highlight innovations that could boost security and efficiency for PSPs.

After mapping these points, I realized the scope might be too broad. It’s a good reminder to stick to the plan I’ve laid out in my proposal—focus is key! I’m excited to meet with my supervisor soon to refine what specific aspects to delve into for my framework.

Alright, time to wrap up this post—thanks for sticking with me through these musings! Here’s to more gloomy days turning into productive moments. See you in the next blog post!

…and you can check the regulation here! (But I’m so sorry that it is in Bahasa Indonesia.)

Connecting Digital Democratic Innovation with Practical Data Security Frameworks

The first week of a new semester often brings a mix of curiosity and inspiration. With pre-intensive days for “Digital Democratic Innovation” underway, I’ve been diving into resources that feel unexpectedly connected to my project, “Practical Data Security Framework for Payment Service Providers in Indonesia.” It’s thrilling to see how concepts from seemingly different realms can inform and enrich one another. Let’s explore these connections.

  1. Building Trust through Data Transparency
    Transparency lies at the heart of both Digital Democratic Innovation (DDI) and effective governance frameworks. As noted in discussions on democratic participation, transparency fosters trust between institutions and citizens. For PJPs in Indonesia, integrating transparency—such as publishing public reports on data security practices and responses to cyber incidents—could elevate accountability and demonstrate a commitment to safeguarding user data.
  2. Collaboration via Participatory Platforms
    DDIs illustrate the power of participatory platforms to broaden public engagement. This idea aligns perfectly with the possibility of PJPs using similar platforms to involve users in shaping data security policies or even reporting cyber threats. A collaborative approach not only strengthens defenses but also empowers users as stakeholders in the digital ecosystem.
  3. Security as the Foundation for Digital Participation
    A secure digital environment is essential for fostering inclusive participation. By establishing a robust data security framework, PJPs can enable trust in emerging services like digital wallets. This not only enhances user confidence but also creates a safer space for broader digital engagement—a cornerstone of future innovation.
  4. Leveraging Technology for Equity and Inclusion
    DDI emphasizes fairness and inclusion, and technology plays a vital role in leveling the playing field. By employing advanced tools like AI-driven encryption and decentralized systems, PJPs can ensure equitable protection of personal data, regardless of users’ socio-economic status.
  5. Innovative and Decentralized Solutions
    Lessons from platform governance show that decentralized systems, such as blockchain, offer enhanced accountability and efficiency. Incorporating these into a data security framework could introduce groundbreaking ways to protect user data while maintaining operational resilience.

It’s amazing how DDI principles, designed to enhance democratic engagement, can influence the technical and governance aspects of data security. For me, this connection underscores the beauty of interdisciplinary thinking: the realization that our approaches to governance, innovation, and security can inform and support each other in unexpected ways.

Reference:

  • Ansell, C., & Miura, S. (2019). Can the power of platforms be harnessed for governance? Public Administration, 98(1), 261–276.
  • Whittington, O. (2022). Democratic innovation and digital participation: Harnessing collective intelligence for 21st-century decision-making. Nesta. ISBN: 978-1-913095-67-3
  • Mikhaylovskaya, A. (2024). Enhancing deliberation with digital democratic innovations. Philosophy & Technology, 37(3), 1–24.
  • Escobar, O. (2017). Pluralism and democratic participation: What kind of citizen are citizens invited to be? Contemporary Pragmatism, 14(4), 416–438.

From Blog to Pitching: It is ALLOWED!

While waiting to pitch to Claire this week, I was triggered to ponder (again).
“Why is Indonesia so often attacked by Ransomware or other cyber attacks?”

I googled it for fun, and the top answer immediately made me nod:
“The region’s growing strategic relevance makes it a prime target for cyberattacks. Cyber resilience is generally low, and countries have varying levels of cyber readiness,” said the Kearney report. And sadly, “there is a lack of strategic mindset, policy preparedness and institutional oversight relating to cybersecurity.”

Ouch, that last part is really true. Even though I’m not from the ministry of communication and information, as a central banker (er, or ex-central banker yes, because now I’m a student again 😅), I still find this sad. I’m still part of the public officials who are responsible, at least morally. That’s why I became curious and tried to explore what’s behind this situation.

The Kearney report also said that the cybersecurity industry in ASEAN still lacks local competence and a comprehensive framework. As a result, the value of risk is often underestimated, and the budget allocated is far from sufficient. Data shows that Indonesia’s spending on cybersecurity is only 0.02% of GDP, the lowest in Southeast Asia.

From there, it’s clear why ASEAN, especially Indonesia, is an easy target for cyber attacks. 😬

Uh, suddenly the pitching time came!

I was nervous too… I was given 3 minutes to pitch about what I’ve learned this semester, and what topic I’m going to raise as a project. But, honestly, I wasn’t too scared. The pitch actually felt like a retelling of what I’ve written on this blog. So, the decision to consistently write every week was never wrong!

And thank God, my proposed project was accepted!

If God permits, I will move forward with the topic of Data Management x Data Governance, which I narrowed down to Data Privacy. After much discussion, I decided to focus on “Practical Data Security Framework for Payment Service Providers (PJPs) in Indonesia.” I’ve been discussing this topic for the past few weeks, so it feels more solid to be the main project.

Yesterday’s pitch also gave me a lot of feedback from Cristian and Claire. Some important notes:

  • Cristian: Will probably pair me with a supervisor who understands the technical side. I’ve clarified that I’m not from an IT background, so I don’t understand tech details. But Cristian said it’s really important to have a “broader view.” Technology is a global solution, but in Indonesia there are definitely bias factors, whether it’s political, cultural, or otherwise, that need to be considered.
  • Claire: He emphasized the importance of knowing whether the relevant regulations are in place. “The ministry only regulates the amount, so there needs to be derivative regulations.” Claire also asked if I had imagined what the research would be like. Well, to be honest, I haven’t, because I want it to be compact and not complicated (understandably, time is short). But I think a discussion with my supervisor will help me strategize more clearly.

After that, I immediately told my mentor at the office, and as usual, no-rest-no-rest club! He immediately pointed out the Board of Governors Regulation on Cybersecurity. Of course, this became my mandatory reading material for further study.

Stay tuned for the rest of the story in the next post! ✨

Reference:

https://www.researchgate.net/publication/328848243_A_unified_cybersecurity_framework_for_complex_environments

From Guidelines to Governance: Exploring Data Security Standards for State Organizations

Hi there! It’s been a while since we caught up!
No one asked, but just so you know—I’m doing well! Although I’m feeling a bit under the weather today, probably because I just finished an intense 10-day study week. But hey, no time to rest; it’s time to start making progress again!

After doing some initial benchmarking to see how other central banks draft regulations on data management—specifically data security—it’s time to dive deeper into the key subtopics I plan to research:

  1. Identifying Security Standards — this post will focus on this one
  2. Designing a Framework
  3. Audit and Monitoring Procedures
  4. Reviewing the Best Technologies and Practices

Identifying Security Standards

What exactly are security standards for state organizations?
Simply put, they’re a set of guidelines and best practices designed to protect sensitive and confidential information. These standards help organizations:

  • Mitigate risks,
  • Reduce vulnerabilities,
  • Ensure regulatory compliance,
  • Maintain public trust, and
  • Avoid legal consequences.

The key phrase here is “set of guidelines and best practices”—and that’s why I’m confident this topic is a great fit for my project. It aligns perfectly with this definition, which I found through my trusted friend: the internet search box.

Diving Into Initial Findings

While exploring security standards for state organizations, I came across a paper that outlines some valuable frameworks applicable to state-level operations (not just for my institution). Here are a few that stood out:

  1. ECSS (European Cooperation for Space Standardization):
    Initially created for space systems, ECSS standards are helpful for early-phase security requirements. They emphasize defining security measures like access control, data integrity, and redundancy from the start.
  2. IEEE (Institute of Electrical and Electronics Engineers):
    IEEE focuses on security as a non-functional requirement, addressing attributes like protection against unauthorized access, modification, or destruction of data. This includes encryption, integrity checks, and communication restrictions.
  3. ISO (International Organization for Standardization):
    ISO offers a broader take on security, especially through standards like:

    • ISO 25010, which highlights information protection, system availability, and secure communication over public networks.
    • ISO 27034, which focuses on application security, advocating risk assessments and security controls tailored to the application’s required trust level.

To narrow down which standards are most relevant for state organizations, it’s crucial to consider the unique context, regulatory requirements, and security needs. Other resources like NIST (National Institute of Standards and Technology) publications could also come in handy for further exploration.

Next Steps?

While I’ve started looking at these standards, I’m holding off on diving too deep into specifics just yet. My next immediate task is to reflect on what I’ve learned during this first semester and decide if I can shape my dissertation topic around Data Governance—specifically focusing on consumer data protection by Payment Service Providers (PJP).

So stay tuned! I’ll share more updates next week.

Reference list:

The Complete List of Data Security, What are information security standards?, Cyber Security Standards

Benchmarking BoE: Data Protection Insights for Payment Service Providers in Indonesia

I’m a big believer in small steps. Making progress every day, even just a bit, keeps me going.

Right now, that means immersing myself in my future project for KIPP: ‘Data Security for State Institutions in Indonesia.’ Still, I’m grappling with exactly which aspect of data management I should focus on.

The backbone of my research is the Personal Data Protection Law (UU No. 27 Tahun 2022), which outlines several key security standards for managing personal data. Among these are:

  1. Data Protection Impact Assessments – Requires data controllers to conduct risk assessments for large-scale data processing, automated decision-making, new technology, and any processing that restricts data subjects’ rights.
  2. Operational Security Measures – Data controllers must ensure data protection through suitable technical measures and security levels aligned with the data’s risk level.
  3. Monitoring and Unauthorized Access Prevention – Data controllers should safeguard data confidentiality, oversee third-party involvement, and maintain a robust security system.
  4. Purpose-Limited Processing – Ensures data is processed accurately and responsibly to protect the rights of data subjects.
  5. Transparency and Accountability – Guarantees open processing practices, provides data access to subjects, and clearly communicates processes in an accessible manner.

For my project, I’m zeroing in on points 2 and 3. I think my ‘future expertise’ could help organizations create a framework for data management practices by Payment Service Providers (we call them PJP) in Indonesia. Plus, it would establish protocols for monitoring and preventing unauthorized access to meet PDP Law requirements.

Explaining the benchmarking research on BoE: To deepen my understanding, I’ve done some initial benchmarking on data privacy and security management with central banks, specifically the Bank of England, which has been my host during my time here. In the UK, the Information Commissioner’s Office (ICO) oversees Payment Service Providers, similar to how data privacy is regulated by Indonesia’s Ministry of Communication. However, considering recent data breaches back home, it’s clear we have some catching up to do.

Back to the topic! When it comes to PSP oversight and data security standards, BoE has laid out several significant steps:

  1. Outsourcing and Third-Party Risk Management [link]:
    • Data Protection in Outsourcing Agreements: Banks and PSPs must define, document, and understand their responsibilities related to data transfers.
    • Rights to Access, Audit, and Information: Banks have the right to access and audit third-party service providers, ensuring their adherence to data security standards.
    • Sub-outsourcing: Banks must ensure that any subcontractors also meet data protection standards.
  2. Operational Resilience [link]: BoE emphasizes that PSPs should have resilient systems capable of withstanding disruptions, including personal data breaches.
  3. Privacy Policy Commitments [link]: BoE is committed to protecting individual privacy, ensuring personal data processing aligns with established principles.

This benchmarking exercise will be instrumental in shaping my project. I’m likely to cover the following aspects:

  • Security Standards Identification
  • Framework Design
  • Audit and Monitoring Procedures
  • Best Practices in Technology and Procedures

I think these steps could serve as practical guidelines not only for the office but also for PJP data protection practices across Indonesia.

Inspired by GDPR: Developing a Robust Data Security Framework for Payment Providers

“It’s better to make a bit of progress each day than to let things pile up,” is a quote I’d probably coin if I were someone important. But, alas, I’m not (yet). Still, I’m no fan of last-minute rushes either! I’m all about installments, step by step. That brings me to my latest deep dive: data management.

This week, I managed to squeeze in a quick chat with one of my seniors at work, who’s practically a data management guru. “I’m planning to bring up data management as a topic; any insights? Especially for state institutions, and ideally with some added value for our office.” Given his packed schedule—working in a department that’s practically open 25 hours a day—he got right to the point: “Have you checked out the PDP Act? We’re starting to draft derivative regulations that apply to Payment Service Providers (PJP).”

So, I looked it up, and suddenly it all seemed familiar! The PDP Act incorporates sections ‘adopted’ from the GDPR, the data protection law used across the EU. Naturally, my thoughts shifted to my research focus: Could this be the core of my study? Data Management, specifically Data Security, for citizens whose personal data is registered with PJPs in Indonesia—now that could be something impactful.

Hours went by, and my senior hadn’t replied. Maybe it was the seven-hour time difference, or maybe he got pulled back into office chaos. Either way, I decided not to wait around and started diving into references on my own to get things moving.

It seems I’m steering toward “Development of a Data Security Framework for Payment Service Providers (PJP) in Indonesia based on the PDP Law.” In further stages, I’m thinking of exploring:

  1. Identification of Security Standards
  2. Framework Design
  3. Audit and Monitoring Procedures
  4. Review of Leading Technologies and Best Practices

I think this won’t just stop at meeting campus or office needs but could become a practical guide with concrete steps for PJPs across Indonesia. Here’s to making steady progress, one day at a time!

Data Dilemmas: Insights from My Research Journey

Honestly, I haven’t made much progress this week. With so many college assignment deadlines looming, it’s been a bit hectic! But hey, my commitment is to keep making progress every week, no matter what.

So, what’s on the agenda for the blog this week? No, I’m not talking about Liam Payne (again), but I have two topics that I hope won’t bore you:

1. Data Governance in Central Banks

To kick off my research, I need to dive into best practices from central banks around the world, especially when it comes to Data Governance. I found some interesting references [link] that explain how strategic data governance involves things like Data Catalogues, Data Warehouses, Data Virtualization, Data Marts, Data Lakes, and Data Lakehouses.

After reading up on this, I started exploring what my organization is doing in terms of data governance. I reached out to some senior colleagues and learned that we have a data factory (focused on content and use case/analytic apps) and data solution analytics, which includes a data lake, data virtualization, data catalog, data preparation, analytics tools, and visualization portals. From what I gathered, my organization is doing pretty well in its data governance efforts since we cover all the essential aspects. This might mean that my research topic should shift focus away from data governance and lean more into other areas of data management.

2. Research Method

During our last meeting, our lovely Prof. Claire encouraged us to think about the research methods we might use. Honestly, I only know about qualitative and quantitative methods, but that doesn’t really cover it! ChatGPT has become my go-to buddy for this, and today we had a friendly debate about the best research method for my dissertation. It’s still early to make a final decision, but it never hurts to start brainstorming, right?

After our 15-minute discussion, I found two research approaches that caught my interest:

  • Mixed Methods: This could allow me to combine both quantitative and qualitative research. For the quantitative part, I might benchmark against several related organizations. The qualitative side is where it gets tricky; I’d love to conduct in-depth interviews with professionals in the field of data management. The challenge? I’m not super active on LinkedIn, so my professional network is still pretty small. But I’m determined to make it happen—hopefully, some of the awesome professors at my campus can help me out!
  • Case Study: I’m a bit unsure about this one because it feels somewhat similar to quantitative research. I would select several related organizations and conduct observations within them. Don’t worry, once I nail down my research topic, I’ll dive deeper into this method so it’s clearer.

So, what’s next for me? Definitely not sleeping—how dare you suggest that! It’s time to start thinking seriously because data management is a vast topic. I need to focus on specific aspects to explore, whether it’s about data storage, the use of digital signatures, data access, or something else entirely.

That’s it for now, folks! Let’s catch up next week, okay?

starting step to reach “a dream”, i guess?

When I was little, I dreamed of becoming a dentist. A few years later, that dream shifted to becoming a singer. But finally, at the age of 26, God gave me the chance to become a central banker. Yes, not as an economist, but entrusted with a role in governance.

Over the past four years, I’ve experienced so many new things that I never imagined. One of them was being “hacked”—something I usually only hear about in mafia movies. Not at the level of Bong Joon Ho or Martin Scorsese, just your typical Indonesian director that I enjoy watching, haha. Back to the “hack” story: I clearly remember sitting in front of my laptop, doing my usual tasks, preparing documents for the Board Meeting, when suddenly my laptop froze. In about five minutes, all my Microsoft Word document formats had changed. Gone were the familiar “docx” or “pptx” extensions, replaced by five random letters filled with x, y, and z. I thought I was safe since I had backed everything up to my office OneDrive (thanks to automatic syncing). But, surprise! Everything on OneDrive was gone as if it had been swallowed by the earth.

You know what really annoyed me? I had completed four sets of meeting minutes that I hadn’t submitted to my supervisor for review yet. Did I have to start over? Absolutely. What made it challenging was that my notes were also gone. So where was I supposed to begin? Considering that during the Board Meeting, no voice or video recordings were allowed at all. At that moment, I was truly stressed. I wondered whose fault it was. Was it the IT department that failed to maintain our office’s security? Or was it Microsoft’s fault for being so easily hackable? Or was it my fault for trusting this tech stuff too much?

In the end, I started over from scratch with the help of my supervisor who was there with me… aka “what else could I do?”

Organizations that have migrated to cloud-based data storage and collaboration tools must reassess their information security strategies and may find that their on-premises security technologies cannot protect data stored in the cloud (Lang et al., 2023). I completely agree with this. However, it seems my organization has implemented some effective measures, as we haven’t experienced any ransomware attacks in the past three years (let’s hope it stays that way). One of the steps being implemented is the use of Multi-Factor Authentication (MFA) whenever employees log into their Microsoft 365 accounts. Unfortunately, some boomers still protest this, seeing it as just an added burden to their workload.

From what I’ve read, many cloud providers now support Data Loss Prevention (DLP) to classify and control various data, and they offer “always-on encryption” through Information Rights Management (IRM), which governs what authorized users can do and prevents all files from being stolen without a valid login. Vendors are currently developing sophisticated integrated approaches, called Extended Detection and Response (XDR).

Perhaps these reflections provide some context for why I chose data management as the topic for my KIPP project. I believe many organizations, especially in Indonesia, overlook the importance of data management, which is foundational to institutional governance. Recently, Indonesia was shocked by a ministry that failed to back up data containing personal information of its citizens. This question sparked my curiosity during our Future Governance class.

The “what-if” scenarios commonly used in fiction, particularly science fiction, serve as tools to explore new ideas while disregarding current realities (Dunne and Raby, 2013). This notion seems to fuel my desire to delve deeper into this topic. I hope that through my daily reflections on this blog, I can progressively share the research process regarding data management in organizations.

Alright, it’s time to scroll back through Twitter to find some more inspiration. Besides checking out the news about Liam Payne’s passing, I need a breather from Google Scholar, my bestie.

Reference:

Michael Lang, Lena Connolly, Paul Taylor, and Phillip J. Corner. 2023. The Evolving Menace of Ransomware: A Comparative Analysis of Pre-pandemic and Mid-pandemic Attacks. Digital Threats 4, 4, Article 52 (December 2023), 22 pages. https://doi.org/10.1145/3558006

Dunne, A., & Raby, F. (2013). Speculative Everything: Design, Fiction, and Social Dreaming. The MIT Press. http://www.jstor.org/stable/j.ctt9qf7j7
