2. Objectives:
• 7.1 Introduction
• 7.2 Concepts and Activities
• 7.2.1 Understand Data Security Needs and Regulatory Requirements
• 7.2.1.1 Business Requirements
• 7.2.1.2 Regulatory Requirements
• 7.2.2 Define Data Security Policy
• 7.2.3 Define Data Security Standards
• 7.2.4 Define Data Security Controls and Procedures
• 7.2.5 Manage Users, Passwords, and Group Membership
• 7.2.5.1 Password Standards and Procedures
• 7.2.6 Manage Data Access Views and Permissions
• 7.2.7 Monitor User Authentication and Access Behavior
• 7.2.8 Classify Information Confidentiality
• 7.2.9 Audit Data Security
• 7.3 Data Security in an Outsourced World
3. 7 Data Security Management
• Data Security is the fifth Data Management Function in
the Data Management framework in Chapter 1.
• It is the fourth data management function that interacts with
and is influenced by the Data Governance function.
• In this chapter, we define the Data Security Management
function and explain the concepts and activities involved in
Data Security Management.
4. 7.1 Introduction:
• Data Security Management is the planning, development, and
execution of security policies and procedures to provide proper
authentication, authorization, access, and auditing of data and
information assets.
• Effective data security policies and procedures ensure that the
right people can use and update data in the right way, and that all
inappropriate access and update is restricted.
• Understanding and complying with the privacy and confidentiality
interests and needs of all stakeholders is in the best interest of any
organization.
• Establish judicious governance mechanisms that are easy enough
for all stakeholders to abide by on a daily operational basis.
6. 7.2 Concepts and Activities
• The goal is to protect information assets in alignment with privacy
and confidentiality regulations and business requirements.
• Data security management requirements come from several sources:
• Stakeholder concerns: including clients, patients, students, etc.
• Government regulations: these protect stakeholder interests. Some
of them restrict access to information, while others ensure
openness, transparency, and accountability.
• Proprietary business concerns: ensuring the competitive
advantage provided by intellectual property and intimate
knowledge of customer needs.
• Legitimate access needs: data security implementers must
understand the legitimate needs for data access.
7. 7.2 Concepts and Activities
• Data security requirements, and the procedures to meet these
requirements, can be categorized into four basic groups:
• Authentication: Validate users are who they say they are.
• Authorization: Identify the right individuals and grant
them the right privileges to specific, appropriate views of
data.
• Access: Enable these individuals and their privileges in a
timely manner.
• Audit: Review Security actions and user activity to ensure
compliance with regulations and conformance with policy
and standards.
8. 7.2.1 Understand Data Security Needs and
Regulatory Requirements
• It is important to distinguish between business rules and procedures, and the rules
imposed by application software products.
• Application systems serve as vehicles to enforce business rules and procedures.
• It is common for these systems to have their own unique set of data security
requirements, over and above those required for business processes.
• These unique requirements are becoming more common with packaged and off-
the-shelf systems.
• Therefore, this activity is divided into two sub-activities:
• 7.2.1.1 Business Requirements
• 7.2.1.2 Regulatory Requirements
9. 7.2.1.1 Business Requirements
• Begin with a thorough understanding of business requirements.
• The business mission and strategy, as it percolates through the data strategy, must be
the guiding factor in planning data security policy.
• Address short-term and long-term goals to achieve a balanced and effective data
security function.
• The degree of data security is defined through the business needs of the
enterprise, depending on its size and on whether it chooses to have an extended
data security function.
• Security touch points: every business rule and process has its own security
requirements. Tools such as "Data-to-process" and "Data-to-role" relationship
matrices are therefore useful for mapping these needs.
• Identify detailed application security requirements in the analysis phase of
every systems development project.
10. 7.2.1.2 Regulatory Requirements
• Organizations are required to comply with a growing set of regulations.
• The ethical and legal issues facing organizations in the information age are
leading governments to establish new laws and standards.
• The requirements of several newer regulations, such as:
• the United States Sarbanes-Oxley Act of 2002 and Canadian Bill 198,
• the CLERP Act of Australia,
• have all imposed strict security controls on information management.
• The European Union's Basel II Accord
• imposes information controls on all financial institutions doing business in
the related countries.
• In Saudi Arabia, the NDMO, related to SDAIA,
• imposes information controls on all government and non-government sectors
that handle information.
11. 7.2.2 Define Data Security Policy
• The Data Security Policy is a collaborative effort of IT security
administrators, Data Stewards, internal and external audit teams,
and the legal department. It is reviewed and approved by the Data
Governance Council.
• The IT security policy and the Data Security Policy are part of a combined
security policy; however, they should be separated out.
• Data security policies are more granular in nature and take a very
data-centric approach.
• Defining directory structures and an identity management
framework can be components of the IT security policy,
• whereas defining individual application and database roles, user
groups, and password standards can be part of the Data Security
Policy.
12. 7.2.3 Define Data Security Standards
• Organizations should design their own security controls,
demonstrate that they meet the requirements of the law and
regulations, and document them.
• IT strategy and standards can also influence:
• Tools used to manage data security
• Data encryption standards and mechanisms.
• Access guidelines to external vendors and contractors.
• Data transmission protocols over the internet.
• Documentation requirements.
• Remote access standards.
• Security breach incident reporting procedures.
13. 7.2.3 Define Data Security Standards
• Physical Security standards, as part of enterprise IT policies:
• Access to data using mobile devices.
• Storage of data on portable devices such as laptops, DVDs, or USB drives.
• Disposal of these devices in compliance with records management
policies.
• The focus should be on quality and consistency, not on creating a huge body of
guidelines.
• Standards should be in a format that is easily accessible by suppliers, consumers, and
stakeholders.
• Standards should satisfy the four A's: authentication, authorization, access, and
audit.
14. 7.2.4 Define Data Security Controls and
Procedures
• Implementation and administration of the data security policy is
primarily the responsibility of security administrators. Database
security is often one responsibility of the DBAs.
• Implement proper controls to meet the objectives of
pertinent laws.
• Implement a process to validate assigned permissions
against the change management system used for tracking all user
permission requests.
• The control may also require a workflow approval process or a
signed paper form to record and document each request.
15. 7.2.5 Manage Users, Passwords, and Group Membership
• Access and update privileges can be granted to individual user accounts; however,
this may result in redundant effort.
• Role groups enable security administrators to define privileges by role, and to
grant these privileges to users by enrolling them in the role group.
• Try to assign each user to only one role group.
• Construct group definitions at the workgroup level and organize roles in a hierarchy,
where "child roles restrict the privileges of parent roles" (role management, Figure 7.2).
• Security administrators create, modify and delete user accounts and groups.
• Changes made to the group taxonomy and membership should require some level
of approval, and tracking using a change management system.
• Data consistency in user and group management is a challenge in a
heterogeneous environment.
• To avoid data integrity issues, manage user identity data and role-group
membership data centrally.
17. 7.2.5.1 Password Standards and Procedures
• Passwords are the first line of defense in protecting access to data.
• Typical password complexity requirements require a password to:
• Contain at least 8 characters.
• Contain an uppercase letter and a numeral.
• Not be the same as the username
• Not be the same as the previous 5 passwords used.
• Not contain Complete dictionary words in any language.
• Not be incremental (password1, Password2, etc.).
• Not have two characters repeated sequentially.
• Avoid using adjacent characters from the keyboard.
• If the system supports a space in passwords, then a ‘pass phrase’ can be
used.
• The 'single-sign-on' capability should be implemented.
• Users are required to change their passwords every 45 to 60 days.
• Security administrators and help desk analysts assist in troubleshooting and
resolving password related issues.
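The complexity rules listed above, turned into a checker as an added example (not code from the slides or from DMBOK). The small dictionary, the keyboard rows, and the choice to treat three adjacent keys as a run are constructed assumptions; a real deployment would load a multi-language wordlist.

```python
import re

# Policy parameters taken from the slide; constructed dictionary stands in for a real wordlist.
MIN_LENGTH = 8
HISTORY_DEPTH = 5
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
DICTIONARY = {"password", "welcome", "summer", "admin", "secret", "dragon"}

def _keyboard_run(pw, run=3):
    """True if pw contains `run` adjacent keyboard keys in order, e.g. 'qwe' or '321'."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            piece = row[i:i + run]
            if piece in low or piece[::-1] in low:
                return True
    return False

def _stem(pw):
    """Strip a trailing number so 'Password1' and 'password2' compare equal (incremental)."""
    return re.sub(r"\d+$", "", pw).lower()

def check_password(candidate, username, history):
    """Return the names of the rules the candidate violates; an empty list means compliant.

    `history` holds the user's previous passwords, most recent first; only the
    last HISTORY_DEPTH entries count, as the slide requires. Spaces are allowed,
    so a passphrase passes as long as it satisfies the other rules.
    """
    recent = history[:HISTORY_DEPTH]
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("length")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"\d", candidate)):
        failures.append("uppercase_and_numeral")
    if candidate.lower() == username.lower():
        failures.append("equals_username")
    if candidate in recent:
        failures.append("reused")
    if any(word in candidate.lower() for word in DICTIONARY):
        failures.append("dictionary_word")
    if any(_stem(candidate) == _stem(old) for old in recent):
        failures.append("incremental")
    if re.search(r"(.)\1", candidate):          # two identical characters in a row
        failures.append("repeated_char")
    if _keyboard_run(candidate):
        failures.append("keyboard_adjacent")
    return failures
```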
18. 7.2.6 Manage Data Access Views and Permissions
• Grant valid and appropriate access to data. Control sensitive data access by granting
permissions (opt-in): without permission, a user can do nothing.
• Control data access at an individual or group level:
• Smaller organizations may find it acceptable to manage data access at the individual level.
• Larger organizations will benefit greatly from role-based access control,
granting permissions to role groups.
• Relational database views provide another important mechanism for data security, enabling
access to a table to be restricted to certain rows based on data values.
• Access control degrades when achieved through shared or service accounts.
• Evaluate the use of such accounts carefully, and never use them frequently or by
default.
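The role-group hierarchy from 7.2.5 and the opt-in, view-based access of 7.2.6 in one runnable sketch. This is an added example, not code from the slides or DMBOK; the roles, users, and employee rows are constructed, and the model enforces "child roles restrict parent roles" by intersecting a child's declared views with its parent's.

```python
import sqlite3

# Role hierarchy: a child role may only narrow what its parent can see (constructed).
ROLE_PARENT = {"hr_staff": None, "hr_analyst": "hr_staff", "sales_staff": None}
# Privileges are named views, never base tables; v_payroll_export is declared for the
# child but not held by the parent, so the hierarchy rule must drop it.
ROLE_VIEWS = {
    "hr_staff": {"v_directory", "v_salary_all", "v_salary_eng"},
    "hr_analyst": {"v_directory", "v_salary_eng", "v_payroll_export"},
    "sales_staff": {"v_directory"},
}
USER_ROLE = {"alice": "hr_staff", "bob": "hr_analyst", "carol": "sales_staff"}

def effective_views(role):
    """Child roles restrict parent roles: intersect declared views up the chain."""
    views = set(ROLE_VIEWS[role])
    parent = ROLE_PARENT[role]
    if parent is not None:
        views &= effective_views(parent)
    return views

def build_db():
    """Constructed sample table plus views that restrict columns and rows by data value."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employees(name TEXT, dept TEXT, salary INTEGER);
        INSERT INTO employees VALUES ('Dana','Engineering',120),
                                     ('Eli','Sales',90),
                                     ('Fay','Engineering',110);
        CREATE VIEW v_directory  AS SELECT name, dept FROM employees;
        CREATE VIEW v_salary_all AS SELECT name, dept, salary FROM employees;
        CREATE VIEW v_salary_eng AS SELECT name, dept, salary FROM employees
                                    WHERE dept = 'Engineering';
    """)
    return con

def query(con, user, view):
    """Opt-in access: unknown users and ungranted views get nothing, not partial rows."""
    role = USER_ROLE.get(user)
    if role is None or view not in effective_views(role):
        raise PermissionError(f"{user} may not read {view}")
    # The identifier was checked against the role's whitelist above, so interpolating it is safe.
    return con.execute(f"SELECT * FROM {view}").fetchall()
```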
19. 7.2.7 Monitor User Authentication and Access Behavior
• Monitoring authentication and access behavior is critical because:
• It provides information about who is connecting and accessing information
assets, which is a basic requirement for compliance auditing.
• It alerts security administrators to unforeseen situations, compensating for
oversights in data security planning, design, and implementation.
• Monitoring helps detect unusual or suspicious transactions that may warrant
further investigation and issue resolution.
• Systems containing confidential information, such as salary or financial data,
commonly implement active, real-time monitoring that sends notifications to the
data stewards.
20. 7.2.7 Monitor User Authentication and Access Behavior
• Passive monitoring tracks changes over time by taking snapshots of the
current state of a system at regular intervals and comparing trends against a
benchmark or defined set of criteria.
• Automated monitoring does impose an overhead on the underlying systems.
• Enforce monitoring at several layers or data touch points. Monitoring can be:
• Application specific.
• Implemented for certain users and / or role groups.
• Implemented for certain privileges.
• Used for data integrity validation.
• Implemented for configuration and core meta-data validation.
• Implemented across heterogeneous systems for checking dependencies.
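Active and passive monitoring, as described on the two slides above, as an added example (not from the slides or DMBOK). The key=value log lines, the steward name, and the failure threshold are constructed; the active rules push confidential reads to the steward and flag login-failure bursts, while the passive check compares a periodic permission snapshot with the approved benchmark.

```python
from collections import Counter

# Constructed audit-log lines in a simple key=value format (not from any real product).
LOG_LINES = [
    "2024-03-04T09:12:03 user=alice action=LOGIN result=OK src=10.0.0.5",
    "2024-03-04T09:13:10 user=alice action=SELECT object=v_salary_all result=OK",
    "2024-03-04T22:40:01 user=bob action=LOGIN result=FAIL src=198.51.100.7",
    "2024-03-04T22:40:09 user=bob action=LOGIN result=FAIL src=198.51.100.7",
    "2024-03-04T22:40:15 user=bob action=LOGIN result=FAIL src=198.51.100.7",
    "2024-03-04T22:41:30 user=bob action=LOGIN result=OK src=198.51.100.7",
    "2024-03-04T22:42:02 user=bob action=SELECT object=v_directory result=OK",
]
# Confidential objects and the steward to notify when they are read (constructed).
CONFIDENTIAL = {"v_salary_all": "hr_data_steward"}

def parse(line):
    """Split 'ts k=v k=v ...' into a dict; the timestamp is kept under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec

def active_alerts(lines, fail_threshold=3):
    """Real-time rules: steward notification on confidential reads, login-failure bursts."""
    alerts, failures = [], Counter()
    for rec in map(parse, lines):
        if rec["action"] == "SELECT" and rec.get("object") in CONFIDENTIAL:
            alerts.append(("notify_steward", CONFIDENTIAL[rec["object"]],
                           rec["user"], rec["object"]))
        if rec["action"] == "LOGIN" and rec["result"] == "FAIL":
            failures[rec["user"]] += 1
            if failures[rec["user"]] == fail_threshold:   # alert once, at the threshold
                alerts.append(("auth_failure_burst", rec["user"], rec["src"], fail_threshold))
    return alerts

def passive_drift(benchmark, snapshot):
    """Passive rule: report users whose granted views differ from the approved benchmark."""
    drift = {}
    for user in benchmark.keys() | snapshot.keys():
        added = snapshot.get(user, set()) - benchmark.get(user, set())
        removed = benchmark.get(user, set()) - snapshot.get(user, set())
        if added or removed:
            drift[user] = {"added": added, "removed": removed}
    return drift
```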
21. 7.2.8 Classify Information Confidentiality
• A simple confidentiality classification schema is used to classify an enterprise's
data and information products.
• The schema has five confidentiality levels:
• For General Audiences: available to everyone
• Internal use only: information limited to employees or members.
• Confidential: information should not be shared outside the organization.
• Restricted Confidential: information limited to individuals performing certain roles with the
"need to know".
• Registered Confidential: information that anyone accessing must sign a legal agreement to
access.
• Classify documents and reports based on the highest level of confidentiality of
any information found within the document, and label them accordingly.
• Each document must be correctly classified and labeled with the appropriate
confidentiality level.
• Also, classify databases, relational tables, columns, and views. Information
confidentiality classification is an important meta-data characteristic, guiding
how users are granted access privileges.
• Data Stewards are responsible for evaluating and determining the appropriate
confidentiality level for data.
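The "highest level wins" labeling rule and its use as access-guiding metadata, as an added example (not from the slides or DMBOK). The column classifications are constructed metadata of the kind a Data Steward would record; the levels themselves are the five from the slide.

```python
# The five levels from the slide, ordered from least to most restrictive.
LEVELS = ["For General Audiences", "Internal Use Only", "Confidential",
          "Restricted Confidential", "Registered Confidential"]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Constructed column-level classifications recorded by the Data Steward as metadata.
COLUMN_CLASS = {
    "employees.name": "Internal Use Only",
    "employees.dept": "Internal Use Only",
    "employees.salary": "Restricted Confidential",
    "employees.national_id": "Registered Confidential",
}

def classify(levels):
    """An object carries the highest level of any information it contains."""
    if not levels:
        return LEVELS[0]          # nothing classified inside means open to all
    return max(levels, key=RANK.__getitem__)

def classify_view(columns):
    """Derive a view's classification from the columns it exposes."""
    return classify([COLUMN_CLASS[c] for c in columns])

def label(title, section_levels):
    """Marking for a document or report, e.g. 'Q1 Headcount [Confidential]'."""
    return f"{title} [{classify(section_levels)}]"

def may_access(user_clearance, object_level, signed_agreement=False):
    """Clearance must meet the label; Registered Confidential also needs a signed agreement."""
    if RANK[user_clearance] < RANK[object_level]:
        return False
    if object_level == "Registered Confidential" and not signed_agreement:
        return False
    return True
```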
22. 7.2.9 Audit Data Security
• Auditing data security is a recurring control activity with responsibility to
analyze, validate, counsel, and recommend policies, standards, and
activities related to data security management.
• Data security auditors
• should not have direct responsibility for the activities being audited, and
• provide management and the Data Governance Council with objective, unbiased
assessments and rational, practical recommendations.
• Data security policy statements, standards documents, implementation
guides, change requests, access monitoring logs, report outputs, and other
records form the basis of auditing.
23. 7.2.9 Audit Data Security
• Auditing data security includes:
• Analyzing data security policy and standards against best practices and needs.
• Analyzing implementation procedures and actual practices to ensure consistency with data
security goals, policies, standards, guidelines, and desired outcomes.
• Assessing whether existing standards and procedures are adequate and in alignment with
business and technology requirements.
• Verifying the organization is in compliance with regulatory requirements.
• Reviewing the reliability and accuracy of data security audit data.
• Evaluating escalation procedures and notification mechanisms in the event of a data security
breach.
• Reviewing contracts, data sharing agreements, and data security obligations of outsourced and
external vendors, ensuring they meet their obligations, and ensuring the organization meets its
obligations for externally sourced data.
• Reporting to senior management, data stewards, and other stakeholders on the ‘State of Data
Security’ within the organization and the maturity of its practices.
• Recommending data security design, operational, and compliance improvements.
• Auditing data security is no substitute for effective management of data security.
• Auditing is a supportive, repeatable process, which should occur regularly,
efficiently, and consistently.
24. 7.3 Data Security in an Outsourced World
• Outsourcing is an option for an organization and may well happen; only
"liability" cannot be outsourced.
• Outsourcing IT operations introduces additional data security
challenges and responsibilities, as more people share
accountability for data access.
• This leads to explicitly defined "contractual obligations".
• Contracts must specify the responsibilities and expectations of
each role.
• Risks are escalated to include the outsourcing vendor (external risk as well as
internal risk).
25. 7.3 Data Security in an Outsourced World
(continued)
• Transferring control, but not accountability, requires tighter risk
management and control mechanisms, such as:
• Service level agreements.
• Limited liability provisions in the outsourcing contract.
• Right-to-audit clauses in the contract.
• Clearly defined consequences for breaching contractual obligations.
• Frequent data security reports from the service vendor.
• Independent monitoring of vendor system activity.
• More frequent and thorough data security auditing.
• Constant communication with the service vendor.
• In an outsourced environment, 'chain of custody' analysis should be maintained
for the "CRUD" (create, read, update, delete) processes.
• RACI ("Responsible, Accountable, Consulted, and Informed") matrices help
clarify the roles, duties, and responsibilities for data security requirements,
and can be part of contractual agreements.
• Outsourcing IT operations requires appropriate compliance
mechanisms.