Data Security Management
Ahmed Alorage
Objectives:
• 7.1 Introduction
• 7.2 Concepts and Activities
• 7.2.1 Understand Data Security Needs and Regulatory Requirements
• 7.2.1.1 Business Requirements
• 7.2.1.2 Regulatory Requirements
• 7.2.2 Define Data Security Policy
• 7.2.3 Define Data Security Standards
• 7.2.4 Define Data Security Controls and Procedures
• 7.2.5 Manage Users, Passwords, and Group Membership
• 7.2.5.1 Password Standards and Procedures
• 7.2.6 Manage Data Access Views and Permissions
• 7.2.7 Monitor User Authentication and Access Behavior
• 7.2.8 Classify Information Confidentiality
• 7.2.9 Audit Data Security
• 7.3 Data Security in Outsourced World
7 Data Security Management
• Data Security is the fifth Data Management Function in the Data Management framework in Chapter 1.
• It is the fourth data management function that interacts with, and is influenced by, the Data Governance function.
• This chapter defines the Data Security Management function and explains the concepts and activities involved in Data Security Management.
7.1 Introduction:
• Data Security Management is the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.
• Effective data security policies and procedures ensure that the right people can use and update data in the right way, and that all inappropriate access and updates are restricted.
• Understanding and complying with the privacy and confidentiality interests and needs of all stakeholders is in the best interest of any organization.
• It establishes judicious governance mechanisms that are easy enough for all stakeholders to abide by on a daily operational basis.
7.2 Concepts and Activities
• The goal is to protect information assets in alignment with privacy and confidentiality regulations and business requirements.
• The sources of data security management requirements are:
• Stakeholder concerns: including clients, patients, students, etc.
• Government regulations: protect stakeholder interests. Some restrict access to information, while others ensure openness, transparency, and accountability.
• Proprietary business concerns: ensuring the competitive advantage provided by intellectual property and intimate knowledge of customer needs.
• Legitimate access needs: data security implementers must understand the legitimate needs for data access.
7.2 Concepts and Activities
• Data Security requirements and procedures to meet these
requirements can be categorized into four basic groups:
• Authentication: Validate users are who they say they are.
• Authorization: Identify the right individuals and grant
them the right privileges to specific, appropriate views of
data.
• Access: Enable these individuals and their privileges in a
timely manner.
• Audit: Review Security actions and user activity to ensure
compliance with regulations and conformance with policy
and standards.
7.2.1 Understand Data Security Needs and Regulatory Requirements
• It is important to distinguish between business rules and procedures and the rules imposed by application software products.
• Application systems serve as vehicles to enforce business rules and procedures.
• It is common for these systems to have their own unique set of data security requirements over and above those required for business processes.
• These unique requirements are becoming more common with packaged and off-the-shelf systems.
• Therefore, this activity divides into two sub-activities:
• 7.2.1.1 Business Requirements
• 7.2.1.2 Regulatory Requirements
7.2.1.1 Business Requirements
• Begin with a thorough understanding of business requirements.
• The business mission and strategy, as it percolates through the data strategy, must be the guiding factor in planning data security policy.
• Address short-term and long-term goals to achieve a balanced and effective data security function.
• The degree of data security defined through the business needs of an enterprise depends on the size of the enterprise and its choice to have extended data security.
• Security touch points: every business rule and process has its own security requirements. Therefore, tools such as "data-to-process" and "data-to-role" relationship matrices are useful for mapping these needs.
• Identify detailed application security requirements in the analysis phase of every systems development project.
7.2.1.2 Regulatory Requirements
• Organizations are required to comply with a growing set of regulations.
• The ethical and legal issues facing organizations in the information age are leading governments to establish new laws and standards.
• Requirements of several newer regulations, such as:
• the United States Sarbanes-Oxley Act of 2002 and Canadian Bill 198, and
• the CLERP Act of Australia,
• have all imposed strict security controls on information management.
• The European Union's Basel II Accord imposes information controls for all financial institutions doing business in related countries.
• In Saudi Arabia, the NDMO (related to SDAIA) imposes information controls for all government and non-government sectors that handle information.
7.2.2 Define Data Security Policy
• The Data Security Policy is a collaborative effort of IT security administrators, data stewards, internal and external audit teams, and the legal department. It is reviewed and approved by the Data Governance Council.
• IT security policy and data security policy are often part of a combined security policy; however, they should be separated.
• Data security policies are more granular in nature and take a very data-centric approach.
• Defining directory structures and an identity management framework can be a component of the IT security policy,
• whereas defining individual application and database roles, user groups, and password standards can be part of the data security policy.
7.2.3 Define Data Security Standards
• Organizations should design their own security controls, demonstrate that they meet the requirements of laws and regulations, and document them.
• IT strategy and standards can also influence:
• Tools used to manage data security.
• Data encryption standards and mechanisms.
• Access guidelines for external vendors and contractors.
• Data transmission protocols over the internet.
• Documentation requirements.
• Remote access standards.
• Security breach incident reporting procedures.
7.2.3 Define Data Security Standards
• Physical security standards, as part of enterprise IT policies, cover:
• Access to data using mobile devices.
• Storage of data on portable devices such as laptops, DVDs, or USB drives.
• Disposal of these devices in compliance with records management policies.
• The focus should be on quality and consistency, not on creating a huge body of guidelines.
• Standards should be in a format that is easily accessible by suppliers, consumers, and stakeholders.
• Standards should satisfy the four A's: authentication, authorization, access, and audit.
7.2.4 Define Data Security Controls and Procedures
• Implementation and administration of the data security policy is primarily the responsibility of security administrators. Database security is often one responsibility of DBAs.
• Implement proper controls to meet the objectives of pertinent laws.
• Implement a process to validate assigned permissions against the change management system used for tracking all user permission requests.
• The control may also require a workflow approval process or a signed paper form to record and document each request.
7.2.5 Manage Users, Passwords, and Group Membership
• Access and update privileges can be granted to individual user accounts; however, this may result in redundant effort.
• Role groups enable security administrators to define privileges by role and to grant these privileges to users by enrolling them in the role group.
• Try to assign each user to only one role group.
• Construct group definitions at the workgroup level and organize roles in a hierarchy, where child roles restrict the privileges of parent roles (roles management, Figure 7.2).
• Security administrators create, modify, and delete user accounts and groups.
• Changes made to the group taxonomy and membership should require some level of approval and tracking using a change management system.
• Data consistency in user and group management is a challenge in a heterogeneous environment.
• To avoid data integrity issues, manage user identity data and role-group membership data centrally.
7.2.5.1 Password Standards and Procedures
• Passwords are the first line of defense in protecting access to data.
• Typical password complexity requirements require a password to:
• Contain at least 8 characters.
• Contain an uppercase letter and a numeral.
• Not be the same as the username.
• Not be the same as the previous 5 passwords used.
• Not contain complete dictionary words in any language.
• Not be incremental (password1, Password2, etc.).
• Not have two characters repeated sequentially.
• Avoid using adjacent characters from the keyboard.
• If the system supports a space in passwords, then a "pass phrase" can be used.
• The capability of single sign-on should be implemented.
• Users are required to change their passwords every 45 to 60 days.
• Security administrators and help desk analysts assist in troubleshooting and resolving password-related issues.
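The following is an added example (not from the slides or the DMBOK) that turns the complexity rules above into a checker. It assumes a US keyboard layout, a constructed dictionary subset, a run of three neighbouring keys as the "adjacent characters" threshold, and a hashed password history, so the "previous 5" and "incremental" rules are tested by hashing the candidate and its likely predecessors rather than by storing cleartext.

```python
import hashlib
import os
import re

# Constructed word list for the 'no complete dictionary words' rule; a real
# deployment loads a full multi-language list (this subset is an assumption).
DICTIONARY = {"password", "welcome", "summer", "dragon", "secret", "admin"}

# Rows of a US keyboard for the 'adjacent characters' rule (layout is an assumption);
# a run of ADJACENT_RUN neighbouring keys, in either direction, is rejected.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
ADJACENT_RUN = 3

HISTORY_DEPTH = 5        # 'not the same as the previous 5 passwords used'
PBKDF2_ROUNDS = 100_000  # work factor for the stored history entries


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the history holds no cleartext passwords."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if password equals any of the last HISTORY_DEPTH (salt, digest) entries."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def incremental_predecessors(password):
    """Strings the candidate would be an increment of: 'Zq4vLm8p2' -> 'Zq4vLm8p1'
    (plus case variants) and 'Zq4vLm8p1' -> also 'Zq4vLm8p'. Hashing these against
    the history detects password1 -> Password2 without keeping cleartext."""
    match = re.fullmatch(r"(.*?)(\d+)", password)
    if not match:
        return set()
    base, number = match.group(1), int(match.group(2))
    variants = {base, base.lower(), base.upper(), base.capitalize()}
    predecessors = {f"{b}{number - 1}" for b in variants} if number > 0 else set()
    if number == 1:
        predecessors |= variants
    return predecessors - {password}


def has_adjacent_keys(password):
    """Detect ADJACENT_RUN consecutive characters that sit side by side on one row."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - ADJACENT_RUN + 1):
            run = row[i:i + ADJACENT_RUN]
            if run in lowered or run[::-1] in lowered:
                return True
    return False


def check_password(password, username, history):
    """Return the list of violated rules; an empty list means the password passes."""
    violations = []
    if len(password) < 8:
        violations.append("too short")
    if not (any(c.isupper() for c in password) and any(c.isdigit() for c in password)):
        violations.append("needs uppercase and numeral")
    if password.lower() == username.lower():
        violations.append("same as username")
    if in_history(password, history):
        violations.append("reused previous password")
    if any(word in password.lower() for word in DICTIONARY):
        violations.append("contains dictionary word")
    if any(in_history(p, history) for p in incremental_predecessors(password)):
        violations.append("incremental from previous password")
    if any(a == b for a, b in zip(password, password[1:])):
        violations.append("repeated sequential characters")
    if has_adjacent_keys(password):
        violations.append("adjacent keyboard characters")
    return violations


if __name__ == "__main__":
    # Constructed history: the user's current password, stored hashed.
    history = [hash_password("Zq4vLm8p")]
    for candidate in ("Zq4vLm8p1", "Zq4vLm8p2", "qwerty12", "Summer2024!!"):
        print(candidate, "->", check_password(candidate, "alice", history) or "accepted")
```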
7.2.6 Manage Data Access Views and Permissions
• Provide valid and appropriate access to data. Control sensitive data access by granting permissions (opt-in): without permission, a user can do nothing.
• Control data access at an individual or group level:
• Smaller organizations may find it acceptable to manage data access at the individual level.
• Larger organizations will benefit greatly from role-based access control, granting permissions to role groups.
• Relational database views provide another important mechanism for data security, restricting access to certain rows of a table based on data values.
• Access control degrades when achieved through shared or service accounts.
• Evaluate the use of such accounts carefully, and never use them frequently or by default.
7.2.7 Monitor User Authentication and Access Behavior
• Monitoring authentication and access behavior is critical because:
• It provides information about who is connecting and accessing information assets, which is a basic requirement for compliance auditing.
• It alerts security administrators to unforeseen situations, compensating for oversights in data security planning, design, and implementation.
• Monitoring helps detect unusual or suspicious transactions that may warrant further investigation and issue resolution.
• Systems containing confidential information such as salary or financial data commonly implement active, real-time monitoring that sends notifications to the data stewards.
7.2.7 Monitor User Authentication and Access Behavior
• Passive monitoring tracks changes over time by taking snapshots of the
current state of a system at regular intervals and comparing trends against a
benchmark or defined set of criteria.
• Automated monitoring does impose an overhead on the underlying systems.
• Enforce monitoring at several layers or data touch points. Monitoring can be:
• Application specific.
• Implemented for certain users and / or role groups.
• Implemented for certain privileges.
• Used for data integrity validation.
• Implemented for configuration and core meta-data validation.
• Implemented across heterogeneous systems for checking dependencies.
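An added example, not from the slides or the DMBOK, that implements three of the controls described in 7.2.4, 7.2.6 and 7.2.7 together: reconciling the effective grants against the change-management record, comparing two passive-monitoring snapshots for drift, and flagging grants to shared/service accounts. The change-request extract, the two grant dumps, the sensitive-object list and the `svc_` naming prefix are all constructed assumptions.

```python
import csv
import io

# Constructed extract from the change-management system: one row per request.
CHANGE_REQUESTS_CSV = """request_id,status,principal,object,privilege
CR-101,approved,role_hr_analyst,hr.salary,SELECT
CR-102,approved,role_finance,fin.ledger,SELECT
CR-103,approved,role_finance,fin.ledger,UPDATE
CR-104,rejected,svc_reporting,hr.salary,SELECT
CR-105,approved,role_hr_admin,hr.salary,UPDATE
"""

# Constructed snapshots of effective grants ('principal object privilege' per line)
# taken by two successive passive-monitoring runs.
SNAPSHOT_MONDAY = """role_hr_analyst hr.salary SELECT
role_finance fin.ledger SELECT
role_finance fin.ledger UPDATE
role_hr_admin hr.salary UPDATE
"""
SNAPSHOT_TUESDAY = """role_hr_analyst hr.salary SELECT
role_finance fin.ledger SELECT
role_finance fin.ledger UPDATE
svc_reporting hr.salary SELECT
"""

# Objects holding confidential data that get real-time steward notification, and the
# naming prefix this example assumes for shared/service accounts (both constructed).
SENSITIVE_OBJECTS = {"hr.salary"}
SERVICE_ACCOUNT_PREFIX = "svc_"


def parse_snapshot(text):
    """Turn the grant dump into a set of (principal, object, privilege) tuples."""
    grants = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            grants.add(tuple(fields))
    return grants


def approved_grants(requests_csv):
    """Grants backed by an approved change request; rejected requests do not count."""
    rows = csv.DictReader(io.StringIO(requests_csv))
    return {(r["principal"], r["object"], r["privilege"])
            for r in rows if r["status"] == "approved"}


def reconcile(actual, approved):
    """7.2.4: validate assigned permissions against the change-management record."""
    return {"unapproved": sorted(actual - approved),
            "missing": sorted(approved - actual)}


def snapshot_drift(previous, current):
    """7.2.7 passive monitoring: what changed between two snapshots."""
    return {"added": sorted(current - previous),
            "revoked": sorted(previous - current)}


def findings(previous_text, current_text, requests_csv):
    """Combine the checks into (finding, grant) pairs. Changes that touch a
    sensitive object are marked for immediate notification of the data steward."""
    previous, current = parse_snapshot(previous_text), parse_snapshot(current_text)
    out = []
    for kind, grants in reconcile(current, approved_grants(requests_csv)).items():
        out.extend((kind.upper(), g) for g in grants)
    for kind, grants in snapshot_drift(previous, current).items():
        for g in grants:
            urgency = "NOTIFY_STEWARD" if g[1] in SENSITIVE_OBJECTS else "INFO"
            out.append((f"{kind.upper()}_{urgency}", g))
    for g in sorted(current):  # 7.2.6: shared/service accounts weaken access control
        if g[0].startswith(SERVICE_ACCOUNT_PREFIX):
            out.append(("SERVICE_ACCOUNT_GRANT", g))
    return out


if __name__ == "__main__":
    for finding, grant in findings(SNAPSHOT_MONDAY, SNAPSHOT_TUESDAY, CHANGE_REQUESTS_CSV):
        print(f"{finding:24} {' '.join(grant)}")
```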
7.2.8 Classify Information Confidentiality
• A simple confidentiality classification schema is used to classify an enterprise's data and information products.
• The schema has five confidentiality levels:
• For general audiences: available to everyone.
• Internal use only: information limited to employees or members.
• Confidential: information that should not be shared outside the organization.
• Restricted confidential: information limited to individuals performing certain roles with the "need to know".
• Registered confidential: information that anyone accessing must sign a legal agreement to access.
• Classify documents and reports, through labeling, based on the highest level of confidentiality of any information found within the document.
• Correctly classify and label the appropriate confidentiality level for each document.
• Also classify databases, relational tables, columns, and views. Information confidentiality classification is an important meta-data characteristic, guiding how users are granted access privileges.
• Data stewards are responsible for evaluating and determining the appropriate confidentiality level for data.
7.2.9 Audit Data Security
• Auditing data security is a recurring control activity with responsibility to analyze, validate, counsel, and recommend policies, standards, and activities related to data security management.
• Data security auditors:
• should not have direct responsibility for the activities being audited;
• provide management and the Data Governance Council with objective, unbiased assessments and rational, practical recommendations.
• Data security policy statements, standards documents, implementation guides, change requests, access monitoring logs, report outputs, and other records form the basis of auditing.
7.2.9 Audit Data Security
• Auditing data security includes:
• Analyzing data security policy and standards against best practices and needs.
• Analyzing implementation procedures and actual practices to ensure consistency with data security goals, policies, standards, guidelines, and desired outcomes.
• Assessing whether existing standards and procedures are adequate and in alignment with business and technology requirements.
• Verifying that the organization is in compliance with regulatory requirements.
• Reviewing the reliability and accuracy of data security audit data.
• Evaluating escalation procedures and notification mechanisms in the event of a data security breach.
• Reviewing contracts, data sharing agreements, and data security obligations of outsourced and external vendors, ensuring they meet their obligations, and ensuring the organization meets its obligations for externally sourced data.
• Reporting to senior management, data stewards, and other stakeholders on the "State of Data Security" within the organization and the maturity of its practices.
• Recommending data security design, operational, and compliance improvements.
• Auditing data security is no substitute for effective management of data security.
• Auditing is a supportive, repeatable process, which should occur regularly, efficiently, and consistently.
7.3 Data Security in an Outsourced World
• Outsourcing operations is an option an organization may take; outsourcing liability is not.
• Outsourcing IT operations introduces additional data security challenges and responsibilities, as more people share accountability for data access.
• These responsibilities must be explicitly defined as contractual obligations.
• Contracts must specify the responsibilities and expectations of each role.
• Risks escalate to include the outsource vendor, covering both external risk and internal risk.
7.3 Data Security in an Outsourced World, continued
• Transferring control, but not accountability, requires tighter risk management and control mechanisms, such as:
• Service level agreements.
• Limited liability provisions in the outsourcing contract.
• Right-to-audit clauses in the contract.
• Clearly defined consequences for breaching contractual obligations.
• Frequent data security reports from the service vendor.
• Independent monitoring of vendor system activity.
• More frequent and thorough data security auditing.
• Constant communication with the service vendor.
• In an outsourced environment, "chain of custody" analysis should be maintained for the CRUD (create, read, update, delete) processes.
• RACI (Responsible, Accountable, Consulted, and Informed) matrices help clarify the roles, duties, and responsibilities for data security requirements, and can be a part of contractual agreements.
• Outsourcing IT operations requires appropriate compliance mechanisms.

Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Study on Air-Water & Water-Water Heat Exchange in a Finned ďťżTube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned ďťżTube ExchangerStudy on Air-Water & Water-Water Heat Exchange in a Finned ďťżTube Exchanger
Study on Air-Water & Water-Water Heat Exchange in a Finned ďťżTube Exchanger
 
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
Gfe Mayur Vihar Call Girls Service WhatsApp -> 9999965857 Available 24x7 ^ De...
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
main PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfidmain PPT.pptx of girls hostel security using rfid
main PPT.pptx of girls hostel security using rfid
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
Current Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCLCurrent Transformer Drawing and GTP for MSETCL
Current Transformer Drawing and GTP for MSETCL
 
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
Sheet Pile Wall Design and Construction: A Practical Guide for Civil Engineer...
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IVHARMONY IN THE NATURE AND EXISTENCE - Unit-IV
HARMONY IN THE NATURE AND EXISTENCE - Unit-IV
 
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Meera Call 7001035870 Meet With Nagpur Escorts
 

chapter7-220725121544-6a1c05a5.pdf

  • 2. Objectives: • 7.1 Introduction • 7.2 Concepts and Activities • 7.2.1 Understand Data Security Needs and Regulatory Requirements • 7.2.1.1 Business Requirements • 7.2.1.2 Regulatory Requirements • 7.2.2 Define Data Security Policy • 7.2.3 Define Data Security Standards • 7.2.4 Define Data Security Controls and Procedures • 7.2.5 Manage Users, Passwords, and Group Membership • 7.2.5.1 Password Standards and Procedures • 7.2.6 Manage Data Access Views and Permissions • 7.2.7 Monitor User Authentication and Access Behavior • 7.2.8 Classify Information Confidentially • 7.2.9 Audit Data Security • 7.3 Data Security in Outsourced World
  • 3. 7 Data Security Management • Data Security is the fifth Data Management Function in the Data Management framework in Chapter 1. • Fourth data management function that interacts with and influenced by Data Governance function. • In this Chapter, we will defined the Data Security Management Function and Explains the Concepts and Activities involved in Data Security Management.
  • 4. 7.1 Introduction: • Data Security Management is the Planning, Development, and Execution of Security Policies and Procedures to Provide Proper Authentication, Authorization, Access, and Auditing of Data and Information assists. • Effective Data Security Policies and Procedures ensure that the right people can use and update data in the right way and all inappropriate access and update is restricted. • Understanding and complying with privacy and confidentiality interests and needs of all stakeholders is in the best interest of any organization. • Establishes judicious governance mechanisms that are easy enough to abide by a daily operational basis by all stakeholders.
  • 5.
7.2 Concepts and Activities
• The goal is to protect information assets in alignment with privacy and confidentiality regulations and business requirements.
• The sources of data security management requirements are:
  • Stakeholder concerns: including clients, patients, students, etc.
  • Government regulations: these protect stakeholder interests. Some restrict access to information, while others ensure openness, transparency, and accountability.
  • Proprietary business concerns: ensuring the competitive advantage provided by intellectual property and intimate knowledge of customer needs.
  • Legitimate access needs: data security implementers must understand the legitimate needs for data access.

7.2 Concepts and Activities (continued)
• Data security requirements, and the procedures to meet them, can be categorized into four basic groups:
  • Authentication: validate that users are who they say they are.
  • Authorization: identify the right individuals and grant them the right privileges to specific, appropriate views of data.
  • Access: enable these individuals and their privileges in a timely manner.
  • Audit: review security actions and user activity to ensure compliance with regulations and conformance with policy and standards.

7.2.1 Understand Data Security Needs and Regulatory Requirements
• It is important to distinguish between business rules and procedures and the rules imposed by application software products.
• Application systems serve as vehicles to enforce business rules and procedures.
• It is common for these systems to have their own unique set of data security requirements over and above those required for business processes.
• These unique requirements are becoming more common with packaged and off-the-shelf systems.
• Therefore, this activity divides into two sub-activities:
  • 7.2.1.1 Business Requirements
  • 7.2.1.2 Regulatory Requirements

7.2.1.1 Business Requirements
• Begin with a thorough understanding of business requirements.
• The business mission and strategy, percolating through the data strategy, must be the guiding factor in planning data security policy.
• Address short-term and long-term goals to achieve a balanced and effective data security function.
• The degree of data security defined through the business needs of an enterprise depends on the size of the enterprise and its choice to have extended data security.
• Security touch points: every business rule and process has its own security requirements. Therefore, tools such as "data-to-process" and "data-to-role" relationship matrices are useful for mapping these needs.
• Identify detailed application security requirements in the analysis phase of every systems development project.

7.2.1.2 Regulatory Requirements
• Organizations are required to comply with a growing set of regulations.
• The ethical and legal issues facing organizations in the information age are leading governments to establish new laws and standards.
• Several newer regulations have imposed strict security controls on information management, for example:
  • The United States Sarbanes-Oxley Act of 2002 and Canadian Bill 198.
  • The CLERP Act of Australia.
• The European Union's Basel II Accord imposes information controls for all financial institutions doing business in related countries.
• In Saudi Arabia, the NDMO (related to SDAIA) imposes information controls for all government and non-government sectors handling information.

7.2.2 Define Data Security Policy
• Data security policy is a collaborative effort of IT security administrators, data stewards, internal and external audit teams, and the legal department. It is reviewed and approved by the Data Governance Council.
• IT security policy and data security policy are both part of a combined security policy; however, they should be separated out.
• Data security policies are more granular in nature and take a very data-centric approach.
• Defining directory structures and an identity management framework can be an IT security policy component,
• whereas defining individual application and database roles, user groups, and password standards can be part of the data security policy.

7.2.3 Define Data Security Standards
• Organizations should design their own security controls, demonstrate that they meet the requirements of laws and regulations, and document them.
• IT strategy and standards can also influence:
  • Tools used to manage data security.
  • Data encryption standards and mechanisms.
  • Access guidelines for external vendors and contractors.
  • Data transmission protocols over the internet.
  • Documentation requirements.
  • Remote access standards.
  • Security breach incident reporting procedures.

7.2.3 Define Data Security Standards (continued)
• Physical security standards, as part of enterprise IT policies, cover:
  • Access to data using mobile devices.
  • Storage of data on portable devices such as laptops, DVDs, or USB drives.
  • Disposal of these devices in compliance with records management policies.
• The focus should be on quality and consistency, not on creating a huge body of guidelines.
• Standards should be in a format that is easily accessible by suppliers, consumers, and stakeholders.
• Standards should satisfy the four A's: authentication, authorization, access, and audit.

7.2.4 Define Data Security Controls and Procedures
• Implementation and administration of data security policy is primarily the responsibility of security administrators. Database security is often one responsibility of the DBAs.
• Implement proper controls to meet the objectives of pertinent laws.
• Implement a process to validate assigned permissions against the change management system used for tracking all user permission requests.
• The control may also require a workflow approval process or a signed paper form to record and document each request.

7.2.5 Manage Users, Passwords, and Group Membership
• Access and update privileges can be granted to individual user accounts; however, this may result in redundant effort.
• Role groups enable security administrators to define privileges by role, and to grant these privileges to users by enrolling them in the role group.
• Try to assign each user to only one role group.
• Construct group definitions at the workgroup level and organize roles in a hierarchy, where child roles restrict the privileges of parent roles (roles management, Figure 7.2).
• Security administrators create, modify, and delete user accounts and groups.
• Changes made to the group taxonomy and membership should require some level of approval, and tracking using a change management system.
• Data consistency in user and group management is a challenge in a heterogeneous environment.
• To avoid data integrity issues, manage user identity data and role-group membership data centrally.
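The role-group rules on this slide (one role group per user, child roles that only narrow their parent's privileges, membership changes that are approved and tracked, one central store) can be modelled directly. The following is an added example written for this page, not code from the DMBOK chapter or the slide deck; the HR role names, privilege strings, approver and ticket numbers are constructed for illustration.

```python
"""Role-group hierarchy with child roles restricted to a subset of the parent,
one role group per user, and an approved, ticketed change log.
Added illustration; all role, user and ticket names are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


class PolicyViolation(Exception):
    """Raised when a change would break a role-management rule."""


@dataclass(frozen=True)
class RoleGroup:
    name: str
    privileges: frozenset
    parent: RoleGroup | None = None

    def __post_init__(self) -> None:
        # A child role may only narrow its parent's privileges (the Figure 7.2 rule).
        if self.parent is not None and not self.privileges <= self.parent.privileges:
            extra = sorted(self.privileges - self.parent.privileges)
            raise PolicyViolation(f"{self.name} widens parent {self.parent.name}: {extra}")


@dataclass
class RoleRegistry:
    """Central store for role definitions and memberships, so that user identity
    and role-group data do not drift between systems."""
    roles: dict = field(default_factory=dict)        # role name -> RoleGroup
    membership: dict = field(default_factory=dict)   # user -> single role name
    change_log: list = field(default_factory=list)   # (ticket, user, role, approver)

    def define(self, name, privileges, parent=None):
        parent_role = self.roles[parent] if parent is not None else None
        role = RoleGroup(name, frozenset(privileges), parent_role)  # raises if it widens the parent
        self.roles[name] = role
        return role

    def enrol(self, user, role, approved_by, ticket):
        """Enrol a user in exactly one role group; every change needs an approver and a ticket."""
        if role not in self.roles:
            raise PolicyViolation(f"unknown role group {role}")
        if not approved_by or not ticket:
            raise PolicyViolation("membership change needs an approver and a change ticket")
        self.membership[user] = role  # replaces any earlier role: one role group per user
        self.change_log.append((ticket, user, role, approved_by))

    def can(self, user, privilege):
        role = self.membership.get(user)
        return role is not None and privilege in self.roles[role].privileges


def build_demo():
    """Constructed HR role taxonomy: each level narrows the one above it."""
    reg = RoleRegistry()
    reg.define("hr_all", {"employee.read", "payroll.read", "payroll.write"})
    reg.define("hr_analyst", {"employee.read", "payroll.read"}, parent="hr_all")
    reg.define("hr_clerk", {"employee.read"}, parent="hr_analyst")
    reg.enrol("alice", "hr_analyst", approved_by="data.steward", ticket="CHG-0001")
    reg.enrol("bob", "hr_clerk", approved_by="data.steward", ticket="CHG-0002")
    return reg


def child_may_widen(reg):
    """Attempt to define a child role that grants more than its parent; False means it was refused."""
    try:
        reg.define("rogue_clerk", {"employee.read", "payroll.write"}, parent="hr_clerk")
    except PolicyViolation:
        return False
    return True


if __name__ == "__main__":
    reg = build_demo()
    for user, priv in [("alice", "payroll.read"), ("alice", "payroll.write"), ("bob", "payroll.read")]:
        print(f"{user} {priv}: {'allowed' if reg.can(user, priv) else 'denied'}")
    print("child role may widen parent:", child_may_widen(reg))
```

Because the subset check runs in the role constructor, a widening child role never reaches the registry, and the change log gives the auditor (7.2.9) the ticket and approver behind every membership.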
7.2.5.1 Password Standards and Procedures
• Passwords are the first line of defense in protecting access to data.
• Typical password complexity requirements require a password to:
  • Contain at least 8 characters.
  • Contain an uppercase letter and a numeral.
  • Not be the same as the username.
  • Not be the same as any of the previous 5 passwords used.
  • Not contain complete dictionary words in any language.
  • Not be incremental (password1, Password2, etc.).
  • Not have two characters repeated sequentially.
  • Avoid using adjacent characters from the keyboard.
• If the system supports spaces in passwords, then a "pass phrase" can be used.
• Single sign-on capability should be implemented.
• Users are required to change their passwords every 45 to 60 days.
• Security administrators and help desk analysts assist in troubleshooting and resolving password-related issues.
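Each complexity rule on the slide can be expressed as one check so that a user is told every rule a candidate password breaks, not just the first. This is an added example written for this page, not the deck's or DMBOK's own code; the word list is a tiny constructed stand-in for a real multi-language dictionary, and the keyboard rows assume a US layout.

```python
"""Password complexity checker covering the slide's typical rules.
Added example; DICTIONARY and KEYBOARD_ROWS are constructed stand-ins."""
import re

MIN_LENGTH = 8
HISTORY_DEPTH = 5
# Constructed stand-in for a real multi-language dictionary.
DICTIONARY = {"password", "welcome", "summer", "secret", "admin", "hello"}
# Assumed US keyboard rows; runs of ADJACENT_RUN neighbouring keys in either
# direction (e.g. "qwe", "321") count as adjacent characters.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
ADJACENT_RUN = 3


def _adjacent_sequences():
    seqs = set()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - ADJACENT_RUN + 1):
            frag = row[i:i + ADJACENT_RUN]
            seqs.update({frag, frag[::-1]})
    return seqs


ADJACENT = _adjacent_sequences()


def _stem(password):
    """Lower-case form with trailing digits removed: 'Password2' -> 'password'."""
    return re.sub(r"\d+$", "", password).lower()


def check_password(candidate, username, previous):
    """Return the list of violated rules; an empty list means the password is acceptable.
    `previous` is the user's password history, oldest first."""
    lowered = candidate.lower()
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("fewer than 8 characters")
    if not re.search(r"[A-Z]", candidate) or not re.search(r"\d", candidate):
        problems.append("needs an uppercase letter and a numeral")
    if lowered == username.lower():
        problems.append("same as username")
    if candidate in previous[-HISTORY_DEPTH:]:
        problems.append("reuses one of the previous 5 passwords")
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    stem = _stem(candidate)
    # Incremental: same stem as an earlier password, only the trailing digits changed.
    if stem and any(p != candidate and _stem(p) == stem for p in previous):
        problems.append("incremental variant of a previous password")
    if re.search(r"(.)\1", candidate):
        problems.append("repeats a character sequentially")
    if any(seq in lowered for seq in ADJACENT):
        problems.append("contains adjacent keyboard characters")
    return problems


if __name__ == "__main__":
    for pw, user, hist in [("Summer2024", "alice", ["Summer2023"]), ("Qwerty123", "bob", []),
                           ("Tr0ub4dor&3", "alice", [])]:
        print(pw, "->", check_password(pw, user, hist) or "acceptable")
```

The history is compared by exact value here for brevity; a real deployment stores only password hashes, so the reuse and incremental checks would be run at change time against the candidate, when the plaintext is available.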
7.2.6 Manage Data Access Views and Permissions
• Provide valid and appropriate access to data. Control sensitive data access by granting permissions (opt-in): without a permission, a user can do nothing.
• Control data access at an individual or group level:
  • Smaller organizations may find it acceptable to manage data access at the individual level.
  • Larger organizations will benefit greatly from role-based access control, granting permissions to role groups.
• Relational database views provide another important mechanism for data security, enabling access to a table to be restricted to certain rows based on data values.
• Access control degrades when achieved through shared or service accounts.
• Evaluate the use of such accounts carefully, and never use them frequently or by default.
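The two mechanisms on this slide, opt-in grants and row-restricting views, can be seen together in a small database. The following is an added example written for this page (not the deck's or DMBOK's code) using an in-memory SQLite database: the payroll rows, the region filter, and the principal names are constructed; the `access_grants` table stands in for the database's own grant system so the whole example runs offline.

```python
"""Opt-in grants plus a row-restricted view, demonstrated on in-memory SQLite.
Added example; table, view, row and principal names are constructed."""
import sqlite3

# Constructed sample payroll rows: (emp_id, name, region, salary).
SEED_ROWS = [
    (1, "Ann", "East", 52000),
    (2, "Ben", "West", 61000),
    (3, "Cai", "East", 58000),
    (4, "Dee", "North", 49000),
]

# Allow-list of objects a caller may name; anything else is rejected before it reaches SQL.
READABLE_OBJECTS = {"payroll", "payroll_east"}


def build_db():
    """In-memory database with a base table, a row-restricted view and an opt-in grant table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE payroll (
            emp_id INTEGER PRIMARY KEY, name TEXT, region TEXT, salary INTEGER);
        -- The view fixes the WHERE clause, so a caller granted only the view can
        -- never see other regions' rows.
        CREATE VIEW payroll_east AS
            SELECT emp_id, name, salary FROM payroll WHERE region = 'East';
        -- Opt-in grants: no row here means no access at all.
        CREATE TABLE access_grants (
            principal TEXT NOT NULL, object_name TEXT NOT NULL,
            PRIMARY KEY (principal, object_name));
    """)
    conn.executemany("INSERT INTO payroll VALUES (?, ?, ?, ?)", SEED_ROWS)
    conn.executemany("INSERT INTO access_grants VALUES (?, ?)", [
        ("east_analyst", "payroll_east"),   # regional analyst sees East rows only
        ("payroll_admin", "payroll"),       # administrator sees the whole table
    ])
    conn.commit()
    return conn


def has_access(conn, principal, object_name):
    """True only if an explicit grant exists (opt-in)."""
    row = conn.execute(
        "SELECT 1 FROM access_grants WHERE principal = ? AND object_name = ?",
        (principal, object_name)).fetchone()
    return row is not None


def read_salaries(conn, principal, object_name):
    """Return (name, salary) rows visible to the principal through the named object."""
    if object_name not in READABLE_OBJECTS:
        raise ValueError(f"unknown object {object_name!r}")
    if not has_access(conn, principal, object_name):
        raise PermissionError(f"{principal} has no grant on {object_name}")
    # object_name was validated against the allow-list above, so interpolating it is safe.
    return conn.execute(
        f"SELECT name, salary FROM {object_name} ORDER BY name").fetchall()


if __name__ == "__main__":
    db = build_db()
    print("east_analyst via view:", read_salaries(db, "east_analyst", "payroll_east"))
    print("payroll_admin via table:", read_salaries(db, "payroll_admin", "payroll"))
    print("east_analyst on base table:", has_access(db, "east_analyst", "payroll"))
```

In a production RDBMS the grant would be issued with the database's own GRANT statement on the view only, and the base table would carry no grant for the regional role; the principle is the same.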
7.2.7 Monitor User Authentication and Access Behavior
• Monitoring authentication and access behavior is critical because:
  • It provides information about who is connecting to and accessing information assets, which is a basic requirement for compliance auditing.
  • It alerts security administrators to unforeseen situations, compensating for oversights in data security planning, design, and implementation.
  • It helps detect unusual or suspicious transactions that may warrant further investigation and issue resolution.
• Systems containing confidential information such as salary and financial data commonly implement active, real-time monitoring that sends notifications to the data stewards.

7.2.7 Monitor User Authentication and Access Behavior (continued)
• Passive monitoring tracks changes over time by taking snapshots of the current state of a system at regular intervals and comparing trends against a benchmark or defined set of criteria.
• Automated monitoring does impose an overhead on the underlying systems.
• Enforce monitoring at several layers or data touch points. Monitoring can be:
  • Application specific.
  • Implemented for certain users and/or role groups.
  • Implemented for certain privileges.
  • Used for data integrity validation.
  • Implemented for configuration and core metadata validation.
  • Implemented across heterogeneous systems for checking dependencies.
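Both monitoring styles from these two slides can be shown on a handful of log lines: active monitoring raises a notification to the data steward as each suspicious event arrives, while passive monitoring compares a privilege snapshot with an earlier baseline. This is an added example written for this page, not code from the deck or DMBOK; the access log, the object-to-steward mapping, the authorised user list, the business-hours window, and the two privilege snapshots are all constructed.

```python
"""Active (real-time) and passive (snapshot) monitoring over constructed logs.
Added example; every log line, name, address and threshold here is constructed."""
from datetime import datetime

# Constructed access log: timestamp, user, action, object, outcome.
ACCESS_LOG = """\
2024-03-04T09:12:01 alice SELECT hr.salary OK
2024-03-04T09:12:05 bob SELECT sales.orders OK
2024-03-04T23:41:17 bob SELECT hr.salary OK
2024-03-04T23:41:20 bob SELECT hr.salary OK
2024-03-05T08:00:02 mallory LOGIN - FAIL
2024-03-05T08:00:09 mallory LOGIN - FAIL
2024-03-05T08:00:15 mallory LOGIN - FAIL
2024-03-05T10:15:44 alice UPDATE hr.salary OK
"""

# Constructed metadata: which objects hold confidential data, who stewards them,
# and which users are authorised to touch them.
STEWARDS = {"hr.salary": "hr.steward@example.invalid"}
AUTHORISED = {"hr.salary": {"alice"}}
SECURITY_ADMIN = "security.admin@example.invalid"
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59
FAILED_LOGIN_LIMIT = 3


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, action, obj, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "outcome": outcome})
    return events


def active_monitor(events):
    """Real-time rules: return (recipient, message) notifications in the order raised.
    Each distinct (user, object, reason) is reported once per run to avoid alert floods."""
    notes, seen, failures = [], set(), {}
    for e in events:
        if e["action"] == "LOGIN":
            if e["outcome"] == "FAIL":
                failures[e["user"]] = failures.get(e["user"], 0) + 1
                if failures[e["user"]] == FAILED_LOGIN_LIMIT:
                    notes.append((SECURITY_ADMIN, f"{e['user']}: {FAILED_LOGIN_LIMIT} failed logins"))
            else:
                failures[e["user"]] = 0
            continue
        steward = STEWARDS.get(e["object"])
        if steward is None:
            continue  # only objects classified confidential get real-time alerts
        if e["user"] not in AUTHORISED.get(e["object"], set()):
            reason = "without authorisation"
        elif e["ts"].hour not in BUSINESS_HOURS:
            reason = "outside business hours"
        else:
            continue
        key = (e["user"], e["object"], reason)
        if key not in seen:
            seen.add(key)
            notes.append((steward, f"{e['user']} {e['action']} on {e['object']} {reason}"))
    return notes


def passive_monitor(baseline, snapshot):
    """Snapshot comparison: privileges granted or revoked since the baseline.
    Both arguments map user -> set of privilege strings."""
    added, removed = [], []
    for user in sorted(set(baseline) | set(snapshot)):
        before, after = baseline.get(user, set()), snapshot.get(user, set())
        added += [(user, p) for p in sorted(after - before)]
        removed += [(user, p) for p in sorted(before - after)]
    return added, removed


# Constructed privilege snapshots taken a week apart.
BASELINE = {"alice": {"hr.salary:read", "hr.salary:write"}, "bob": {"sales.orders:read"}}
SNAPSHOT = {"alice": {"hr.salary:read"},
            "bob": {"sales.orders:read", "hr.salary:read"},
            "carol": {"sales.orders:read"}}

if __name__ == "__main__":
    for recipient, msg in active_monitor(parse_log(ACCESS_LOG)):
        print(f"notify {recipient}: {msg}")
    granted, revoked = passive_monitor(BASELINE, SNAPSHOT)
    print("granted since baseline:", granted)
    print("revoked since baseline:", revoked)
```

The passive diff is what an auditor (7.2.9) reconciles against the change management tickets: a grant that appears in the snapshot with no matching ticket is the finding.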
7.2.8 Classify Information Confidentiality
• A simple confidentiality classification schema is used to classify an enterprise's data and information products.
• The schema defines five confidentiality levels:
  • For general audiences: available to everyone.
  • Internal use only: information limited to employees or members.
  • Confidential: information that should not be shared outside the organization.
  • Restricted confidential: information limited to individuals performing certain roles with a "need to know".
  • Registered confidential: information for which anyone accessing it must sign a legal agreement.
• Classify documents and reports, through labeling, based on the highest level of confidentiality of any information found within the document.
• Correctly classify and label the appropriate confidentiality level for each document.
• Also classify databases, relational tables, columns, and views. Information confidentiality classification is an important metadata characteristic, guiding how users are granted access privileges.
• Data stewards are responsible for evaluating and determining the appropriate confidentiality level for data.
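The slide's two rules, that a document takes the highest level of anything inside it and that the classification metadata drives access, are short enough to show as code. This is an added example written for this page, not the deck's or DMBOK's code; the column names and their steward-assigned levels are constructed, and the idea of a per-user "clearance" level is an assumption of this example rather than something the slide defines.

```python
"""Confidentiality classification as metadata that drives access decisions.
Added example; COLUMN_LEVELS and the clearance model are constructed/assumed."""
from enum import IntEnum


class Level(IntEnum):
    """The five levels from the slide, ordered from least to most sensitive."""
    GENERAL = 0        # For general audiences: available to everyone
    INTERNAL = 1       # Internal use only
    CONFIDENTIAL = 2   # Not shared outside the organization
    RESTRICTED = 3     # Restricted confidential: need-to-know roles only
    REGISTERED = 4     # Registered confidential: signed legal agreement required


LABELS = {
    Level.GENERAL: "FOR GENERAL AUDIENCES",
    Level.INTERNAL: "INTERNAL USE ONLY",
    Level.CONFIDENTIAL: "CONFIDENTIAL",
    Level.RESTRICTED: "RESTRICTED CONFIDENTIAL",
    Level.REGISTERED: "REGISTERED CONFIDENTIAL",
}

# Constructed column-level classification metadata, as assigned by the data stewards.
COLUMN_LEVELS = {
    "office.address": Level.GENERAL,
    "employee.name": Level.INTERNAL,
    "employee.email": Level.INTERNAL,
    "employee.salary": Level.RESTRICTED,
    "employee.national_id": Level.REGISTERED,
}


def unclassified(columns):
    """Columns with no steward-assigned level; anything built on them cannot be labelled yet."""
    return sorted(c for c in columns if c not in COLUMN_LEVELS)


def classify(columns):
    """A report, view or table takes the highest level of any column it contains."""
    missing = unclassified(columns)
    if missing:
        raise ValueError(f"data steward must classify: {missing}")
    return max((COLUMN_LEVELS[c] for c in columns), default=Level.GENERAL)


def label_for(columns):
    """The label to stamp on a document or report built from these columns."""
    return LABELS[classify(columns)]


def may_access(level, clearance, need_to_know=False, signed_agreement=False):
    """Access decision driven by the classification. `clearance` is the highest level
    the user's role is cleared for (an assumption of this example, not the slide's)."""
    if clearance < level:
        return False
    if level >= Level.RESTRICTED and not need_to_know:
        return False
    if level == Level.REGISTERED and not signed_agreement:
        return False
    return True


if __name__ == "__main__":
    report = ["employee.name", "employee.salary"]
    print("report label:", label_for(report))
    print("analyst with need to know:", may_access(classify(report), Level.RESTRICTED, need_to_know=True))
    print("analyst without need to know:", may_access(classify(report), Level.RESTRICTED))
    print("unclassified columns:", unclassified(["employee.name", "employee.phone"]))
```

Refusing to classify when any column lacks a level is deliberate: a report that silently defaulted to the lowest level would under-label exactly the data the steward has not yet reviewed.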
7.2.9 Audit Data Security
• Auditing data security is a recurring control activity with responsibility to analyze, validate, counsel, and recommend policies, standards, and activities related to data security management.
• Data security auditors:
  • Should not have direct responsibility for the activities being audited.
  • Provide management and the Data Governance Council with objective, unbiased assessments and rational, practical recommendations.
• Data security policy statements, standards documents, implementation guides, change requests, access monitoring logs, report outputs, and other records form the basis of auditing.

7.2.9 Audit Data Security (continued)
• Auditing data security includes:
  • Analyzing data security policy and standards against best practices and needs.
  • Analyzing implementation procedures and actual practices to ensure consistency with data security goals, policies, standards, guidelines, and desired outcomes.
  • Assessing whether existing standards and procedures are adequate and in alignment with business and technology requirements.
  • Verifying that the organization is in compliance with regulatory requirements.
  • Reviewing the reliability and accuracy of data security audit data.
  • Evaluating escalation procedures and notification mechanisms in the event of a data security breach.
  • Reviewing contracts, data sharing agreements, and data security obligations of outsourced and external vendors, ensuring they meet their obligations, and ensuring the organization meets its obligations for externally sourced data.
  • Reporting to senior management, data stewards, and other stakeholders on the "state of data security" within the organization and the maturity of its practices.
  • Recommending data security design, operational, and compliance improvements.
• Auditing data security is no substitute for effective management of data security.
• Auditing is a supportive, repeatable process, which should occur regularly, efficiently, and consistently.

7.3 Data Security in an Outsourced World
• Outsourcing operations is an option an organization may take; liability, however, cannot be outsourced.
• Outsourcing IT operations introduces additional data security challenges and responsibilities, as it increases the number of people sharing accountability for data access.
• This leads to explicitly defined contractual obligations.
• Contracts must specify the responsibilities and expectations of each role.
• Risks escalate to include the outsource vendor: external risk as well as internal risk.

7.3 Data Security in an Outsourced World (continued)
• Transferring control, but not accountability, requires tighter risk management and control mechanisms, such as:
  • Service level agreements.
  • Limited liability provisions in the outsourcing contract.
  • Right-to-audit clauses in the contract.
  • Clearly defined consequences for breaching contractual obligations.
  • Frequent data security reports from the service vendor.
  • Independent monitoring of vendor system activity.
  • More frequent and thorough data security auditing.
  • Constant communication with the service vendor.
• In an outsourced environment, "chain of custody" analysis should be maintained for the CRUD (create, read, update, delete) processes.
• RACI (Responsible, Accountable, Consulted, and Informed) matrices help clarify the roles, duties, and responsibilities for data security requirements, and can be a part of contractual agreements.
• Outsourcing IT operations requires appropriate compliance mechanisms.