2. Objectives:
• 7.1 Introduction
• 7.2 Concepts and Activities
  • 7.2.1 Understand Data Security Needs and Regulatory Requirements
    • 7.2.1.1 Business Requirements
    • 7.2.1.2 Regulatory Requirements
  • 7.2.2 Define Data Security Policy
  • 7.2.3 Define Data Security Standards
  • 7.2.4 Define Data Security Controls and Procedures
  • 7.2.5 Manage Users, Passwords, and Group Membership
    • 7.2.5.1 Password Standards and Procedures
  • 7.2.6 Manage Data Access Views and Permissions
  • 7.2.7 Monitor User Authentication and Access Behavior
  • 7.2.8 Classify Information Confidentiality
  • 7.2.9 Audit Data Security
• 7.3 Data Security in an Outsourced World
3. 7 Data Security Management
• Data Security is the fifth Data Management Function in the Data Management framework in Chapter 1.
• It is the fourth data management function that interacts with, and is influenced by, the Data Governance function.
• This chapter defines the Data Security Management function and explains the concepts and activities involved in Data Security Management.
4. 7.1 Introduction:
• Data Security Management is the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.
• Effective data security policies and procedures ensure that the right people can use and update data in the right way, and that all inappropriate access and updates are restricted.
• Understanding and complying with the privacy and confidentiality interests and needs of all stakeholders is in the best interest of any organization.
• Establish judicious governance mechanisms that are easy enough for all stakeholders to abide by on a daily operational basis.
6. 7.2 Concepts and Activities
• The goal is to protect information assets in alignment with privacy and confidentiality regulations and business requirements.
• The sources of data security management requirements are:
  • Stakeholder concerns: including clients, patients, students, etc.
  • Government regulations: protect stakeholder interests. Some of them restrict access to information, while others ensure openness, transparency, and accountability.
  • Proprietary business concerns: ensuring the competitive advantage provided by intellectual property and intimate knowledge of customer needs.
  • Legitimate access needs: data security implementers must understand the legitimate need for data access.
7. 7.2 Concepts and Activities
• Data security requirements, and the procedures to meet these requirements, can be categorized into four basic groups (the four A's):
  • Authentication: validate that users are who they say they are.
  • Authorization: identify the right individuals and grant them the right privileges to specific, appropriate views of data.
  • Access: enable these individuals and their privileges in a timely manner.
  • Audit: review security actions and user activity to ensure compliance with regulations and conformance with policy and standards.
8. 7.2.1 Understand Data Security Needs and Regulatory Requirements
• It is important to distinguish between business rules and procedures, and the rules imposed by application software products.
• Application systems serve as vehicles to enforce business rules and procedures.
• It is common for these systems to have their own unique set of data security requirements over and above those required for business processes.
• These unique requirements are becoming more common with packaged and off-the-shelf systems.
• Therefore, this activity divides into two sub-activities:
  • 7.2.1.1 Business Requirements
  • 7.2.1.2 Regulatory Requirements
9. 7.2.1.1 Business Requirements
• Begin with a thorough understanding of business requirements.
• The business mission and strategy, as it percolates through the data strategy, must be the guiding factor in planning data security policy.
• Address short-term and long-term goals to achieve a balanced and effective data security function.
• The degree of data security defined through the business needs of an enterprise depends on the size of the enterprise and its choice to have extended data security.
• Security touch points exist wherever business rules and processes have their own security requirements. Tools such as "data-to-process" and "data-to-role" relationship matrices are useful for mapping these needs.
• Identify detailed application security requirements in the analysis phase of every systems development project.
10. 7.2.1.2 Regulatory Requirements
• Organizations are required to comply with a growing set of regulations.
• The ethical and legal issues facing organizations in the information age are leading governments to establish new laws and standards.
• Requirements of several newer regulations, such as:
  • the United States Sarbanes-Oxley Act of 2002 and Canadian Bill 198
  • the CLERP Act of Australia
  have all imposed strict security controls on information management.
• The European Union's Basel II Accord
  • imposes information controls for all financial institutions doing business in related countries.
• In Saudi Arabia, the NDMO (related to SDAIA)
  • imposes information controls for all government and non-government sectors related to information.
11. 7.2.2 Define Data Security Policy
• Data security policy is a collaborative effort of IT security administrators, data stewards, internal and external audit teams, and the legal department. It is reviewed and approved by the Data Governance Council.
• The IT security policy and the data security policy are part of a combined security policy. However, they should be separated out.
• Data security policies are more granular in nature and take a very data-centric approach.
• Defining directory structures and an identity management framework can be an IT security policy component,
• whereas defining the individual application, database roles, user groups, and password standards can be part of the data security policy.
12. 7.2.3 Define Data Security Standards
• Organizations should design their own security controls, demonstrate that they meet the requirements of law and regulations, and document them.
• IT strategy and standards can also influence:
  • Tools used to manage data security.
  • Data encryption standards and mechanisms.
  • Access guidelines for external vendors and contractors.
  • Data transmission protocols over the internet.
  • Documentation requirements.
  • Remote access standards.
  • Security breach incident reporting procedures.
13. 7.2.3 Define Data Security Standards
• Physical security standards, as part of enterprise IT policies:
  • Access to data using mobile devices.
  • Storage of data on portable devices such as laptops, DVDs, or USB drives.
  • Disposal of these devices in compliance with records management policies.
• The focus should be on quality and consistency, not on creating a huge body of guidelines.
• Standards should be in a format that is easily accessible by suppliers, consumers, and stakeholders.
• They should satisfy the four A's: authentication, authorization, access and audit.
14. 7.2.4 Define Data Security Controls and Procedures
• Implementation and administration of data security policy is primarily the responsibility of security administrators. Database security is often one responsibility of DBAs.
• Implement proper controls to meet the objectives of pertinent laws.
• Implement a process to validate assigned permissions against the change management system used for tracking all user permission requests.
• The control may also require a workflow approval process or a signed paper form to record and document each request.
15. 7.2.5 Manage Users, Passwords, and Group Membership
• Access and update privileges can be granted to individual user accounts. However, this may result in redundant effort.
• Role groups enable security administrators to define privileges by role, and to grant these privileges to users by enrolling them in the role group.
• Try to assign each user to only one role group.
• Construct group definitions at the workgroup level and organize roles in a hierarchy, so that "child roles restrict the privileges of parent roles" (role management, Figure 7.2).
• Security administrators create, modify and delete user accounts and groups.
• Changes made to the group taxonomy and membership should require some level of approval, and tracking using a change management system.
• Data consistency in user and group management is a challenge in a heterogeneous environment.
• To avoid data integrity issues, manage user identity data and role-group membership data centrally.
17. 7.2.5.1 Password Standards and Procedures
• Passwords are the first line of defense in protecting access to data.
• Typical password complexity requirements require a password to:
  • Contain at least 8 characters.
  • Contain an uppercase letter and a numeral.
  • Not be the same as the username.
  • Not be the same as the previous 5 passwords used.
  • Not contain complete dictionary words in any language.
  • Not be incremental (password1, Password2, etc.).
  • Not have two characters repeated sequentially.
  • Avoid using adjacent characters from the keyboard.
• If the system supports a space in passwords, then a "pass phrase" can be used.
• Single sign-on capability should be implemented.
• Users are required to change their passwords every 45 to 60 days.
• Security administrators and help desk analysts assist in troubleshooting and resolving password-related issues.
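The complexity rules listed on this slide, encoded as individual checks so that a change request can report exactly which rule was violated. This is an added example, not code from the slides or from DMBOK; the word list, the keyboard rows and the sample account (username, previous password, change date) are constructed, and previous passwords are kept only as salted PBKDF2 hashes so the history rule needs no plaintext.

```python
"""Password standard checks for the rules listed on slide 17.

Added example, not code from the slides or from DMBOK.  The word list, the
keyboard rows and the sample account are constructed; a real deployment
would use a full dictionary and the organisation's own history store.
"""
import hashlib
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 8
HISTORY_DEPTH = 5               # "not the same as the previous 5 passwords"
MAX_AGE_DAYS = 60               # "change every 45 to 60 days": the outer bound
DICTIONARY = {"password", "welcome", "summer", "london", "bonjour", "secret"}  # constructed
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def matches_history(password, history):
    """history holds (salt, digest) pairs, oldest first."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def is_incremental(new_password, old_password):
    """'password1' -> 'Password2': identical stem once trailing digits are dropped."""
    if old_password is None:
        return False

    def stem(p):
        return re.sub(r"\d+$", "", p).lower()
    return (stem(new_password) == stem(old_password)
            and new_password.lower() != old_password.lower())


def has_repeated_char(password):
    """Two identical characters in a row ('aa', '11')."""
    return re.search(r"(.)\1", password) is not None


def has_keyboard_run(password, run=3):
    """Three or more adjacent keyboard characters, forwards or backwards."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in p or seq[::-1] in p:
                return True
    return False


def contains_dictionary_word(password):
    p = password.lower()
    return any(word in p for word in DICTIONARY)


def validate_password(new_password, username, old_password, history):
    """Return the names of every violated rule; an empty list means accepted."""
    failures = []
    if len(new_password) < MIN_LENGTH:
        failures.append("min_length")
    if not (re.search(r"[A-Z]", new_password) and re.search(r"\d", new_password)):
        failures.append("uppercase_and_numeral")
    if new_password.lower() == username.lower():
        failures.append("equals_username")
    if matches_history(new_password, history):
        failures.append("reused")
    if contains_dictionary_word(new_password):
        failures.append("dictionary_word")
    if is_incremental(new_password, old_password):
        failures.append("incremental")
    if has_repeated_char(new_password):
        failures.append("repeated_char")
    if has_keyboard_run(new_password):
        failures.append("keyboard_run")
    return failures


def password_expired(last_changed, today):
    """True once the password is older than the rotation period."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


# Constructed account: the user's current password is "Winter2023".
SAMPLE_HISTORY = [hash_password("Winter2023")]

if __name__ == "__main__":
    print(validate_password("Winter2024", "jsmith", "Winter2023", SAMPLE_HISTORY))
    print(password_expired(date(2024, 1, 1), date(2024, 3, 15)))
```

The incremental check needs the old password in clear, which is available at change time because the user supplies it to prove possession; everything kept afterwards is a hash.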
18. 7.2.6 Manage Data Access Views and Permissions
• Ensure valid and appropriate access to data. Control access to sensitive data by granting permissions (opt-in). Without permission, a user can do nothing.
• Control data access at an individual or group level:
  • Smaller organizations may find it acceptable to manage data access at the individual level.
  • Larger organizations will benefit greatly from role-based access control, granting permissions to role groups.
• Relational database views provide another important mechanism for data security, enabling restriction of the data in tables to certain rows based on data values.
• Access control degrades when achieved through shared or service accounts.
• Evaluate the use of such accounts carefully, and never use them frequently or by default.
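The view mechanism from this slide, as an added example (not code from the slides or from DMBOK) run against an in-memory SQLite database: one view restricts rows by a data value, another drops a sensitive column, and read access is opt-in per role with nothing granted on the base table. The employee table, its rows, the view names and the grant list are constructed; SQLite has no GRANT statement, so the grants are modelled in Python where a server RDBMS would use GRANT SELECT ON <view> TO <role>.

```python
"""Row- and column-restricting views with opt-in grants, using sqlite3.

Added example, not code from the slides or from DMBOK.  The employee table,
its rows, the view names and the role grants are constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE employee (
    id INTEGER PRIMARY KEY, name TEXT, department TEXT, salary INTEGER);

-- Row restriction by data value: the sales manager's view exposes only
-- that department's rows, so the filter is enforced by the database,
-- not by the application.
CREATE VIEW v_sales_staff AS
    SELECT id, name, department, salary FROM employee
    WHERE department = 'Sales';

-- Column restriction: the staff directory omits salary entirely.
CREATE VIEW v_directory AS
    SELECT id, name, department FROM employee;
"""

SAMPLE_ROWS = [                 # constructed
    (1, "Ada", "Sales", 70000),
    (2, "Grace", "Engineering", 95000),
    (3, "Linus", "Sales", 64000),
    (4, "Edsger", "Finance", 88000),
]

# Opt-in grants: a role may read only the objects listed for it.  The base
# table "employee" is granted to nobody.
GRANTS = {
    "sales_manager": {"v_sales_staff", "v_directory"},
    "staff": {"v_directory"},
}
ROLE_OF = {"alice": "sales_manager", "bob": "staff"}   # user -> role group


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def can_read(user, obj):
    """Without an enrolment and an explicit grant, the user can do nothing."""
    role = ROLE_OF.get(user)
    return role is not None and obj in GRANTS.get(role, set())


def read_object(conn, user, obj):
    """SELECT * from obj on behalf of user, enforcing the grant list."""
    if not can_read(user, obj):
        raise PermissionError(f"{user!r} has no SELECT on {obj!r}")
    # obj has just been matched against the fixed grant list, so it is a
    # known identifier; never splice unvalidated input into SQL text.
    return conn.execute(f"SELECT * FROM {obj}").fetchall()


if __name__ == "__main__":
    db = open_db()
    print(read_object(db, "alice", "v_sales_staff"))     # Sales rows only
    print(read_object(db, "bob", "v_directory"))         # all rows, no salary
```

A shared service account would appear here as one entry in ROLE_OF used by many people, which is exactly why the slide says access control degrades: the grant check still passes, but the identity it passes for no longer names a person.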
19. 7.2.7 Monitor User Authentication and Access Behavior
• Monitoring authentication and access behavior is critical because:
  • It provides information about who is connecting and accessing information assets, which is a basic requirement for compliance auditing.
  • It alerts security administrators to unforeseen situations, compensating for oversights in data security planning, design, and implementation.
  • Monitoring helps detect unusual or suspicious transactions that may warrant further investigation and issue resolution.
• Systems containing confidential information such as salary and financial data commonly implement active, real-time monitoring, which sends notifications to the data stewards.
20. 7.2.7 Monitor User Authentication and Access Behavior
• Passive monitoring tracks changes over time by taking snapshots of the current state of a system at regular intervals and comparing trends against a benchmark or defined set of criteria.
• Automated monitoring does impose an overhead on the underlying systems.
• Enforce monitoring at several layers or data touch points. Monitoring can be:
  • Application specific.
  • Implemented for certain users and/or role groups.
  • Implemented for certain privileges.
  • Used for data integrity validation.
  • Implemented for configuration and core metadata validation.
  • Implemented across heterogeneous systems for checking dependencies.
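Both monitoring styles from slides 19 and 20, together with the control from slide 14 that validates assigned permissions against the change management record, as one added example (not code from the slides or from DMBOK). Active monitoring inspects access events as they arrive and produces alerts for the data stewards; passive monitoring diffs two snapshots of the permission state and checks each new grant for an approved ticket. The log line format, the confidential object list, the approved readers, the snapshots and the ticket id "CHG-1042" are all constructed.

```python
"""Active and passive monitoring of authentication and access behaviour,
plus reconciliation of permissions against the change-management record.

Added example, not code from the slides or from DMBOK.  The log format,
confidential objects, approved readers, snapshots and the ticket id are
constructed sample data.
"""
from collections import Counter

# Constructed access log: timestamp user action object outcome
ACCESS_LOG = """\
2024-03-04T08:55:10 alice LOGIN - OK
2024-03-04T09:01:44 alice SELECT employee_salary OK
2024-03-04T09:02:03 bob LOGIN - FAIL
2024-03-04T09:02:09 bob LOGIN - FAIL
2024-03-04T09:02:15 bob LOGIN - FAIL
2024-03-04T09:02:20 bob LOGIN - FAIL
2024-03-04T23:15:02 svc_batch SELECT employee_salary OK
2024-03-04T23:15:30 carol SELECT employee_salary OK
"""

CONFIDENTIAL_OBJECTS = {"employee_salary"}
APPROVED_READERS = {"employee_salary": {"alice", "svc_batch"}}
FAILED_LOGIN_THRESHOLD = 3
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, action, obj, outcome = line.split()
        events.append({"ts": ts, "user": user, "action": action, "obj": obj,
                       "outcome": outcome, "hour": int(ts[11:13])})
    return events


def active_alerts(events):
    """Per-event checks: failed-login bursts, confidential reads by users who
    are not approved readers, and confidential reads outside business hours.
    Each alert is (rule, user, timestamp) and would be sent to the steward."""
    alerts = []
    failures = Counter()
    for e in events:
        if e["action"] == "LOGIN" and e["outcome"] == "FAIL":
            failures[e["user"]] += 1
            if failures[e["user"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("login_burst", e["user"], e["ts"]))
        if e["obj"] in CONFIDENTIAL_OBJECTS and e["outcome"] == "OK":
            if e["user"] not in APPROVED_READERS.get(e["obj"], set()):
                alerts.append(("unapproved_confidential_read", e["user"], e["ts"]))
            if e["hour"] not in BUSINESS_HOURS:
                alerts.append(("after_hours_confidential_read", e["user"], e["ts"]))
    return alerts


# Passive monitoring: snapshots of (user, object, privilege) taken at intervals.
SNAPSHOT_MONDAY = {("alice", "employee_salary", "SELECT"),
                   ("svc_batch", "employee_salary", "SELECT"),
                   ("bob", "v_directory", "SELECT")}
SNAPSHOT_FRIDAY = SNAPSHOT_MONDAY | {("carol", "employee_salary", "SELECT"),
                                     ("bob", "employee", "UPDATE")}

# Change-management record: grants backed by an approved ticket (constructed id).
APPROVED_CHANGES = {("carol", "employee_salary", "SELECT"): "CHG-1042"}


def passive_review(baseline, current, approved):
    """Diff two snapshots and validate every new grant against the approved
    change tickets.  Returns (unapproved_grants, approved_grants, revoked)."""
    added = current - baseline
    return (sorted(g for g in added if g not in approved),
            sorted(g for g in added if g in approved),
            sorted(baseline - current))


if __name__ == "__main__":
    for alert in active_alerts(parse_log(ACCESS_LOG)):
        print("ALERT", *alert)
    unapproved, approved, revoked = passive_review(
        SNAPSHOT_MONDAY, SNAPSHOT_FRIDAY, APPROVED_CHANGES)
    print("grants without a ticket:", unapproved)
```

On the sample data the active pass raises four alerts (a login burst, one after-hours read by an approved service account, and an unapproved plus after-hours read by carol), and the passive pass flags bob's new UPDATE on the base table as a grant with no ticket behind it.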
21. 7.2.8 Classify Information Confidentiality
• A simple confidentiality classification schema is used to classify an enterprise's data and information products.
• The schema has five confidentiality levels:
  • For General Audiences: available to everyone.
  • Internal Use Only: information limited to employees or members.
  • Confidential: information that should not be shared outside the organization.
  • Restricted Confidential: information limited to individuals performing certain roles with the "need to know".
  • Registered Confidential: information for which anyone accessing it must sign a legal agreement.
• Classify documents and reports based on the highest level of confidentiality of any information found within the document, and mark the result through labeling.
• Correctly classify and label the appropriate confidentiality level for each document.
• Also classify databases, relational tables, columns, and views. Information confidentiality classification is an important metadata characteristic, guiding how users are granted access privileges.
• Data stewards are responsible for evaluating and determining the appropriate confidentiality level for data.
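The five-level schema and the "highest level wins" rule from this slide, as an added example (not code from the slides or from DMBOK): the levels are an ordered enumeration, a document or a view takes the highest level of its parts, the result is carried as a label, and that label drives the access decision. The document sections, the employee table's column metadata and the clearances are constructed.

```python
"""Confidentiality classification of documents, tables and views.

Added example, not code from the slides or from DMBOK.  The five levels are
those on slide 21; the document sections, column metadata and clearances
are constructed sample data.
"""
from enum import IntEnum


class Confidentiality(IntEnum):
    GENERAL = 0               # For General Audiences
    INTERNAL = 1              # Internal Use Only
    CONFIDENTIAL = 2          # not shared outside the organization
    RESTRICTED = 3            # Restricted Confidential: need-to-know roles
    REGISTERED = 4            # Registered Confidential: signed agreement


def classify_container(part_levels):
    """Highest level of any part wins (document sections, table columns...)."""
    part_levels = list(part_levels)
    if not part_levels:
        return Confidentiality.GENERAL
    return max(part_levels)


def label(level):
    """Label text stamped on a document or stored as metadata on a table."""
    return f"CLASSIFICATION: {level.name}"


# Constructed column-level metadata for an employee table, as a data steward
# would record it.
EMPLOYEE_COLUMNS = {
    "id": Confidentiality.INTERNAL,
    "name": Confidentiality.INTERNAL,
    "department": Confidentiality.INTERNAL,
    "salary": Confidentiality.CONFIDENTIAL,
    "medical_note": Confidentiality.RESTRICTED,
}


def classify_view(columns, view_columns):
    """A view inherits the highest level among the columns it exposes, so
    a directory view without salary or medical_note stays INTERNAL."""
    return classify_container(columns[c] for c in view_columns)


def may_access(user_clearance, level, signed_agreement=False):
    """Clearance must meet the level; REGISTERED additionally requires the
    signed legal agreement the slide describes."""
    if level == Confidentiality.REGISTERED and not signed_agreement:
        return False
    return user_clearance >= level


if __name__ == "__main__":
    report = [Confidentiality.INTERNAL, Confidentiality.CONFIDENTIAL,
              Confidentiality.GENERAL]
    print(label(classify_container(report)))
    print(label(classify_view(EMPLOYEE_COLUMNS, ["id", "name", "department"])))
    print(label(classify_view(EMPLOYEE_COLUMNS, EMPLOYEE_COLUMNS)))
```

Keeping the level on each column is what lets a view be classified automatically: the grant decision for the view then follows from metadata the stewards already maintain rather than from a separate judgement per view.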
22. 7.2.9 Audit Data Security
• Auditing data security is a recurring control activity with responsibility to analyze, validate, counsel, and recommend policies, standards, and activities related to data security management.
• Data security auditors:
  • should not have direct responsibility for the activities being audited;
  • provide management and the Data Governance Council with objective, unbiased assessments and rational, practical recommendations.
• Data security policy statements, standards documents, implementation guides, change requests, access monitoring logs, report outputs, and other records form the basis of auditing.
23. 7.2.9 Audit Data Security
• Auditing data security includes:
  • Analyzing data security policy and standards against best practices and needs.
  • Analyzing implementation procedures and actual practices to ensure consistency with data security goals, policies, standards, guidelines, and desired outcomes.
  • Assessing whether existing standards and procedures are adequate and in alignment with business and technology requirements.
  • Verifying the organization is in compliance with regulatory requirements.
  • Reviewing the reliability and accuracy of data security audit data.
  • Evaluating escalation procedures and notification mechanisms in the event of a data security breach.
  • Reviewing contracts, data sharing agreements, and data security obligations of outsourced and external vendors, ensuring they meet their obligations, and ensuring the organization meets its obligations for externally sourced data.
  • Reporting to senior management, data stewards, and other stakeholders on the "State of Data Security" within the organization and the maturity of its practices.
  • Recommending data security design, operational, and compliance improvements.
• Auditing data security is no substitute for effective management of data security.
• Auditing is a supportive, repeatable process, which should occur regularly, efficiently, and consistently.
24. 7.3 Data Security in an Outsourced World
• An organization may choose to outsource its operations; its liability, however, cannot be outsourced.
• Outsourcing IT operations introduces additional data security challenges and responsibilities, with "a number of people sharing accountability for data access".
• These shared responsibilities must be explicitly defined as "contractual obligations".
• Contracts must specify the responsibilities and expectations of each role.
• Risks escalate to include the outsourcing vendor: "external risk and internal risk".
25. 7.3 Data Security in an Outsourced World, continued
• Transferring control, but not accountability, requires tighter risk management and control mechanisms, such as:
  • Service level agreements.
  • Limited liability provisions in the outsourcing contract.
  • Right-to-audit clauses in the contract.
  • Clearly defined consequences for breaching contractual obligations.
  • Frequent data security reports from the service vendor.
  • Independent monitoring of vendor system activity.
  • More frequent and thorough data security auditing.
  • Constant communication with the service vendor.
• In an outsourced environment, "chain of custody" analysis should be maintained for "CRUD" (create, read, update, delete) processes.
• RACI ("Responsible, Accountable, Consulted, and Informed") matrices help clarify the roles, duties and responsibilities of data security requirements, and can be a part of contractual agreements.
• Outsourcing IT operations requires appropriate compliance mechanisms.