This document discusses data security management. It outlines key concepts and activities including understanding business and regulatory requirements, defining security policies, standards, controls and procedures, managing users, passwords and permissions. The goal is to protect information through proper authentication, authorization, access and auditing in alignment with privacy needs and regulations.
Introduction to Data Security Management as critical for protecting information assets. Objectives cover understanding needs, policies, standards, and management of data security.
Focus on identifying business and regulatory requirements for effective data security.
Establishing granular Data Security Policies and Standards compliant with laws and regulations.
Implementing user management, data security controls, and effective user roles in access.
Standards for password complexity and change management to secure data access.
Controlling data access permissions and monitoring to ensure compliance and detect breaches.
Classifying data confidentiality levels and their implications on access control practices.
Regular auditing of data security policies and practices to ensure adherence and compliance.
Challenges of outsourcing IT operations, emphasizing risk management and accountability measures.
Objectives:
• 7.1 Introduction
• 7.2 Concepts and Activities
• 7.2.1 Understand Data Security Needs and Regulatory Requirements
• 7.2.1.1 Business Requirements
• 7.2.1.2 Regulatory Requirements
• 7.2.2 Define Data Security Policy
• 7.2.3 Define Data Security Standards
• 7.2.4 Define Data Security Controls and Procedures
• 7.2.5 Manage Users, Passwords, and Group Membership
• 7.2.5.1 Password Standards and Procedures
• 7.2.6 Manage Data Access Views and Permissions
• 7.2.7 Monitor User Authentication and Access Behavior
• 7.2.8 Classify Information Confidentiality
• 7.2.9 Audit Data Security
• 7.3 Data Security in Outsourced World
3.
7 Data Security Management
• Data Security is the fifth Data Management Function in
the Data Management framework in Chapter 1.
• It is the fourth data management function that interacts with
and is influenced by the Data Governance function.
• In this chapter, we define the Data Security
Management function and explain the concepts and
activities involved in Data Security Management.
4.
7.1 Introduction:
• Data Security Management is the planning, development, and
execution of security policies and procedures to provide proper
authentication, authorization, access, and auditing of data and
information assets.
• Effective Data Security Policies and Procedures ensure that the
right people can use and update data in the right way and all
inappropriate access and update is restricted.
• Understanding and complying with privacy and confidentiality
interests and needs of all stakeholders is in the best interest of any
organization.
• It establishes judicious governance mechanisms that are easy
enough for all stakeholders to abide by on a daily operational basis.
6.
7.2 Concepts and Activities
• The goal is to protect information assets in alignment with privacy
and confidentiality regulations and business requirements.
• The sources of Data Security Management requirements are:
• Stakeholder concerns: including clients, patients, students, etc.
• Government regulations: protect stakeholder interests. Some
of them restrict access to information, while others ensure
openness, transparency, and accountability.
• Proprietary Business Concerns: ensuring competitive
advantage provided by intellectual property and intimate
knowledge of customer needs.
• Legitimate access Needs: Data security implementers must
understand legitimate need for data access.
7.
7.2 Concepts and Activities
• Data Security requirements and procedures to meet these
requirements can be categorized into four basic groups:
• Authentication: Validate users are who they say they are.
• Authorization: Identify the right individuals and grant
them the right privileges to specific, appropriate views of
data.
• Access: Enable these individuals and their privileges in a
timely manner.
• Audit: Review Security actions and user activity to ensure
compliance with regulations and conformance with policy
and standards.
8.
7.2.1 Understand Data Security Needs and Regulatory Requirements
• It is important to distinguish between business rules and procedures and the rules
imposed by application software products.
• Application systems serve as vehicles to enforce business rules and procedures.
• It is common for these systems to have their own unique set of data security
requirements over and above those required for business processes.
• These unique requirements are becoming more common with packaged and off-
the-shelf systems.
• Therefore, this activity divides into two sub-activities:
• 7.2.1.1 Business Requirements
• 7.2.1.2 Regulatory Requirements
9.
7.2.1.1 Business Requirements
• Begin with a thorough understanding of business requirements.
• The business mission and strategy that percolate through the data strategy must be
the guiding factor in planning data security policy.
• Address short-term and long-term goals to achieve a balanced and effective data
security function.
• The business needs of an enterprise define the degree of data security required,
depending on the size of the enterprise and the choice to have extended
data security.
• Security touch points: every business rule and process has its
own security requirements. Therefore, “Data-to-process” and
“Data-to-role” relationship matrices are useful tools to map these needs.
• Identify detailed application security requirements in the analysis phase of
every systems development project.
10.
7.2.1.2 Regulatory Requirements
• Organizations are required to comply with a growing set of regulations.
• The ethical and legal issues facing organizations in the information age are
leading governments to establish new laws and standards.
• Several newer regulations have all imposed strict security controls on
information management, like:
• United States Sarbanes-Oxley Act of 2002, Canadian Bill 198
• CLERP Act of Australia
• The European Union’s Basel II Accord imposes information controls for all
financial institutions doing business in related countries.
• In Saudi Arabia, the NDMO, related to SDAIA, imposes information controls for all
government and non-government sectors related to information.
11.
7.2.2 Define Data Security Policy
• Data Security Policy is a collaborative effort from IT security
administrators, Data Stewards, internal and external audit teams,
and the legal department. It is reviewed and approved by the Data
Governance council.
• IT Security Policy and Data Security Policy are part of a combined
Security Policy. However, they should be separated out.
• Data Security Policies are more granular in nature and take a very
data-centric approach.
• Defining directory structures and an identity management
framework can be IT Security Policy component,
• Whereas defining the individual application, Database roles, User
groups, and password standards can be part of the Data Security
Policy.
12.
7.2.3 Define Data Security Standards
• Organizations should design their own security controls,
demonstrate that they meet the requirements of the law and
regulations, and document them.
• IT strategy and standards can also influence:
• Tools used to manage data security
• Data encryption standards and mechanisms.
• Access guidelines to external vendors and contractors.
• Data transmission protocols over the internet.
• Documentation requirements.
• Remote access standards.
• Security breach incident reporting procedures.
13.
7.2.3 Define Data Security Standards
• Physical Security standards, as part of enterprise IT policies:
• Access to data using mobile devices.
• Storage of data on portable devices such as laptops, DVDs, or USB drives.
• Disposal of these devices in compliance with records management
policies.
• The focus should be on quality and consistency, not creating a huge body of
guidelines.
• Should be in a format that is easily accessible by suppliers, consumers, and
stakeholders.
• Should be satisfying the four A’s “authentication, authorization, access and
audit”
14.
7.2.4 Define Data Security Controls and Procedures
• Implementation and administration of data security policy is
primarily the responsibility of security administrators. Database
security is often one responsibility of DBAs.
• Implement proper controls to meet the objectives of
pertinent laws.
• Implement a process to validate assigned permissions
against the change management system used for tracking all user
permission requests.
• The control may also require a workflow approval process or
signed paper form to record and document each request.
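One way to validate assigned permissions against change management records, as an added example that is not part of the original slides. The record layout, the `status` values, the ticket numbers and the user names are all constructed assumptions:

```python
from collections import namedtuple

Grant = namedtuple("Grant", "user obj privilege")
Request = namedtuple("Request", "ticket user obj privilege status")

# Constructed sample: requests exported from a change management system.
CHANGE_REQUESTS = [
    Request("CHG-1001", "asmith", "hr.salary", "SELECT", "approved"),
    Request("CHG-1002", "bjones", "sales.orders", "SELECT", "approved"),
    Request("CHG-1003", "cwong", "fin.ledger", "SELECT", "pending"),
    Request("CHG-1004", "dlee", "sales.orders", "UPDATE", "approved"),
]

# Constructed sample: permissions as actually assigned in the database.
ACTUAL_GRANTS = [
    Grant("asmith", "hr.salary", "SELECT"),
    Grant("asmith", "hr.salary", "UPDATE"),   # no request at all
    Grant("bjones", "sales.orders", "SELECT"),
    Grant("cwong", "fin.ledger", "SELECT"),   # granted before approval
]


def reconcile(grants, requests):
    """Compare assigned permissions with approved change requests."""
    approved, other = {}, {}
    for r in requests:
        key = Grant(r.user, r.obj, r.privilege)
        if r.status == "approved":
            approved[key] = r.ticket
        else:
            other.setdefault(key, f"{r.ticket} ({r.status})")
    granted = set(grants)
    # Authorization gap: a permission exists without an approved request.
    unapproved = [(g, other.get(g, "no request on file"))
                  for g in sorted(granted) if g not in approved]
    # Access gap: an approved request was never provisioned.
    not_provisioned = [(k, t) for k, t in sorted(approved.items())
                       if k not in granted]
    return {"unapproved": unapproved, "not_provisioned": not_provisioned}


if __name__ == "__main__":
    for kind, items in reconcile(ACTUAL_GRANTS, CHANGE_REQUESTS).items():
        for grant, detail in items:
            print(kind, tuple(grant), detail)
```
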
15.
7.2.5 Manage Users, Passwords, and Group Membership
• Access and update privileges can be granted to individual user accounts. However,
this may result in redundant effort.
• Role groups enable security administrators to define privileges by role, and to
grant these privileges to users by enrolling them in the role group.
• Try to assign each user to only one role group.
• Construct group definitions at a workgroup level and organize roles in a hierarchy, “child
roles restrict the privileges of parent roles” (roles management, Figure 7.2).
• Security administrators create, modify and delete user accounts and groups.
• Changes made to the group taxonomy and membership should require some level
of approval, and tracking using a change management system.
• Data consistency in user and group management is a challenge in a
heterogeneous environment.
• To avoid data integrity issues, manage user identity data and role-group
membership data centrally.
17.
7.2.5.1 Password Standards and Procedures
• Passwords are the first line of defense in protecting access to data.
• Typical password complexity requirements require a password to:
• Contain at least 8 characters.
• Contain an uppercase letter and a numeral.
• Not be the same as the username
• Not be the same as the previous 5 passwords used.
• Not contain complete dictionary words in any language.
• Not be incremental (password1, Password2, etc).
• Not have two characters repeated sequentially.
• Avoid using adjacent characters from the keyboard.
• If the system supports a space in passwords, then a ‘pass phrase’ can be
used.
• The ‘single-sign-on’ capability should be implemented.
• Users are required to change their passwords every 45 to 60 days.
• Security administrators and help desk analysts assist in troubleshooting and
resolving password related issues.
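The complexity rules listed above, expressed as a checker (an added example, not part of the original slides). The word list, the three-character threshold for keyboard runs and the PBKDF2 work factor are assumptions; password history is held as salted hashes so the "previous 5" rule never needs stored plaintext:

```python
import hashlib
import hmac
import re

# Constructed stand-ins: a real deployment loads full word lists per language.
DICTIONARY = {"password", "welcome", "dragon", "monkey"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
HISTORY_DEPTH = 5   # "previous 5 passwords" from the list above
RUN_LENGTH = 3      # assumption: the slides give no length for keyboard runs


def hash_password(password, salt):
    # Illustrative work factor; history is never kept as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def has_keyboard_run(password):
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - RUN_LENGTH + 1):
                if seq[i:i + RUN_LENGTH] in low:
                    return True
    return False


def base(password):
    # Strip a trailing counter so "password1" and "Password2" compare equal.
    return password.lower().rstrip("0123456789")


def violations(new, username, current, history):
    """Return the rules `new` breaks. `current` is the plaintext the user
    supplies at change time; `history` is [(salt, hash), ...], newest first."""
    low, found = new.lower(), []
    if len(new) < 8:
        found.append("shorter than 8 characters")
    if not (re.search(r"[A-Z]", new) and re.search(r"\d", new)):
        found.append("needs an uppercase letter and a numeral")
    if low == username.lower():
        found.append("same as the username")
    if any(hmac.compare_digest(hash_password(new, salt), digest)
           for salt, digest in history[:HISTORY_DEPTH]):
        found.append("matches one of the previous 5 passwords")
    if any(word in low for word in DICTIONARY):
        found.append("contains a dictionary word")
    if base(new) == base(current):
        found.append("incremental variant of the current password")
    if re.search(r"(.)\1", new):
        found.append("repeats a character sequentially")
    if has_keyboard_run(new):
        found.append("uses adjacent keyboard characters")
    return found
```
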
18.
7.2.6 Manage Data Access Views and Permissions
• Enable valid and appropriate access to data. Control sensitive data access by granting
permissions (opt-in). Without permission, a user can do nothing.
• Control data access at an individual or group level:
• Smaller organizations may find it acceptable to manage data access at the individual level.
• Larger organizations will benefit greatly from role-based access control,
granting permissions to role groups.
• RDB views provide another important mechanism for data security, enabling
restrictions to data in tables to certain rows based on data values.
• Access control degrades when achieved through shared or service accounts.
• Evaluate use of such accounts carefully, and never use them frequently or by
default.
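Opt-in permissions, role groups and row-restricting views combined in one sketch (an added example, not part of the original slides). The table, view, role and user names are constructed; SQLite has no GRANT statement, so the role-to-view permission check is done in application code here, whereas a server RDBMS would grant the views to roles directly:

```python
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employee (name TEXT, dept TEXT, salary INTEGER);
        INSERT INTO employee VALUES
            ('Avery', 'Sales', 52000), ('Blake', 'Sales', 58000),
            ('Casey', 'Finance', 71000);
        -- Rows restricted by data value; the salary column is not exposed.
        CREATE VIEW v_sales_directory AS
            SELECT name, dept FROM employee WHERE dept = 'Sales';
        -- Payroll sees every row, including salary.
        CREATE VIEW v_payroll AS
            SELECT name, dept, salary FROM employee;
    """)
    return db


# Permissions are granted to role groups, never to individual users,
# and each user is enrolled in exactly one role group.
ROLE_VIEWS = {
    "sales_staff": {"v_sales_directory"},
    "payroll_clerk": {"v_sales_directory", "v_payroll"},
}
USER_ROLE = {"asmith": "sales_staff", "bjones": "payroll_clerk"}


def read_view(db, user, view):
    """Opt-in access: without an explicit permission, a user can do nothing."""
    allowed = ROLE_VIEWS.get(USER_ROLE.get(user), set())
    if view not in allowed:
        raise PermissionError(f"{user} has no permission on {view}")
    # The view name was just matched against the allow-list above,
    # so it is safe to place in the statement text.
    return db.execute(f"SELECT * FROM {view} ORDER BY name").fetchall()


if __name__ == "__main__":
    db = build_db()
    print(read_view(db, "asmith", "v_sales_directory"))
    print(read_view(db, "bjones", "v_payroll"))
```
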
19.
7.2.7 Monitor User Authentication and Access Behavior
• Monitoring authentication and access behavior is critical because:
• It provides information about who is connecting and accessing information
assets, which is a basic requirement for compliance auditing.
• It alerts security administrators to unforeseen situations, compensating for
oversights in data security planning, design, and implementation.
• Monitoring helps detect unusual or suspicious transactions that may warrant
further investigation and issue resolution.
• Systems containing confidential information such as salary, financial data, etc.
commonly implement active, real-time monitoring (“send notification to the
data stewards”).
20.
7.2.7 Monitor User Authentication and Access Behavior
• Passive monitoring tracks changes over time by taking snapshots of the
current state of a system at regular intervals and comparing trends against a
benchmark or defined set of criteria.
• Automated monitoring does impose an overhead on the underlying systems.
• Enforce monitoring at several layers or data touch points. Monitoring can be:
• Application specific.
• Implemented for certain users and / or role groups.
• Implemented for certain privileges.
• Used for data integrity validation.
• Implemented for configuration and core meta-data validation.
• Implemented across heterogeneous systems for checking dependencies.
21.
7.2.8 Classify Information Confidentiality
• A simple confidentiality classification schema is used to classify an enterprise’s
data and information products.
• The schema follows five confidentiality levels:
• For General Audiences: available to everyone.
• Internal Use Only: information limited to employees or members.
• Confidential: information should not be shared outside the organization.
• Restricted Confidential: information limited to individuals performing certain roles with the
“need to know”.
• Registered Confidential: information that anyone accessing should sign a legal agreement to
access.
• Classify documents and reports based on the highest level of confidentiality for
any information found within the document, through labeling.
• Correctly classify and label the appropriate confidentiality level for each
document.
• Also, classify databases, relational tables, columns, and views. Information
confidentiality classification is an important meta-data characteristic, guiding
how users are granted access privileges.
• Data Stewards are responsible for evaluating and determining the appropriate
confidentiality level for data.
22.
7.2.9 Audit Data Security
• Auditing data security is a recurring control activity with responsibility to
analyze, validate, counsel, and recommend policies, standards, and
activities related to data security management.
• Data security auditors:
• Should not have direct responsibility for the activities being audited.
• Provide management and the data governance council with objective, unbiased
assessments, and rational, practical recommendations.
• Data security policy statements, standards documents, implementation
guides, change requests, access monitoring logs, report outputs, and other
records form the basis of auditing.
23.
7.2.9 Audit Data Security
• Auditing data security includes:
• Analyzing data security policy and standards against best practices and needs.
• Analyzing implementation procedures and actual practices to ensure consistency with data
security goals, policies, standards, guidelines, and desired outcomes.
• Assessing whether existing standards and procedures are adequate and in alignment with
business and technology requirements.
• Verifying the organization is in compliance with regulatory requirements.
• Reviewing the reliability and accuracy of data security audit data.
• Evaluating escalation procedures and notification mechanisms in the event of data security
breach.
• Reviewing contracts, data sharing agreements, and data security obligations of outsourced and
external vendors, ensuring they meet their obligations, and ensuring the organization meets its
obligations for externally sourced data.
• Reporting to senior management, data stewards, and other stakeholders on the ‘State of Data
Security’ within the organization and the maturity of its practices.
• Recommending data security design, operational, and compliance improvements.
• Auditing data security is no substitute for effective management of data security.
• Auditing is a supportive, repeatable process, which should occur regularly,
efficiently, and consistently.
24.
7.3 Data Security in an Outsourced World
• An organization may choose to outsource; only “liability” cannot be
outsourced.
• Outsourcing IT operations introduces additional data security
challenges and responsibilities (“number of people sharing
accountability for data access”).
• This leads to responsibilities being explicitly defined as “contractual obligations”.
• Contracts must specify the responsibilities and expectations of
each role.
• Risks are escalated to include the outsource vendor (“external risk and
internal risk”).
25.
7.3 Data Security in an Outsourced World,
continued
• Transferring control, but not accountability, requires tighter risk
management and control mechanisms, such as:
• Service Level agreements.
• Limited Liability Provisions in the outsourcing contract.
• Right-to-audit clauses in the contract.
• Clearly defined consequences to breaching contractual obligations.
• Frequent data security reports from the service vendor.
• Independent monitoring of vendor system activity.
• More frequent and thorough data security auditing.
• Constant communication with the service vendor.
• In an outsourced environment, ‘chain of custody’ analysis should be maintained
in relation to “CRUD” processes.
• RACI (“Responsible, Accountable, Consulted, and Informed”) matrices help
clarify roles, duties and responsibilities of data security requirements
(“can be a part of contractual agreements”).
• Outsourcing IT operations requires appropriate compliance
mechanisms.