Data Security Management
Ahmed Alorage
Objectives:
• 7.1 Introduction
• 7.2 Concepts and Activities
• 7.2.1 Understand Data Security Needs and Regulatory Requirements
• 7.2.1.1 Business Requirements
• 7.2.1.2 Regulatory Requirements
• 7.2.2 Define Data Security Policy
• 7.2.3 Define Data Security Standards
• 7.2.4 Define Data Security Controls and Procedures
• 7.2.5 Manage Users, Passwords, and Group Membership
• 7.2.5.1 Password Standards and Procedures
• 7.2.6 Manage Data Access Views and Permissions
• 7.2.7 Monitor User Authentication and Access Behavior
• 7.2.8 Classify Information Confidentiality
• 7.2.9 Audit Data Security
• 7.3 Data Security in an Outsourced World
7 Data Security Management
• Data Security is the fifth Data Management Function in the Data Management framework in Chapter 1.
• It is the fourth data management function that interacts with, and is influenced by, the Data Governance function.
• In this chapter, we define the Data Security Management function and explain the concepts and activities involved in Data Security Management.
7.1 Introduction:
• Data Security Management is the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.
• Effective data security policies and procedures ensure that the right people can use and update data in the right way, and that all inappropriate access and updates are restricted.
• Understanding and complying with the privacy and confidentiality interests and needs of all stakeholders is in the best interest of any organization.
• Establish judicious governance mechanisms that are easy enough for all stakeholders to abide by on a daily operational basis.
7.2 Concepts and Activities
• The goal is to protect information assets in alignment with privacy and confidentiality regulations and business requirements.
• Data security management requirements come from:
• Stakeholder concerns: including clients, patients, students, etc.
• Government regulations: these protect stakeholder interests. Some of them restrict access to information, while others ensure openness, transparency, and accountability.
• Proprietary business concerns: ensuring the competitive advantage provided by intellectual property and intimate knowledge of customer needs.
• Legitimate access needs: data security implementers must understand the legitimate need for data access.
7.2 Concepts and Activities
• Data Security requirements and procedures to meet these
requirements can be categorized into four basic groups:
• Authentication: Validate users are who they say they are.
• Authorization: Identify the right individuals and grant
them the right privileges to specific, appropriate views of
data.
• Access: Enable these individuals and their privileges in a
timely manner.
• Audit: Review Security actions and user activity to ensure
compliance with regulations and conformance with policy
and standards.
7.2.1 Understand Data Security Needs and Regulatory Requirements
• It is important to distinguish between business rules and procedures, and the rules imposed by application software products.
• Application systems serve as vehicles to enforce business rules and procedures.
• It is common for these systems to have their own unique set of data security requirements over and above those required for business processes.
• These unique requirements are becoming more common with packaged and off-the-shelf systems.
• Therefore, this activity divides into two sub-activities:
• 7.2.1.1 Business Requirements
• 7.2.1.2 Regulatory Requirements
7.2.1.1 Business Requirements
• Begin with a thorough understanding of business requirements.
• The business mission and strategy, percolating through the data strategy, must be the guiding factor in planning data security policy.
• Address short-term and long-term goals to achieve a balanced and effective data security function.
• The degree of data security defined through the business needs of an enterprise depends on the size of the enterprise and its choice to have extended data security.
• Security has touch points: every business rule and process has its own security requirements. Therefore, tools such as "data-to-process" and "data-to-role" relationship matrices are useful for mapping these needs.
• Identify detailed application security requirements in the analysis phase of every systems development project.
7.2.1.2 Regulatory Requirements
• Organizations are required to comply with a growing set of regulations.
• The ethical and legal issues facing organizations in the information age are leading governments to establish new laws and standards.
• The requirements of several newer regulations, such as:
• the United States Sarbanes-Oxley Act of 2002, Canadian Bill 198, and
• the CLERP Act of Australia
• have all imposed strict security controls on information management.
• The European Union's Basel II Accord
• imposes information controls for all financial institutions doing business in the related countries.
• In Saudi Arabia, the NDMO (related to SDAIA)
• imposes information controls for all government and non-government sectors that handle information.
7.2.2 Define Data Security Policy
• Data security policy is a collaborative effort of IT security administrators, data stewards, internal and external audit teams, and the legal department. It is reviewed and approved by the Data Governance Council.
• IT security policy and data security policy are often part of a combined security policy; however, they should be separated out.
• Data security policies are more granular in nature and take a very data-centric approach.
• Defining directory structures and an identity management framework can be an IT security policy component,
• whereas defining the individual application and database roles, user groups, and password standards can be part of the data security policy.
7.2.3 Define Data Security Standards
• Organizations should design their own security controls, demonstrate that they meet the requirements of the law and regulations, and document them.
• IT strategy and standards can also influence:
• Tools used to manage data security
• Data encryption standards and mechanisms.
• Access guidelines to external vendors and contractors.
• Data transmission protocols over the internet.
• Documentation requirements.
• Remote access standards.
• Security breach incident reporting procedures.
7.2.3 Define Data Security Standards
• Physical Security standards, as part of enterprise IT policies:
• Access to data using mobile devices.
• Storage of data on portable devices such as laptops, DVDs, or USB drives.
• Disposal of these devices in compliance with records management
policies.
• The focus should be on quality and consistency, not creating a huge body of
guidelines.
• Should be in a format that is easily accessible by suppliers, consumers, and
stakeholders.
• Should satisfy the four A's: authentication, authorization, access, and audit.
7.2.4 Define Data Security Controls and
Procedures
• Implementation and administration of data security policy is primarily the responsibility of security administrators. Database security is often one responsibility of the DBAs.
• Implement proper controls to meet the objectives of the pertinent laws.
• Implement a process to validate assigned permissions against the change management system used for tracking all user permission requests.
• The control may also require a workflow approval process or a signed paper form to record and document each request.
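The validation process described in this slide, worked through as an added example (this code is not from the slides): the privileges that actually exist on a database are reconciled against the change management system's record of permission requests, so that any grant with no approved ticket behind it is flagged for review or revocation, and any approved ticket that was never provisioned is flagged too. The grants, tickets and object names below are constructed sample data.

```python
"""Validate assigned permissions against the change management system.

Added example, not from the slides: reconciles the privileges that actually
exist on a database with the approved permission requests recorded in a change
management system. Every record below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, NamedTuple, Tuple


class Grant(NamedTuple):
    user: str
    obj: str        # table, view or schema the privilege applies to
    privilege: str  # SELECT, INSERT, UPDATE, ...


@dataclass(frozen=True)
class ChangeRequest:
    ticket: str
    user: str
    obj: str
    privilege: str
    status: str     # "approved", "pending", "rejected", "revoked"


# Constructed: what the security administrator sees on the database today.
ACTUAL_GRANTS = [
    Grant("alice", "hr.salary", "SELECT"),
    Grant("bob", "hr.salary", "SELECT"),
    Grant("bob", "hr.salary", "UPDATE"),   # no approved ticket backs this one
    Grant("carol", "sales.orders", "SELECT"),
]

# Constructed: the change management system's record of permission requests.
CHANGE_REQUESTS = [
    ChangeRequest("CHG-101", "alice", "hr.salary", "SELECT", "approved"),
    ChangeRequest("CHG-102", "bob", "hr.salary", "SELECT", "approved"),
    ChangeRequest("CHG-103", "carol", "sales.orders", "SELECT", "approved"),
    ChangeRequest("CHG-104", "dave", "sales.orders", "SELECT", "approved"),  # approved, never provisioned
    ChangeRequest("CHG-105", "bob", "hr.salary", "UPDATE", "pending"),       # pending is not approval
]


def reconcile(grants: Iterable[Grant],
              requests: Iterable[ChangeRequest]) -> Tuple[List[Grant], List[Tuple[str, Grant]]]:
    """Return (unapproved_grants, unprovisioned_approvals).

    unapproved_grants: grants with no approved ticket -> review or revoke.
    unprovisioned_approvals: (ticket, grant) pairs approved but not yet in place.
    Only status == "approved" counts; pending or rejected tickets justify nothing.
    """
    approved = {Grant(r.user, r.obj, r.privilege): r.ticket
                for r in requests if r.status == "approved"}
    actual = set(grants)
    unapproved = sorted(g for g in actual if g not in approved)
    unprovisioned = sorted((approved[g], g) for g in approved if g not in actual)
    return unapproved, unprovisioned


if __name__ == "__main__":
    bad, missing = reconcile(ACTUAL_GRANTS, CHANGE_REQUESTS)
    for g in bad:
        print(f"UNAPPROVED: {g.user} has {g.privilege} on {g.obj}")
    for ticket, g in missing:
        print(f"NOT PROVISIONED: {ticket} approved {g.privilege} on {g.obj} for {g.user}")
```

Run on a schedule, the unapproved list is the evidence an auditor asks for under 7.2.9; the unprovisioned list catches approvals that were signed off but never actioned, which is the other half of keeping the change record and the database in step.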
7.2.5 Manage Users, Passwords, and Group Membership
• Access and update privileges can be granted to individual user accounts. However, this may result in redundant effort.
• Role groups enable security administrators to define privileges by role, and to grant these privileges to users by enrolling them in the group.
• Try to assign each user to only one role group.
• Construct group definitions at the workgroup level and organize roles in a hierarchy, so that child roles restrict the privileges of parent roles (roles management, Figure 7.2).
• Security administrators create, modify and delete user accounts and groups.
• Changes made to the group taxonomy and membership should require some level
of approval, and tracking using a change management system.
• Data consistency in user and group management is a challenge in a
heterogeneous environment.
• To avoid data integrity issues, manage user identity data and role-group
membership data centrally.
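The role hierarchy this slide describes, as an added example that is not from the slides: a child role may only narrow its parent's privileges, never widen them, and each user is enrolled in exactly one role group held in a single central membership map. Role names, privilege strings and users are constructed.

```python
"""Role groups organized in a hierarchy where child roles restrict parent roles.

Added example, not from the slides. A child role inherits its parent's
privileges minus an explicit removal set, so a child can never hold a privilege
its parent lacks. Membership is kept centrally, one role group per user.
Role names and privilege strings below are constructed.
"""
from typing import Dict, Optional, Set


class RoleHierarchy:
    def __init__(self) -> None:
        self._parent: Dict[str, Optional[str]] = {}
        self._privs: Dict[str, Set[str]] = {}
        self._members: Dict[str, str] = {}   # user -> the single role group

    def define_root(self, role: str, privileges: Set[str]) -> None:
        """A root role is the only place privileges are granted outright."""
        self._parent[role] = None
        self._privs[role] = set(privileges)

    def define_child(self, role: str, parent: str, remove: Set[str]) -> None:
        """A child role is the parent's privileges minus `remove`.

        Trying to remove a privilege the parent never had is rejected, since it
        usually means the hierarchy has been misread.
        """
        if parent not in self._privs:
            raise KeyError(f"unknown parent role {parent!r}")
        unknown = remove - self._privs[parent]
        if unknown:
            raise ValueError(f"{role}: cannot restrict privileges the parent lacks: {sorted(unknown)}")
        self._parent[role] = parent
        self._privs[role] = self._privs[parent] - remove

    def privileges(self, role: str) -> Set[str]:
        return set(self._privs[role])

    def enroll(self, user: str, role: str) -> None:
        """Enrol a user in one role group; re-enrolling moves them (one role per user)."""
        if role not in self._privs:
            raise KeyError(f"unknown role {role!r}")
        self._members[user] = role

    def may(self, user: str, privilege: str) -> bool:
        """Default deny: an unenrolled user holds no privileges at all."""
        role = self._members.get(user)
        return role is not None and privilege in self._privs[role]


def build_demo() -> RoleHierarchy:
    # Constructed hierarchy: manager > analyst > intern, each step narrowing access.
    h = RoleHierarchy()
    h.define_root("hr_manager", {"hr.salary:SELECT", "hr.salary:UPDATE", "hr.employee:SELECT"})
    h.define_child("hr_analyst", "hr_manager", remove={"hr.salary:UPDATE"})
    h.define_child("hr_intern", "hr_analyst", remove={"hr.salary:SELECT"})
    h.enroll("alice", "hr_manager")
    h.enroll("bob", "hr_analyst")
    h.enroll("chen", "hr_intern")
    return h


if __name__ == "__main__":
    h = build_demo()
    for role in ("hr_manager", "hr_analyst", "hr_intern"):
        print(role, sorted(h.privileges(role)))
```

Because `define_child` can only subtract, the full set of privileges anyone can reach is visible in the root definitions, which is what makes the taxonomy reviewable under a change management process.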
7.2.5.1 Password Standards and Procedures
• Passwords are the first line of defense in protecting access to data.
• Typical password complexity requirements require a password to:
• Contain at least 8 characters.
• Contain an uppercase letter and a numeral.
• Not be the same as the username.
• Not be the same as the previous 5 passwords used.
• Not contain complete dictionary words in any language.
• Not be incremental (password1, Password2, etc.).
• Not have two characters repeated sequentially.
• Avoid using adjacent characters from the keyboard.
• If the system supports a space in passwords, then a 'pass phrase' can be used.
• The capability 'single-sign-on' should be implemented.
• Users are required to change their passwords every 45 to 60 days.
• Security administrators and help desk analysts assist in troubleshooting and
resolving password related issues.
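The complexity rules listed on this slide, implemented as an added example (not code from the slides): the checker returns the name of every rule a candidate fails rather than a single yes/no, which is what a help desk analyst needs when explaining a rejection. The mini dictionary, keyboard rows and password history are constructed stand-ins; a real deployment would load a full word list and read the directory's stored history.

```python
"""Password complexity checker for the slide's typical requirements.

Added example, not from the slides. DICTIONARY and KEYBOARD_ROWS are constructed
stand-ins; the password history passed in is constructed too. check_password()
returns the list of rule names the candidate violates (empty = accepted).
"""
import re
from typing import List, Sequence

# Constructed mini dictionary; a production check would load a real word list.
DICTIONARY = {"password", "welcome", "summer", "dragon", "secret"}

# Keyboard rows used to detect adjacent-key sequences such as "qwe" or "asd".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _stem(pw: str) -> str:
    """Lower-case and strip a trailing digit run, so "Password2" -> "password"."""
    return re.sub(r"\d+$", "", pw).lower()


def _has_keyboard_run(pw: str, length: int = 3) -> bool:
    """True if the password contains `length` keys that sit next to each other on a row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seq = row[i:i + length]
            if seq in low or seq[::-1] in low:
                return True
    return False


def check_password(candidate: str, username: str, history: Sequence[str]) -> List[str]:
    """Return the names of every rule the candidate violates."""
    failures: List[str] = []
    low = candidate.lower()
    recent = list(history)[-5:]           # only the previous 5 passwords matter
    if len(candidate) < 8:
        failures.append("min_length")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"\d", candidate)):
        failures.append("uppercase_and_digit")
    if low == username.lower():
        failures.append("equals_username")
    if candidate in recent:
        failures.append("reused_recent")
    if any(word in low for word in DICTIONARY):
        failures.append("dictionary_word")
    if any(_stem(candidate) == _stem(old) for old in recent):
        failures.append("incremental")     # same stem as an old password, digits bumped
    if re.search(r"(.)\1", candidate):
        failures.append("repeated_char")
    if _has_keyboard_run(candidate):
        failures.append("keyboard_adjacent")
    # Spaces are deliberately allowed so that pass phrases pass unchanged.
    return failures


if __name__ == "__main__":
    for pw in ("Password2", "qwerty12", "Blue Tango 7 Marmalade"):
        print(repr(pw), check_password(pw, "bob", ["Password1"]))
```

The incremental check compares stems after stripping trailing digits, so "Password2" is caught against a history entry of "Password1" even though the strings differ; the dictionary check is a substring match, so "Password2" also fails the dictionary rule, which is why the two rules are reported separately.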
7.2.6 Manage Data Access Views and Permissions
• Provide valid and appropriate access to data. Control sensitive data access by granting permissions (opt-in). Without permission, a user can do nothing.
• Control data access at an individual or group level:
• Smaller organizations may find it acceptable to manage data access at the individual level.
• Larger organizations will benefit greatly from role-based access control, granting permissions to role groups.
• Relational database views provide another important mechanism for data security, enabling restriction of the data in tables to certain rows based on data values.
• Access control degrades when achieved through shared or service accounts.
• Evaluate the use of such accounts carefully, and never use them frequently or by default.
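The two mechanisms on this slide, opt-in permissions and row-restricting views, shown together as an added example (not from the slides) using Python's built-in sqlite3. SQLite has no GRANT statement, so the opt-in map that ties a user to the views they may read is a Python dictionary here; in a production RDBMS the same shape is achieved by granting SELECT on the view and nothing on the base table. The employee table and users are constructed.

```python
"""Row- and column-restricting views plus an opt-in permission map.

Added example, not from the slides. Uses the standard-library sqlite3 module
and a constructed employee table. PERMITTED_VIEWS stands in for GRANT
statements, which SQLite lacks; the default is deny.
"""
import sqlite3
from typing import Dict, List, Tuple


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employee (
            id INTEGER PRIMARY KEY, name TEXT, dept TEXT, salary INTEGER
        );
        INSERT INTO employee VALUES
            (1, 'Alice', 'HR',    90000),
            (2, 'Bob',   'Sales', 70000),
            (3, 'Carol', 'Sales', 72000),
            (4, 'Dan',   'Eng',  110000);
        -- Row restriction: only the Sales department's rows are visible.
        CREATE VIEW v_sales_employee AS
            SELECT id, name, dept, salary FROM employee WHERE dept = 'Sales';
        -- Column restriction: the directory without the confidential salary column.
        CREATE VIEW v_directory AS
            SELECT id, name, dept FROM employee;
    """)
    return con


# Constructed opt-in permission map: a user may read only the views listed here.
# Nobody is mapped to the base table, so no user can reach it through read().
PERMITTED_VIEWS: Dict[str, List[str]] = {
    "sales_lead": ["v_sales_employee", "v_directory"],
    "receptionist": ["v_directory"],
}


def read(con: sqlite3.Connection, user: str, view: str) -> List[Tuple]:
    """Return rows from `view` if the user holds an opt-in permission on it.

    The view name is interpolated into the query only after it has been
    matched against the permission map, so arbitrary names never reach SQL.
    """
    if view not in PERMITTED_VIEWS.get(user, []):
        raise PermissionError(f"{user} has no permission on {view}")
    return con.execute(f"SELECT * FROM {view} ORDER BY id").fetchall()


if __name__ == "__main__":
    con = build_db()
    print(read(con, "sales_lead", "v_sales_employee"))
    print(read(con, "receptionist", "v_directory"))
```

The point to notice is that the base table is never in anyone's permission list: a reader who needs salary data for one department gets a view whose WHERE clause encodes that restriction, so the restriction cannot be forgotten by a query author.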
7.2.7 Monitor User Authentication and Access Behavior
• Monitoring authentication and access behavior is critical because:
• It provides information about who is connecting and accessing information
assets, which is a basic requirement for compliance auditing.
• It alerts security administrators to unforeseen situations, compensating for
oversights in data security planning, design, and implementation.
• Monitoring helps detect unusual or suspicious transactions that may warrant
further investigation and issue resolution.
• Systems containing confidential information such as salary and financial data commonly implement active, real-time monitoring that sends notifications to the data stewards.
7.2.7 Monitor User Authentication and Access Behavior
• Passive monitoring tracks changes over time by taking snapshots of the
current state of a system at regular intervals and comparing trends against a
benchmark or defined set of criteria.
• Automated monitoring does impose an overhead on the underlying systems.
• Enforce monitoring at several layers or data touch points. Monitoring can be:
• Application specific.
• Implemented for certain users and / or role groups.
• Implemented for certain privileges.
• Used for data integrity validation.
• Implemented for configuration and core meta-data validation.
• Implemented across heterogeneous systems for checking dependencies.
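Both monitoring styles from these two slides, as an added example that is not from the slides: active monitoring raises an alert as each access-log line arrives (repeated login failures, or a user touching a confidential object they are not cleared for), while passive monitoring compares periodic snapshots of user privileges against an approved benchmark. The log lines, their key=value layout, the cleared-user list and the snapshots are all constructed assumptions, not a real product's format.

```python
"""Active and passive monitoring of authentication and access behaviour.

Added example, not from the slides. SAMPLE_LOG, SNAPSHOTS and BENCHMARK are
constructed; the "timestamp key=value ..." line layout is an assumption for
the example, not any vendor's log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

CONFIDENTIAL_OBJECTS = {"hr.salary", "fin.ledger"}
CLEARED_USERS = {"alice"}                # constructed: users whose role may touch them
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")

# Constructed access log: a burst of failed logins, then a success, then two reads.
SAMPLE_LOG = [
    "2024-05-02T09:15:01Z user=bob src=10.0.0.5 action=LOGIN result=FAIL",
    "2024-05-02T09:15:20Z user=bob src=10.0.0.5 action=LOGIN result=FAIL",
    "2024-05-02T09:15:45Z user=bob src=10.0.0.5 action=LOGIN result=FAIL",
    "2024-05-02T09:16:10Z user=bob src=10.0.0.5 action=LOGIN result=OK",
    "2024-05-02T09:17:00Z user=alice src=10.0.0.9 action=SELECT object=hr.salary result=OK",
    "2024-05-02T09:18:30Z user=bob src=10.0.0.5 action=SELECT object=hr.salary result=OK",
]

# Constructed privilege snapshots taken at two intervals, and the approved state.
SNAPSHOTS = [
    {"alice": {"hr.salary:SELECT"}, "bob": {"sales.orders:SELECT"}},
    {"alice": {"hr.salary:SELECT"}, "bob": {"sales.orders:SELECT", "hr.salary:SELECT"}},
]
BENCHMARK = {"alice": {"hr.salary:SELECT"}, "bob": {"sales.orders:SELECT"}}


def parse(line: str) -> Dict[str, str]:
    """Split "ts k=v k=v ..." into a dict; the timestamp is stored under "ts"."""
    ts, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def active_monitor(lines: List[str]) -> List[str]:
    """Real-time style: emit one alert string per suspicious event, in arrival order."""
    alerts: List[str] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse(line)
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        user = ev["user"]
        if ev["action"] == "LOGIN" and ev["result"] == "FAIL":
            # Keep only failures inside the sliding window, then add this one.
            failures[user] = [x for x in failures[user] if t - x <= FAILED_LOGIN_WINDOW] + [t]
            if len(failures[user]) == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{ev['ts']} repeated login failures for {user} from {ev['src']}")
        elif ev.get("object") in CONFIDENTIAL_OBJECTS and user not in CLEARED_USERS:
            alerts.append(f"{ev['ts']} {user} performed {ev['action']} on confidential {ev['object']}")
    return alerts


def passive_monitor(snapshots: List[Dict[str, Set[str]]],
                    benchmark: Dict[str, Set[str]]) -> List[str]:
    """Snapshot style: report privileges present in a snapshot but absent from the benchmark."""
    findings: List[str] = []
    for i, snap in enumerate(snapshots):
        for user in sorted(set(snap) | set(benchmark)):
            extra = snap.get(user, set()) - benchmark.get(user, set())
            if extra:
                findings.append(f"snapshot {i}: {user} gained {sorted(extra)}")
    return findings


if __name__ == "__main__":
    for a in active_monitor(SAMPLE_LOG):
        print("ALERT", a)
    for f in passive_monitor(SNAPSHOTS, BENCHMARK):
        print("DRIFT", f)
```

The active path costs a dictionary update per line, which is the overhead the slide warns about; the passive path costs nothing between intervals, but only sees a change after the next snapshot, so the two complement each other rather than compete.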
7.2.8 Classify Information Confidentiality
• A simple confidentiality classification schema is used to classify an enterprise's data and information products.
• The schema has five confidentiality levels:
• For General Audiences: available to everyone.
• Internal Use Only: information limited to employees or members.
• Confidential: information that should not be shared outside the organization.
• Restricted Confidential: information limited to individuals performing certain roles with the "need to know".
• Registered Confidential: information for which anyone accessing it must sign a legal agreement.
• Classify documents and reports, through labeling, based on the highest level of confidentiality of any information found within the document.
• Correctly classify and label the appropriate confidentiality level for each document.
• Also, classify databases, relational tables, columns, and views. Information
confidentiality classification is an important meta-data characteristic, guiding
how users are granted access privileges.
• Data Stewards are responsible for evaluating and determining the appropriate
confidentiality level for data.
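The classification rules on this slide as an added example, not from the slides: the five levels are ordered, a document or view takes the highest level of anything it contains, and the label is then used as metadata when deciding a grant, with the Registered Confidential level additionally requiring a signed agreement. The column-level labels are constructed sample metadata.

```python
"""Confidentiality classification as metadata that guides access grants.

Added example, not from the slides. Encodes the slide's five ordered levels,
derives a container's label from the highest level it holds, and checks a
requested grant against a requester's clearance. COLUMN_LEVELS is constructed.
"""
from typing import Dict, Iterable

LEVELS = [
    "For General Audiences",
    "Internal Use Only",
    "Confidential",
    "Restricted Confidential",
    "Registered Confidential",
]
RANK = {name: i for i, name in enumerate(LEVELS)}   # higher index = more sensitive


def classify(part_levels: Iterable[str]) -> str:
    """Label = the highest level of any part; an empty container is public."""
    levels = list(part_levels)
    if not levels:
        return LEVELS[0]
    unknown = [lvl for lvl in levels if lvl not in RANK]
    if unknown:
        raise ValueError(f"unknown classification level(s): {unknown}")
    return max(levels, key=RANK.__getitem__)


# Constructed column-level metadata for one table, as a data steward would record it.
COLUMN_LEVELS: Dict[str, str] = {
    "employee.name": "Internal Use Only",
    "employee.dept": "Internal Use Only",
    "employee.salary": "Restricted Confidential",
    "employee.ssn": "Registered Confidential",
}


def view_level(columns: Iterable[str]) -> str:
    """A view inherits the highest classification among the columns it exposes."""
    return classify(COLUMN_LEVELS[c] for c in columns)


def may_grant(requester_clearance: str, level: str, has_signed_agreement: bool) -> bool:
    """Grant only if clearance covers the level; Registered Confidential also needs a signed agreement."""
    if RANK[requester_clearance] < RANK[level]:
        return False
    if level == "Registered Confidential" and not has_signed_agreement:
        return False
    return True


if __name__ == "__main__":
    cols = ["employee.name", "employee.salary"]
    print(cols, "->", view_level(cols))
    print("grant to Confidential clearance:", may_grant("Confidential", view_level(cols), False))
```

Labelling a view from its columns is the same rule as labelling a document from its sections, so a report built on a view can be labelled mechanically from the steward's column metadata rather than by re-reading its contents.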
7.2.9 Audit Data Security
• Auditing data security is a recurring control activity with responsibility to
analyze, validate, counsel, and recommend policies, standards, and
activities related to data security management.
• Data security auditors
• should not have direct responsibility for the activities being audited;
• provide management and the Data Governance Council with objective, unbiased assessments and rational, practical recommendations.
• Data security policy statements, standards documents, implementation guides, change requests, access monitoring logs, report outputs, and other records form the basis of auditing.
7.2.9 Audit Data Security
• Auditing data security includes:
• Analyzing data security policy and standards against best practices and needs.
• Analyzing implementation procedures and actual practices to ensure consistency with data security goals, policies, standards, guidelines, and desired outcomes.
• Assessing whether existing standards and procedures are adequate and in alignment with
business and technology requirements.
• Verifying the organization is in compliance with regulatory requirements.
• Reviewing the reliability and accuracy of data security audit data.
• Evaluating escalation procedures and notification mechanisms in the event of data security
breach.
• Reviewing contracts, data sharing agreements, and data security obligations of outsourced and
external vendors, ensuring they meet their obligations, and ensuring the organization meets its
obligations for externally sourced data.
• Reporting to senior management, data stewards, and other stakeholders on the ‘State of Data
Security’ within the organization and the maturity of its practices.
• Recommending data security design, operational, and compliance improvements.
• Auditing data security is no substitute for effective management of data security.
• Auditing is a supportive, repeatable process, which should occur regularly,
efficiently, and consistently.
7.3 Data Security in an Outsourced World
• Outsourcing operations is an option for any organization and may well happen; only liability cannot be outsourced.
• Outsourcing IT operations introduces additional data security challenges and responsibilities, because the number of people sharing accountability for data access grows.
• This leads to responsibilities being explicitly defined as contractual obligations.
• Contracts must specify the responsibilities and expectations of each role.
• Risks are escalated to include the outsource vendor (external risk as well as internal risk).
7.3 Data Security in an Outsourced World, continued
• Transferring control, but not accountability, requires tighter risk management and control mechanisms, such as:
• Service level agreements.
• Limited liability provisions in the outsourcing contract.
• Right-to-audit clauses in the contract.
• Clearly defined consequences for breaching contractual obligations.
• Frequent data security reports from the service vendor.
• Independent monitoring of vendor system activity.
• More frequent and thorough data security auditing.
• Constant communication with the service vendor.
• In an outsourced environment, "chain of custody" analysis should be maintained for CRUD (create, read, update, delete) processes.
• RACI (Responsible, Accountable, Consulted, and Informed) matrices help clarify the roles, duties, and responsibilities for data security requirements, and can be part of the contractual agreements.
• Outsourcing IT operations requires appropriate compliance mechanisms.

More Related Content

PPT
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
PPT
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
PPT
Lecture 2 - Security Requirments.ppt
PPTX
CISSP - Chapter 2 - Asset Security
PPTX
ISStateGovtProposal
PPTX
Secuntialesse
PPTX
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
PDF
Toreon adding privacy by design in secure application development oss18 v20...
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
4_25655_SE731_2020_1__2_1_Lecture 2 - Security Requirments.ppt
Lecture 2 - Security Requirments.ppt
CISSP - Chapter 2 - Asset Security
ISStateGovtProposal
Secuntialesse
SQLCAT: Addressing Security and Compliance Issues with SQL Server 2008
Toreon adding privacy by design in secure application development oss18 v20...

Similar to chapter7-220725121544-6a1c05a5.pdf (20)

PPTX
LOW LEVEL DESIGN INSPECTION SECURE CODING
PPTX
Why We Require GDPR?
PPTX
gkknwqeq3232,sqSecurity essentials domain 3
PDF
Flash Friday: Data Quality & GDPR
PPTX
Cybertopicsecurity_3
PDF
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
PPTX
Microsoft Cloud GDPR Compliance Options (SUGUK)
PPTX
Chapter 2: Data Management Overviews
PDF
chapter2-220725121543-2788abac.pdf
PPTX
Data Governance Overview - Doreen Christian
PPTX
GDPR Part 2: Quest Relevance
PDF
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
PPTX
Data Governance without AI Course Week 2.pptx
PDF
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
PDF
Accelerating Regulatory Compliance for IBM i Systems
PPTX
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
PDF
I Series User Management
PDF
Data Governance Maturity Levels
PDF
9-Requirements Engineering process, Requirement Elicitation-21-01-2025.pdf
LOW LEVEL DESIGN INSPECTION SECURE CODING
Why We Require GDPR?
gkknwqeq3232,sqSecurity essentials domain 3
Flash Friday: Data Quality & GDPR
Cybertopicsecurity_3
ISO 27001 Awareness IGN Mantra 2nd Day, 2nd Session.
Microsoft Cloud GDPR Compliance Options (SUGUK)
Chapter 2: Data Management Overviews
chapter2-220725121543-2788abac.pdf
Data Governance Overview - Doreen Christian
GDPR Part 2: Quest Relevance
Ethyca CodeDriven - Data Privacy Compliance for Engineers & Data Teams
Data Governance without AI Course Week 2.pptx
Hitachi ID Access Certifier: Find and remove stale privileges with periodic r...
Accelerating Regulatory Compliance for IBM i Systems
PCI Compliance: How to Remain Compliant and Gain Near Real-Time Analytics on ...
I Series User Management
Data Governance Maturity Levels
9-Requirements Engineering process, Requirement Elicitation-21-01-2025.pdf
Ad

More from MahmoudSOLIMAN380726 (11)

PDF
6 to 8 year roadmap.pdf
PDF
chapter12-220725121546-610a1427.pdf
PDF
chapter11-220725121546-671fc36c.pdf
PDF
chapter10-220725121546-5c59bc1a.pdf
PDF
chapter9-220725121547-5ed13e4d.pdf
PDF
chapter8-220725121547-f85998bb.pdf
PDF
chapter5-220725172250-dc425eb2.pdf
PDF
chapter3-220725142737-bf613658.pdf
PDF
chapter4-220725121544-5ef6271b.pdf
PDF
chapter1-220725121543-7c158b33.pdf
PDF
Data Governance Process.pdf
6 to 8 year roadmap.pdf
chapter12-220725121546-610a1427.pdf
chapter11-220725121546-671fc36c.pdf
chapter10-220725121546-5c59bc1a.pdf
chapter9-220725121547-5ed13e4d.pdf
chapter8-220725121547-f85998bb.pdf
chapter5-220725172250-dc425eb2.pdf
chapter3-220725142737-bf613658.pdf
chapter4-220725121544-5ef6271b.pdf
chapter1-220725121543-7c158b33.pdf
Data Governance Process.pdf
Ad

Recently uploaded (20)

PDF
Unit I -OPERATING SYSTEMS_SRM_KATTANKULATHUR.pptx.pdf
PPTX
AI-Reporting for Emerging Technologies(BS Computer Engineering)
PDF
ASPEN PLUS USER GUIDE - PROCESS SIMULATIONS
DOCX
ENVIRONMENTAL PROTECTION AND MANAGEMENT (18CVL756)
PDF
UEFA_Embodied_Carbon_Emissions_Football_Infrastructure.pdf
PDF
MLpara ingenieira CIVIL, meca Y AMBIENTAL
PPTX
CS6006 - CLOUD COMPUTING - Module - 1.pptx
PDF
Project_Mgmt_Institute_-Marc Marc Marc .pdf
PDF
VTU IOT LAB MANUAL (BCS701) Computer science and Engineering
DOCX
An investigation of the use of recycled crumb rubber as a partial replacement...
PDF
MACCAFERRY GUIA GAVIONES TERRAPLENES EN ESPAÑOL
PPTX
Micro1New.ppt.pptx the mai themes of micfrobiology
PPTX
Module1.pptxrjkeieuekwkwoowkemehehehrjrjrj
PPTX
Environmental studies, Moudle 3-Environmental Pollution.pptx
PDF
IAE-V2500 Engine Airbus Family A319/320
PPTX
chapter 1.pptx dotnet technology introduction
PPTX
Chapter-8 Introduction to Quality Standards.pptx
PPT
UNIT-I Machine Learning Essentials for 2nd years
PDF
electrical machines course file-anna university
PDF
UEFA_Carbon_Footprint_Calculator_Methology_2.0.pdf
Unit I -OPERATING SYSTEMS_SRM_KATTANKULATHUR.pptx.pdf
AI-Reporting for Emerging Technologies(BS Computer Engineering)
ASPEN PLUS USER GUIDE - PROCESS SIMULATIONS
ENVIRONMENTAL PROTECTION AND MANAGEMENT (18CVL756)
UEFA_Embodied_Carbon_Emissions_Football_Infrastructure.pdf
MLpara ingenieira CIVIL, meca Y AMBIENTAL
CS6006 - CLOUD COMPUTING - Module - 1.pptx
Project_Mgmt_Institute_-Marc Marc Marc .pdf
VTU IOT LAB MANUAL (BCS701) Computer science and Engineering
An investigation of the use of recycled crumb rubber as a partial replacement...
MACCAFERRY GUIA GAVIONES TERRAPLENES EN ESPAÑOL
Micro1New.ppt.pptx the mai themes of micfrobiology
Module1.pptxrjkeieuekwkwoowkemehehehrjrjrj
Environmental studies, Moudle 3-Environmental Pollution.pptx
IAE-V2500 Engine Airbus Family A319/320
chapter 1.pptx dotnet technology introduction
Chapter-8 Introduction to Quality Standards.pptx
UNIT-I Machine Learning Essentials for 2nd years
electrical machines course file-anna university
UEFA_Carbon_Footprint_Calculator_Methology_2.0.pdf

chapter7-220725121544-6a1c05a5.pdf

  • 2. Objectives: • 7.1 Introduction • 7.2 Concepts and Activities • 7.2.1 Understand Data Security Needs and Regulatory Requirements • 7.2.1.1 Business Requirements • 7.2.1.2 Regulatory Requirements • 7.2.2 Define Data Security Policy • 7.2.3 Define Data Security Standards • 7.2.4 Define Data Security Controls and Procedures • 7.2.5 Manage Users, Passwords, and Group Membership • 7.2.5.1 Password Standards and Procedures • 7.2.6 Manage Data Access Views and Permissions • 7.2.7 Monitor User Authentication and Access Behavior • 7.2.8 Classify Information Confidentially • 7.2.9 Audit Data Security • 7.3 Data Security in Outsourced World
  • 3. 7 Data Security Management • Data Security is the fifth Data Management Function in the Data Management framework in Chapter 1. • Fourth data management function that interacts with and influenced by Data Governance function. • In this Chapter, we will defined the Data Security Management Function and Explains the Concepts and Activities involved in Data Security Management.
  • 4. 7.1 Introduction: • Data Security Management is the Planning, Development, and Execution of Security Policies and Procedures to Provide Proper Authentication, Authorization, Access, and Auditing of Data and Information assists. • Effective Data Security Policies and Procedures ensure that the right people can use and update data in the right way and all inappropriate access and update is restricted. • Understanding and complying with privacy and confidentiality interests and needs of all stakeholders is in the best interest of any organization. • Establishes judicious governance mechanisms that are easy enough to abide by a daily operational basis by all stakeholders.
  • 6. 7.2 Concepts and Activities • The Goal is to protect information assets in alignment with privacy and confidentiality regulations and business requirements. • The sources of Data Security management requirement come from: • Stakeholder concerns: including clients, patients, students…etc. • Government Regulations: protect stakeholder interests. Some of them restrict access to information, while other ensure openness, transparency, and accountability. • Proprietary Business Concerns: ensuring competitive advantage provided by intellectual property and intimate knowledge of customer needs. • Legitimate access Needs: Data security implementers must understand legitimate need for data access.
  • 7. 7.2 Concepts and Activities • Data Security requirements and procedures to meet these requirements can be categorized into four basic groups: • Authentication: Validate users are who they say they are. • Authorization: Identify the right individuals and grant them the right privileges to specific, appropriate views of data. • Access: Enable these individuals and their privileges in a timely manner. • Audit: Review Security actions and user activity to ensure compliance with regulations and conformance with policy and standards.
  • 8. •7.2.1 Understand Data Security Needs and Regulatory Requirements • Important to distinguish between rules and procedures, and the rules imposed by application software products. • Application systems serve as vehicles to enforce business rules and procedures. • It is common for these systems to have their own unique set of data security requirements over and above those required for business processes. • These unique requirements are becoming more common with packaged and off- the-shelf systems. • Therefore, this activity divide into two sub-activities: • 7.2.1.1 Business Requirements • 7.2.1.2 Regulatory Requirements
  • 9. •7.2.1.1 Business Requirements • Begin with a through understanding of business requirements. • Business mission and strategy percolates through data strategy must be the guiding factor in planning data security policy. • Address short-term and long-term goals to achieve a balanced and effective data security function. • There is a degree of data security defined through the business needs of an enterprise depending on the size of enterprises and the choice to have extended data security. • The security is touch points means every business rules and processes have its own security requirements. Therefore, tools such as “Data-to-process” and “Data –to-role” relationship matrices are useful tools to map these needs. • Identify detailed application security requirements in the analysis phase of every systems development project.
  • 10. •7.2.1.2 Regulatory Requirements • Organizations required to comply with growing set of regulations. • The ethical and legal issues facing organizations in the information age are leading governments to establish new laws and standards. • Requirements of several newer regulations, like: • United States Sarbanes-Oxley Act of 2002, Canadian Bill 198 • CLEBRP Act of Australia • Have all imposed strict security controls on information management. • The European Union’s Basel II Accord • imposes information controls for all financial institutions doing business in related countries. • In Saudi Arabia, NDMO Related to SADIA • imposes information controls for all government and non-government sectors related to Information.
  • 11. •7.2.2 Define Data Security Policy • Data Security Policy is a collaborative effort from IT security administrators, Data Stewards, internal and external audit teams, and legal department. Reviewed and approved from Data Governance council. • IT security policy and Data Security Policy is part of combined Security Policy. However, Should separate them out. • Data Security Policies are more granular in nature and take a very data-centric approach. • Defining directory structures and an identity management framework can be IT Security Policy component, • Whereas defining the individual application, Database roles, User groups, and password standards can be part of the Data Security Policy.
  • 12. 7.2.3 Define Data Security Standards • Organizations should design their own Security controls, demonstrate them to meet the requirements of the law and regulations and document them. • IT strategy and standards can also influence: • Tools used to manage data security • Data encryption standards and mechanisms. • Access guidelines to external vendors and contractors. • Data transmission protocols over the internet. • Documentation requirements. • Remote access standards. • Security breach incident reporting procedures.
  • 13. 7.2.3 Define Data Security Standards • Physical Security standards, as part of enterprise IT policies: • Access to data using mobile devices. • Storage of data on portable devices such as laptops, DVDs, or USB drives. • Disposal of these devices in compliance with records management policies. • The focus should be on quality and consistency, not creating a huge body of guidelines. • Should be in a format that is easily accessible by suppliers, consumers, and stakeholders. • Should be satisfying the four A’s “authentication, authorization, access and audit”
  • 14. 7.2.4 Define Data Security Controls and Procedures • Implementation and administration of data security policy is primarily the responsibility of security administrators. DB Security is often one responsibility of “DBAs”. • Implementing a proper controls to meet the objectives of pertinent laws. • Implementing a process to validate assigned permissions against change management system used for tracking all user permission requests. • The control may also require a workflow approval process or signed paper from to record and document each request.
  • 15. 7.2.5 Manage Users, Passwords, and Group Membership • Access and Update can be granted to individual user accounts. However, may results of redundant effort. • Role groups enable security administrators to define privileges by role, and to grant these privileges to users by enrolling them in. • Try to assign each user to only one role group. • Construct group definitions at a workgroup and organize roles in hierarchy, “child roles restrict the privileges of parent roles”. (roles management) Figure 7.2 • Security administrators create, modify and delete user accounts and groups. • Changes made to the group taxonomy and membership should require some level of approval, and tracking using a change management system. • Data consistency in user and group management is a challenge in a heterogeneous environment. • To avoid data integrity issues, manage user identity data and role-group membership data centrally.
  • 17. 7.2.5.1 Password Standards and Procedures • Passwords are the first line of defense in protecting access to data. • Typical password complexity requirements require a password to: • Contain at least 8 characters. • Contain an uppercase letter and a numeral. • Not be the same as the username • Not be the same as the previous 5 passwords used. • Not contain Complete dictionary words in any language. • Not be incremental (password1, Password2, etc). • Not have two characters repeated sequentially. • Avoid using adjacent characters from the keyboard. • If the system supports a space in passwords, then a ‘pass phrase’ can be used. • The capability ‘single-sign-on’ should be implemented. • Users to change their passwords every 45 to 60 days is required. • Security administrators and help desk analysts assist in troubleshooting and resolving password related issues.
  • 18. 7.2.6 Manage Data Access Views and Permissions • Valid and appropriate access to data. Control sensitive data access by granting permissions (opt-in). Without permission, a user can do nothing. • Control data access at an individual or group level: • Smaller organizations may find it acceptable to manage data access. • Larger organizations will benefit greatly from role-based access control, granting permissions to role groups. • RDB views provide another important mechanism for data security, enabling restrictions to data in tables to certain rows based on data values. • Access control degrades when achieved through shared or service accounts • Evaluate use of such accounts carefully, and never use them frequently or by default.
  • 19. 7.2.7 Monitor User Authentication and Access Behavior • Monitoring authentication and access behavior is critical because: • It provides information about who is connecting and accessing information assets, which is a basic requirement for compliance auditing. • It alerts security administrators to unforeseen situations, compensating for oversights in data security planning, design, and implementation. • Monitoring helps detect unusual or suspicious transactions that may warrant further investigation and issue resolution. • Systems containing confidential information such as salary, financial data, etc. commonly implement active, real-time monitoring. “send notification to the data stewards”
7.2.7 Monitor User Authentication and Access Behavior (continued)
• Passive monitoring tracks changes over time by taking snapshots of the current state of a system at regular intervals and comparing trends against a benchmark or a defined set of criteria.
• Automated monitoring does impose an overhead on the underlying systems.
• Enforce monitoring at several layers or data touch points. Monitoring can be:
  • Application specific.
  • Implemented for certain users and/or role groups.
  • Implemented for certain privileges.
  • Used for data integrity validation.
  • Implemented for configuration and core metadata validation.
  • Implemented across heterogeneous systems for checking dependencies.
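To make the active/passive distinction on these two slides concrete, the following added example (not code from the original slides or from DAMA-DMBOK) runs real-time rules over a handful of constructed access-log lines and separately diffs a periodic snapshot of privilege grants against an approved baseline. The log format, the set of confidential objects, the cleared users, the business-hours window and the bulk-read threshold are all assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed access-log lines in a simple key=value format (not from the page).
ACCESS_LOG = """\
2024-03-04T09:12:01Z user=alice object=salary action=SELECT rows=12
2024-03-04T09:40:33Z user=carol object=salary action=SELECT rows=8
2024-03-04T02:13:45Z user=bob object=salary action=SELECT rows=5000
2024-03-04T10:02:10Z user=alice object=orders action=SELECT rows=340
2024-03-04T11:30:00Z user=eve object=salary action=SELECT rows=3
"""

# Assumed policy inputs: which objects are confidential, who is cleared to read
# them, what counts as business hours (UTC) and what volume counts as bulk.
CONFIDENTIAL_OBJECTS = {"salary"}
CLEARED_USERS = {"alice", "carol", "bob"}
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 UTC
BULK_ROW_THRESHOLD = 1000

LINE_RE = re.compile(r"^(\S+) user=(\S+) object=(\S+) action=(\S+) rows=(\d+)$")

Event = Dict[str, object]
Alert = Tuple[str, str]              # (user, reason)
Grant = Tuple[str, str]              # (user, privilege)


def parse_log(text: str) -> List[Event]:
    """Parse key=value access records; malformed lines are skipped here but
    should themselves be counted and reported in a real monitor."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, obj, action, rows = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "object": obj,
                       "action": action, "rows": int(rows)})
    return events


def active_alerts(events: List[Event]) -> List[Alert]:
    """Active monitoring: rules evaluated per event as it arrives, for objects
    classified confidential. Each hit is an alert to route to the data steward."""
    alerts: List[Alert] = []
    for e in events:
        if e["object"] not in CONFIDENTIAL_OBJECTS:
            continue
        user = str(e["user"])
        if user not in CLEARED_USERS:
            alerts.append((user, "uncleared user read confidential object"))
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((user, "confidential access outside business hours"))
        if int(e["rows"]) >= BULK_ROW_THRESHOLD:
            alerts.append((user, f"bulk read of {e['rows']} rows"))
    return alerts


def snapshot_diff(baseline: Set[Grant], current: Set[Grant]) -> Dict[str, Set[Grant]]:
    """Passive monitoring: compare a periodic snapshot of (user, privilege) grants
    against the approved benchmark and report drift in either direction."""
    return {"added": current - baseline, "removed": baseline - current}


if __name__ == "__main__":
    for alert in active_alerts(parse_log(ACCESS_LOG)):
        print("ALERT", alert)
    # Constructed snapshots: bob gained a grant nobody approved; carol's disappeared.
    approved = {("alice", "SELECT salary"), ("carol", "SELECT salary")}
    observed = {("alice", "SELECT salary"), ("bob", "SELECT salary")}
    print(snapshot_diff(approved, observed))
```

In the sample, Bob is cleared but reads 5000 salary rows at 02:13, which trips two rules at once, while Eve trips the clearance rule with three rows: volume and time of day are independent signals, and the rule set keeps them separate so the steward sees both. The snapshot diff is the passive counterpart: it says nothing about individual queries, only that the set of grants drifted from the benchmark between two intervals.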
7.2.8 Classify Information Confidentiality
• A simple confidentiality classification schema is used to classify an enterprise's data and information products.
• The schema has five confidentiality levels:
  • For General Audiences: available to everyone.
  • Internal Use Only: information limited to employees or members.
  • Confidential: information that should not be shared outside the organization.
  • Restricted Confidential: information limited to individuals performing certain roles with a "need to know".
  • Registered Confidential: information so sensitive that anyone accessing it must sign a legal agreement first.
• Classify documents and reports at the highest level of confidentiality of any information found within them, and label each document with the appropriate level.
• Also classify databases, relational tables, columns, and views. Confidentiality classification is an important metadata characteristic, guiding how users are granted access privileges.
• Data stewards are responsible for evaluating and determining the appropriate confidentiality level for data.
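The "highest level wins" rule for documents applies just as well to views and reports built from classified columns, and it is where classification metadata turns into an access decision. The following added example (not code from the original slides or from DAMA-DMBOK) encodes the five-level schema as an ordered scale, derives a report's level from the steward-assigned levels of its source columns, refuses to classify anything built on an unlabeled column, and enforces the signed-agreement condition for Registered Confidential. The column metadata is constructed for illustration.

```python
from typing import Dict, Iterable

# The five-level schema from the text, ordered from least to most restrictive.
LEVELS = ["For General Audiences", "Internal Use Only", "Confidential",
          "Restricted Confidential", "Registered Confidential"]
RANK: Dict[str, int] = {level: i for i, level in enumerate(LEVELS)}

# Constructed column-level classification metadata, as a data steward would
# record it (illustrative only).
COLUMN_LEVELS: Dict[str, str] = {
    "employee.name": "Internal Use Only",
    "employee.department": "Internal Use Only",
    "employee.salary": "Restricted Confidential",
    "employee.ssn": "Registered Confidential",
    "product.catalog_price": "For General Audiences",
}


def highest_level(levels: Iterable[str]) -> str:
    """Rule from the text: an artifact takes the highest level of anything in it."""
    return max(levels, key=lambda lvl: RANK[lvl], default=LEVELS[0])


def classify_derived(columns: Iterable[str]) -> str:
    """Classify a view, report or document from the columns it exposes.

    A column without a steward-assigned level is an error, not 'public':
    defaulting unknown data to the lowest level is how leaks happen.
    """
    columns = list(columns)
    unknown = [c for c in columns if c not in COLUMN_LEVELS]
    if unknown:
        raise ValueError(f"columns without a steward-assigned level: {unknown}")
    return highest_level(COLUMN_LEVELS[c] for c in columns)


def may_access(user_clearance: str, object_level: str,
               signed_agreement: bool = False) -> bool:
    """Grant only if the clearance covers the object's level; Registered
    Confidential additionally requires the signed legal agreement."""
    if RANK[user_clearance] < RANK[object_level]:
        return False
    if object_level == "Registered Confidential" and not signed_agreement:
        return False
    return True


if __name__ == "__main__":
    payroll_report = ["employee.name", "employee.department", "employee.salary"]
    level = classify_derived(payroll_report)
    print("payroll report ->", level)
    print("HR analyst (Restricted Confidential) may read:",
          may_access("Restricted Confidential", level))
    print("intern (Internal Use Only) may read:",
          may_access("Internal Use Only", level))
```

A join of two Internal Use Only columns with one Restricted Confidential column yields a Restricted Confidential report, so the grant decision for the report is driven by its most sensitive input, not by the table it is named after.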
7.2.9 Audit Data Security
• Auditing data security is a recurring control activity with responsibility to analyze, validate, counsel, and recommend policies, standards, and activities related to data security management.
• Data security auditors:
  • Should not have direct responsibility for the activities being audited.
  • Provide management and the data governance council with objective, unbiased assessments and rational, practical recommendations.
• Data security policy statements, standards documents, implementation guides, change requests, access monitoring logs, report outputs, and other records form the basis of auditing.
7.2.9 Audit Data Security (continued)
• Auditing data security includes:
  • Analyzing data security policy and standards against best practices and needs.
  • Analyzing implementation procedures and actual practices to ensure consistency with data security goals, policies, standards, guidelines, and desired outcomes.
  • Assessing whether existing standards and procedures are adequate and in alignment with business and technology requirements.
  • Verifying that the organization is in compliance with regulatory requirements.
  • Reviewing the reliability and accuracy of data security audit data.
  • Evaluating escalation procedures and notification mechanisms in the event of a data security breach.
  • Reviewing contracts, data sharing agreements, and data security obligations of outsourced and external vendors, ensuring they meet their obligations, and ensuring the organization meets its obligations for externally sourced data.
  • Reporting to senior management, data stewards, and other stakeholders on the "State of Data Security" within the organization and the maturity of its practices.
  • Recommending data security design, operational, and compliance improvements.
• Auditing data security is no substitute for effective management of data security.
• Auditing is a supportive, repeatable process, which should occur regularly, efficiently, and consistently.
7.3 Data Security in an Outsourced World
• Outsourcing an organization's operations is an option; outsourcing its liability is not.
• Outsourcing IT operations introduces additional data security challenges and responsibilities, because more people share accountability for data access.
• Those responsibilities must be explicitly defined as contractual obligations.
• Contracts must specify the responsibilities and expectations of each role.
• Risks escalate to include the outsource vendor: external risk as well as internal risk.
7.3 Data Security in an Outsourced World (continued)
• Transferring control, but not accountability, requires tighter risk management and control mechanisms, such as:
  • Service level agreements.
  • Limited liability provisions in the outsourcing contract.
  • Right-to-audit clauses in the contract.
  • Clearly defined consequences for breaching contractual obligations.
  • Frequent data security reports from the service vendor.
  • Independent monitoring of vendor system activity.
  • More frequent and thorough data security auditing.
  • Constant communication with the service vendor.
• In an outsourced environment, maintain a "chain of custody" analysis of the CRUD (create, read, update, delete) processes applied to data.
• RACI (Responsible, Accountable, Consulted, Informed) matrices help clarify roles, duties, and responsibilities for data security requirements, and can be part of the contractual agreements.
• Outsourcing IT operations requires appropriate compliance mechanisms.