Introduction
Protecting sensitive data is the ultimate goal of all information technology and data security practices. Major objectives include avoiding identity theft, protecting data privacy, preventing resource or financial theft, and protecting against intellectual property invasion or theft.
Data Security Management is the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.
Effective data security policies and procedures ensure that the right people can use and update data as it was intended to be used, and that all inappropriate access and update is prohibited. Understanding and complying with the privacy and confidentiality interests and needs of all stakeholders is in the best interest of any organization. Client, supplier, and constituent relationships all trust in, and depend on, the responsible use of data.
Data security can be supported by an effective enterprise data strategy that includes a properly functioning data governance program. Data governance can assist in the development and management of policies and standards for data security and data privacy in conjunction with other professionals.
Data Security
Stated simply, data security is the practice of keeping data protected from corruption and unauthorized access. The focus behind data security is to ensure privacy while protecting personal or corporate data from inappropriate actions.
Effective data security policies and procedures ensure that the right people can use and update data in the right way, while restricting all inappropriate access and updates. An effective data security management function establishes judicious governance mechanisms that can be performed smoothly by all staff. A data security plan, written at the completion of the enterprise data strategy, includes all the steps for ensuring that data is collected properly, is kept safe and secured according to defined processes, is destroyed properly when not needed, and so on.
Data Privacy
Data security and data privacy are not synonyms. Privacy is defined by Webster as “the appropriate use of data.” Data security is established to ensure the following conditions for data:
More thoroughly, data privacy is the transparent handling of an individual’s personal data in accordance with the individual’s choice and consent and in a manner that prevents unauthorized disclosure while allowing permitted uses.
For businesses, privacy can include protecting the data for trade secrets, securing proprietary information about products and processes or competitive analyses and marketing and sales plans.
For governments, privacy involves such issues as the ability to collect and analyze demographic information, while protecting the confidentiality of millions of individual citizens and the country’s defense and economic plans. Simply, privacy is the true objective of security.
Data security governs the technical and physical requirements that keep data protected and confidential. Data privacy governs the data rights of individuals and organizations, and imposes requirements on the use of that data.
Data Security Requirements
Data security requirements can be categorized into four (4) basic groups (the 4 As):
Authentication
Authorization
Access
Audit
Each group has its own processes and procedures for meeting the security requirements described by stakeholders. A short definition of each term may help to clarify the group’s purposes and give some suggestion on the types of processes / procedures that would be used to implement data security.
Authentication is the process that confirms a user’s identity. The typical authentication process allows the system to identify the user, typically via a username, and then validate their identity through user-provided evidence such as a password. There are stronger methods of authenticating the user, including certificates and one-time passwords. These methods can be combined to provide a stronger combination of authentication factors.
Authorization is the process that determines what actions the user can perform. This step is usually handled by the accessed application, or by a central authorization policy followed by application-specific permissions. Authorization can be determined based on the user identity alone, but in most cases it requires additional attributes about the user, such as their role or title.
Access refers to a user’s ability to get to or retrieve data from a source. After the user has passed the authentication and authorization steps, there are processes and procedures to allow or deny the user access to data based on rules and other parameters. This access can be determined by the user’s role and the type of data stored. Data stewards write data access processes based on the recommendations of data security personnel for various levels of data (e.g., highly confidential, confidential, internal view only, publicly available). In data security parlance, this approach is called “granular access control,” since the user is permitted the right to view / retrieve / change only specific data that has been granted to that user based on their role and specific needs. It is considered to be a best practice to classify documents and reports based on the highest level of confidentiality for any information found within the document.
Audit is the process for examining the results of the previous three steps. Were all the correct processes initiated and completed according to the organization’s standards? Were all the procedures performed every time, properly and fully? What exceptions occurred? Why did those exceptions happen? Can each situation recur? Why or why not?
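The access and audit steps described above can be shown in code. The following Python is an added example, not part of the original article: it classifies a document at the highest confidentiality level of any field it contains, applies a role-based decision, and records every decision so that exceptions can be reviewed. The roles, field names and policy values are constructed for illustration, and the user is assumed to have already been authenticated.

```python
from datetime import datetime, timezone
from enum import IntEnum

class Level(IntEnum):
    PUBLIC = 0               # publicly available
    INTERNAL = 1             # internal view only
    CONFIDENTIAL = 2
    HIGHLY_CONFIDENTIAL = 3

# Constructed sample policy: role -> (highest level allowed, permitted actions).
ROLE_POLICY = {
    "hr_manager": (Level.HIGHLY_CONFIDENTIAL, {"view", "change"}),
    "analyst": (Level.CONFIDENTIAL, {"view"}),
    "contractor": (Level.INTERNAL, {"view"}),
}

# Constructed sample classification of individual data elements.
FIELD_LEVELS = {
    "office": Level.PUBLIC,
    "name": Level.INTERNAL,
    "salary": Level.CONFIDENTIAL,
    "ssn": Level.HIGHLY_CONFIDENTIAL,
}

def classify_document(fields):
    """A document takes the highest level of any field it contains.
    Unclassified fields fail closed to the most restrictive level."""
    levels = [FIELD_LEVELS.get(f, Level.HIGHLY_CONFIDENTIAL) for f in fields]
    return max(levels, default=Level.PUBLIC)  # an empty report discloses nothing

def request_access(user, role, action, fields, audit):
    """Decide one request for an already-authenticated user and record it."""
    level = classify_document(fields)
    max_level, actions = ROLE_POLICY.get(role, (None, set()))
    if max_level is None:
        allowed, reason = False, "unknown role"
    elif action not in actions:
        allowed, reason = False, "action not permitted for role"
    elif level > max_level:
        allowed, reason = False, "document level exceeds role clearance"
    else:
        allowed, reason = True, "ok"
    audit.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                  "role": role, "action": action, "level": level.name,
                  "allowed": allowed, "reason": reason})
    return allowed

def exceptions(audit):
    """The audit question 'What exceptions occurred?': every denied request."""
    return [entry for entry in audit if not entry["allowed"]]
```

Adding a single highly confidential field to a report raises the whole report’s level, so a role that could view the other fields is denied, and the denial appears in the audit trail with its reason.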
A secure system ensures that the data it contains is valid, and that data is protected from deletion and corruption, both when it resides within the database and as it is transmitted over the network. This characteristic is called “data integrity” and is used in both data quality and data security. In data security, the principles that determine whether a system, database or file can be classified as having integrity include:
System and object privileges must control access to application tables and system commands, so that only authorized users can change data.
Referential integrity is the ability to maintain valid relationships between values in the database, according to the application’s requirements. A database and application that enforce referential integrity will be able to withstand some security challenges better than those designed without it.
A database must be protected against viruses that have been written to corrupt data or perform malicious actions against the application it supports.
The network traffic must be protected from deletion, corruption, and eavesdropping through proper network administration procedures.
Business requirements drive data security needs, coming from a variety of sources, such as:
Stakeholder concerns and requirements
Government regulations
Proprietary business issues
Legitimate access needs
Business rules and processes define data security points and events; these may have individual security requirements that would be identified by data stewards and data security professionals. These requirements must be balanced with short and long-term data management and security goals for an effective data security function.
Essential Data Security Technologies
Modern organizations rely on advanced technologies to protect sensitive information and mitigate risks of data theft or corruption. Encryption is a fundamental method that transforms data into an unreadable format, ensuring only authorized users can decrypt or even understand the underlying data. Identity management systems play a crucial role in managing user identities and access rights, reducing the likelihood of unauthorized users gaining access to sensitive data.
Data discovery tools enable organizations to identify and classify data types across their infrastructure, improving oversight and compliance. Backup and recovery solutions ensure critical data remains accessible even in cases of system failure or breaches. Multi-factor authentication adds an extra layer of security by requiring users to provide multiple forms of identification before accessing secure networks. Together, these technologies create a strong foundation for organizations to protect against threats and adhere to legal obligations under data protection regulations.
Data Loss Prevention Strategies
Data Loss Prevention (DLP) solutions are crucial for maintaining control over an organization’s sensitive information. By implementing robust DLP policies, organizations can prevent unauthorized access, data leaks, and theft of critical data. These technologies enable monitoring and alert systems to detect potential data breaches by tracking user activity and flagging suspicious behavior. Techniques like data classification, which categorizes information based on sensitivity, regulatory compliance, and lifecycle management, are integral to DLP efforts. Additionally, DLP technologies support secure data handling across on-premises environments, mobile devices, and cloud systems, ensuring protection against both inadvertent exposure and malicious actions. Integrating DLP into a data security strategy enables organizations to adhere to privacy regulations like the General Data Protection Regulation (GDPR) as well as safeguard their operational integrity.
Regulatory Requirements for Data Security
A global environment and continually increasing capabilities for data sharing require organizations to be aware of and comply with a growing set of data-oriented regulations that affect data security and data privacy. Some of those challenges include:
Ethical and legal issues of the Information Age have forced governments to establish laws and standards and to continue to refine them. These laws, regulations and standards have raised awareness about the concepts and processes for data security, enabling increased compliance by all data management professionals.
Requirements of many regulations have imposed strict security controls on information management, across industries and countries. Some relevant regulations concerning information security can be found at: http://jurinnov.com/information-security-compliance-which-regulations/
It is a best practice to develop data security policies that enable compliance rather than non-compliance. Organizations should design security controls and demonstrate that controls meet requirements of law or regulations, and document implementation of the controls. Every organization should offer training in data security and data privacy practices to staff.
Global and Regional Data Protection Regulations
Navigating data protection regulations is a critical component of organizational compliance strategies. The General Data Protection Regulation (GDPR) obliges organizations to protect the personal data of European Union citizens, with non-compliance penalties reaching up to €20 million or 4% of a company’s global annual turnover. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) enforces strict privacy requirements for sensitive health information, with fines for violations starting at $100 and reaching $50,000 per incident.
On the state front, the California Consumer Privacy Act (CCPA) protects consumer rights in California, imposing fines ranging from $2,500 to $7,500 for each violation. Since data protection laws differ significantly across industries and countries, organizations must conduct regular risk assessments to address specific compliance requirements. Beyond financial penalties, violations often lead to reputational damage, highlighting the importance of robust risk mitigation practices. Ensuring compliance not only protects sensitive information but also reinforces trust among stakeholders and customers.
Conclusion
Successful data security should be incorporated into an organization’s culture. It should be proactive, not reactive, and should not be burdensome to any of the organization’s operations, while protecting the data and information assets from unauthorized access and retrieval.
Having a strong, flexible data security plan and policies can contribute to achieving the best balance between requirements and accessibility of data and information in any organization. Role-based data security is a best practice and should be implemented consistently throughout the organization to be effective. Ensuring that data governance professionals, data stewards and data security specialists work together in developing and implementing data security and privacy requirements, processes and procedures is an important step in the successful deployment of a data security plan. An organization can avoid data security breaches through awareness and implementation of security requirements, policies, and procedures.