Effective data security ensures that the right people can use and update data as it was intended to be used, and that all inappropriate access and update is prohibited.
Protecting sensitive data is the ultimate goal of all information technology and data security practices; some major objectives would be to avoid identity theft, protect data privacy, prevent resource / financial theft, protect against intellectual property invasion or theft.
Data Security Management is the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.
Effective data security policies and procedures ensure that the right people can use and update data as it was intended to be used, and that all inappropriate access and update is prohibited. Understanding and complying with the privacy and confidentiality interests and needs of all stakeholders is in the best interest of any organization. Client, supplier, and constituent relationships all trust in, and depend on, the responsible use of data.
Data security can be supported by an effective enterprise data strategy that includes a properly functioning data governance program. Data governance can assist in the development and management of policies and standards for data security and data privacy in conjunction with other professionals.
Stated simply, data security is the practice of keeping data protected from corruption and unauthorized access. The focus behind data security is to ensure privacy while protecting personal or corporate data from inappropriate actions.
Effective data security policies and procedures ensure that the right people can use and update data in the right way, while restricting all inappropriate access and updates. An effective data security management function establishes judicious governance mechanisms that can be performed smoothly by all staff. A data security plan, written at the completion of the enterprise data strategy includes all the steps for ensuring that data is collected properly, is kept safe and secured according to defined processes, destroyed properly when not needed, etc…
Data security and data privacy are not synonyms. Privacy is defined by Webster as “the appropriate use of data.” Data security is established to ensure the following conditions for data:
More thoroughly, data privacy is the transparent handling of an individual’s personal data in accordance with the individual’s choice and consent and in a manner that prevents unauthorized disclosure while allowing permitted uses.
For businesses, privacy can include protecting the data for trade secrets, securing proprietary information about products and processes or competitive analyses and marketing and sales plans.
For governments, privacy involves such issues as the ability to collect and analyze demographic information, while protecting the confidentiality of millions of individual citizens and the country’s defense and economic plans. Simply, privacy is the true objective of security.
Data security governs the technical and physical requirements that keep data protected and confidential. Data privacy governs the data rights of individuals and organizations, and imposes requirements on the use of that data.
Data Security Requirements
Data security requirements can be categorized into four (4) basic groups (4 As)
Each group has its own processes and procedures for meeting the security requirements described by stakeholders. A short definition of each term may help to clarify the group’s purposes and give some suggestion on the types of processes / procedures that would be used to implement data security.
Authentication is the process that confirms a user’s identity. The typical authentication process allows the system to identify the user, typically via a username, and then validate their identity through user-provided evidence such as a password. There are stronger methods of authenticating the user, including certificates, one-time passwords, etc… These methods can be combined to provide a stronger combination of authentication factors.
Authorization is the process that determines what actions the user can perform. This step usually is handled by the accessed application, or by a combination of a central authorization policy that is followed by application-specific permissions. Authorization can be determined based on the user identity alone, but in most cases it requires additional attributes about the user, such as their role or title.
Access refers to a user’s ability to get to or retrieve data from a source. After the user has passed the authentication and authorization steps, there are processes and procedures to allow or deny the user access to data based on rules and other parameters. This access can be determined by the user’s role and the type of data stored. Data stewards write data access processes based on the recommendations of data security personnel for various levels of data (e.g., highly confidential, confidential, internal view only, publicly available). In data security parlance, this approach is called “granular access control,” since the user is permitted the right to view / retrieve / change only specific data that has been granted to that user based on their role and specific needs. It is considered to be a best practice to classify documents and reports based on the highest level of confidentiality for any information found within the document.
Audit is the process for examining the results of the previous three steps. Were all the correct processes initiated and completed according to the organization’s standards? Were all the procedures performed every time, properly and fully? What exceptions occurred? Why did those exceptions happen? Can each situation recur? Why or why not?
A secure system ensures that the data it contains is valid, and that data is protected from deletion and corruption, when it resides within the database and as it is transmitted over the network. This characteristic is called “data integrity” and is a characteristic that is used in data quality and data security. In data security, the principles that determine whether a system, database or file can be classified as having integrity include:
- System and object privileges must control access to application tables and system commands, so that only authorized users can change data.
- Referential integrity is the ability to maintain valid relationships between values in the database, according to the application’s requirements. A database and application that contains referential integrity will be able to withstand some security challenges better than those designed without referential integrity used.
- A database must be protected against viruses that have been written to corrupt data or perform malicious actions against the application it supports.
- The network traffic must be protected from deletion, corruption, and eavesdropping through proper network administration procedures.
Business requirements drive data security needs, coming from a variety of sources, such as:
- Stakeholder concerns and requirements
- Government regulations
- Proprietary business issues
- Legitimate access needs
Business rules and processes define data security points and events; these may have individual security requirements that would be identified by data stewards and data security professionals. These requirements must be balanced with short and long-term data management and security goals for an effective data security function.
Regulatory Requirements for Data Security
A global environment and continually increasing capabilities for data sharing require organizations to be aware of and comply with growing set of data-oriented regulations that affect data security and data privacy. Some of those challenges include:
Ethical and legal issues of the Information Age have forced governments to establish laws and standards and to continue to refine them. These laws, regulations and standards have raised awareness about the concepts and processes for data security, enabling increased compliance by all data management professionals.
Requirements of many regulations have imposed strict security controls on information management, across industries and countries. Some relevant regulations concerning information security can be found at: http://jurinnov.com/information-security-compliance-which-regulations/
It is a best practice to develop data security policies that enable compliance rather than non-compliance. Organizations should design security controls and demonstrate that controls meet requirements of law or regulations, and document implementation of the controls. Every organization should offer training in data security and data privacy practices to staff.
Successful data security should be incorporated into an organization’s culture, and it should be proactive, not reactive and should not be burdensome to any of the organization’s operations while protecting the data and information assets from unauthorized access and retrieval.
Having a strong, flexible data security plan and polices can contribute to achieve the best balance between requirements and accessibility of data and information in any organization. Role-based data security is a best practice and should be implemented consistently throughout the organization to be effective. Ensuring that data governance professionals, data stewards and data security specialists work together in developing and implementing data security and privacy requirements, processes and procedures is an important step in the successful deployment of a data security plan. An organization can avoid data security breaches through awareness and implementation of security requirements, policies, and procedures.