ISO/IEC 27001 Archives - MDM Team
https://mdmteam.org/blog/category/iso-iec-27001/
Mon, 26 Aug 2024 06:10:28 +0000

KSA PDPL – Initial Framework
https://mdmteam.org/blog/ksa-pdpl-initial-framework/
Mon, 26 Aug 2024 06:10:25 +0000

High-Level Overview of How to Approach Implementation

Governance and Accountability

  • Appoint a Data Protection Officer (DPO): Designate a DPO or a responsible person within the organization to oversee compliance with the PDPL.
  • Establish Policies and Procedures: Develop data protection policies, procedures, and guidelines to govern data processing activities, data subject rights, and breach management.

Data Mapping and Inventory

  • Conduct a Data Inventory: Identify and document all personal data held by the organization, including how it is collected, processed, stored, and shared.
  • Assess Data Processing Activities: Evaluate data processing activities to ensure they align with the PDPL principles (e.g., lawful processing, data minimization, purpose limitation).

Risk Assessment and Data Protection Impact Assessments (DPIA)

  • Perform Risk Assessments: Assess the risks associated with data processing activities, particularly those that involve sensitive personal data or high-risk processing.
  • Conduct DPIAs: Carry out DPIAs for new or existing processing activities that may have significant privacy impacts.

Data Subject Rights Management

  • Implement Mechanisms for Data Subject Requests: Set up processes to handle data subject requests related to access, correction, deletion, and other rights under the PDPL.
  • Inform Data Subjects: Ensure transparency by providing data subjects with clear information about how their data is used and their rights under the PDPL.

Data Security

  • Implement Security Controls: Apply appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, or loss.
  • Data Breach Response Plan: Develop and implement a data breach response plan, including notification procedures to the relevant authorities and affected individuals.

Data Transfers

  • Assess International Transfers: Ensure that any cross-border data transfers comply with the PDPL’s requirements for safeguarding personal data when transferred outside Saudi Arabia.
  • Obtain Necessary Approvals: If applicable, obtain regulatory approvals for international data transfers, ensuring that adequate safeguards are in place.

Monitoring and Auditing

  • Regular Audits and Reviews: Perform regular audits of data processing activities and data protection measures to ensure ongoing compliance with the PDPL.
  • Continuous Improvement: Continuously improve data protection practices based on audit findings, legal updates, and evolving best practices.

Training and Awareness

  • Conduct Regular Training: Provide regular training and awareness programs for employees and relevant stakeholders on data protection principles and PDPL compliance.
  • Promote a Culture of Privacy: Encourage a privacy-first approach within the organization, making data protection a core aspect of operations.

Oracle Autonomous Database
https://mdmteam.org/blog/oracle-autonomous-database/
Fri, 23 Sep 2022 11:23:14 +0000

Oracle describes Autonomous Database as a mission-critical, converged database that runs transactional and analytic workloads. It automatically scales, tunes, patches, and secures all workloads using machine learning to provide the highest service availability, security, and performance. It is built on Oracle Database and Oracle Exadata for easier migration to the cloud at lower cost. Autonomous Database is available on the public cloud with shared and dedicated infrastructure, and on-premises with Exadata Cloud@Customer.

  • Self-Driving: Provisions workload-optimized, highly available databases. Uses automated configuration settings, minimizes tuning required for specific workloads, and scales compute resources as needed.
  • Self-Securing: Protects sensitive and regulated data, automatically patches your database for security vulnerabilities, and prevents unauthorized access.
  • Self-Repairing: Detects and protects against system failures and user errors and provides failover to standby databases with zero data loss.

The foundation for Autonomous Database includes Oracle Database Enterprise Edition, Exadata Database Machine, and Oracle Cloud Infrastructure. Autonomous Database incorporates and automates many advanced database technologies that are unique to Oracle, including:

  • Real Application Clusters for scale-out, failover, and online patching
  • Online operations for schema changes
  • Active Data Guard for database-aware disaster recovery
  • Database In-Memory for high performance
  • Transparent Database Encryption for data protection
  • Database Vault for role separation

Data Warehouse, Data Lake & Data Vault
https://mdmteam.org/blog/data-warehouse-data-lake-data-vault/
Tue, 08 Feb 2022 12:01:15 +0000

Data Lakes & Data Warehouses

Data Lakes and Data Warehouses both act as repositories, but they are designed for very different purposes. Data Warehouses work best for specific projects with set resources while Data Lakes are optimized for managing all incoming Big Data.

The data stored in the warehouse is sourced from the various Operational Data Sources (ODS), which means it can come from heterogeneous systems and usually requires data cleansing and other preparation to ensure data quality before it is used in the DW for reporting.

Data Lakes save time, effort and cost by creating a single repository for all Structured, Semi-Structured and Unstructured Data, making it easy for Data Scientists to pull exactly what they need for analysis.

Data Vault

A data vault is a system made up of a model, methodology and architecture that is explicitly designed to solve a complete business problem as requirements change. Data Vault data is generally RAW data sets. So, in the case of the Data Vault, reconciling to the source system is recommended for testing.

It serves to structure the data warehouse data as systems of permanent records, and to absorb structural changes without requiring any alterations. Data Vault requires data to be loaded exactly as it exists in the source system: no edits, no changes, no application of business rules (including data cleansing). This ensures that the Data Vault is 100% auditable.

Data Mart and Data Cubes

Data Mart: A Data Mart is a type of data store often used to support presentation layers of the data warehouse environment. It contains only the data specific to a particular group. For example, the marketing Data Mart may contain only data related to items, customers, and sales. Data Marts are confined to subjects. With a data mart, teams can access data and gain insights faster, because they don’t have to spend time searching within a more complex data warehouse or manually aggregating data from different sources.

Data Cube: In Data Cubes, we represent Data in Multiple Dimensions. It is defined by dimensions and facts. The dimensions are the entities with respect to which an enterprise preserves the records. Data cubes are used to represent data that is too complex to be described by a table of columns and rows. As such, data cubes can go far beyond 3-D to include many more dimensions.

Data in an organization may include:

  • Structured Data: Comprised of clearly defined data types with patterns that make them easily searchable, such as Invoices, Receipts, Sensor Data, Online Forms, Spreadsheets and CRM Profiles
  • Semi-Structured Data: CSV, logs, XML and JSON formats
  • Unstructured Data: Social Media Content, Emails, Podcasts, Security Footage, Transcripts, PDFs, Images, Audio and Video

Data Security – Essential Concepts
https://mdmteam.org/blog/data-security-essential-concepts/
Mon, 24 Jan 2022 10:01:21 +0000

IS – Information Security has a specific Vocabulary. Knowledge of Key Terms enables Clearer Articulation of Governance Requirements.

Threat is a Potential Offensive Action that could be taken against an organization. Threats can be Internal or External. They are not always Malicious. An uninformed insider can take offensive actions against the organization without even knowing it. Threats may relate to Specific Vulnerabilities, which can then be Prioritized for Remediation. Each threat should be matched to a capability that either Prevents the Threat or Limits the Damage it might cause. An occurrence of a Threat is also called an Attack Surface.

Vulnerability is a Weakness or Defect in a System that allows it to be Successfully Attacked and Compromised – essentially a Hole in an Organization’s Defenses. Some vulnerabilities are called Exploits. In many cases, Non-Production Environments are more Vulnerable to Threats than Production Environments. Thus, it is Critical to keep Production Data out of Non-Production Environments.

Risk refers both to the Likelihood/Possibility of Loss and to the Thing or Condition that Poses the Potential Loss. Risk can be Calculated for each Possible Threat using the following factors:

  • Probability that the threat will occur and its likely frequency
  • The type and amount of damage each occurrence might cause, including damage to reputation
  • The effect damage will have on revenue or business operations
  • The cost to fix the damage after an occurrence
  • The cost to prevent the threat, including by remediation of vulnerabilities
  • The goal or intent of the probable attacker

Risks can be prioritized by potential severity of damage to the company, or by likelihood of occurrence, with easily exploited vulnerabilities creating a higher likelihood of occurrence. Often a priority list combines both metrics. Prioritization of risk must be a formal process among the stakeholders.

Risk Classifications

Risk classifications describe the sensitivity of the data and the likelihood that it might be sought after for malicious purposes. Classifications are used to determine who (i.e., people in which roles) can access the data. The highest security classification of any datum within a user entitlement determines the security classification of the entire aggregation.

Risk can be Classified as follows:

  • CRD – Critical Risk Data: Personal information aggressively sought for unauthorized use by both internal and external parties due to its high direct financial value. Compromise of CRD would not only harm individuals, but would result in financial harm to the company from significant penalties, costs to retain customers and employees, as well as harm to brand and reputation.
  • HRD – High Risk Data: HRD is actively sought for unauthorized use due to its potential direct financial value. HRD provides the company with a competitive edge. If compromised, it could expose the company to financial harm through loss of opportunity. Loss of HRD can cause mistrust leading to the loss of business and may result in legal exposure, regulatory fines and penalties, as well as damage to brand and reputation.
  • MRD – Moderate Risk Data: Company information that has little tangible value to unauthorized parties; however, the unauthorized use of this non-public information would likely have a negative effect on the company.

The Four A’s + E

Access: Enable individuals with authorization to access systems in a timely manner. Used as a verb, access means to actively connect to an information system and be working with the data. Used as a noun, access indicates that the person has a valid authorization to the data.

Audit: Review security actions and user activity to ensure compliance with regulations and conformance with company policy and standards. Information security professionals periodically review logs and documents to validate compliance with security regulations, policies, and standards. Results of these audits are published periodically.

Authentication: Validate users’ access. When a user tries to log into a system, the system needs to verify that the person is who he or she claims to be. Passwords are one way of doing this. More stringent authentication methods include the person having a security token, answering questions, or submitting a fingerprint. All transmissions during authentication are encrypted to prevent theft of the authenticating information.

Authorization: Grant individuals privileges to access specific views of data, appropriate to their role. After the authorization decision, the Access Control System checks each time a user logs in to see if they have a valid authorization token. Technically, this is an entry in a data field in the corporate Active Directory indicating that the person has been authorized by somebody to access the data. It further indicates that a responsible person made the decision to grant this authorization because the user is entitled to it by virtue of their job or corporate status.

Entitlement: An Entitlement is the sum total of all the data elements that are exposed to a user by a single access authorization decision. A responsible manager must decide that a person is ‘entitled’ to access this information before an authorization request is generated. An inventory of all the data exposed by each entitlement is necessary in determining regulatory and confidentiality requirements for Entitlement decisions.

ISMS – ISO/IEC-27001:2013 – Annex A
https://mdmteam.org/blog/isms-iso-iec-270012013-annex-a/
Sun, 23 Jan 2022 05:56:20 +0000

  • ISO = International Organization for Standardization
  • IEC = International Electrotechnical Commission
  • ISMS = Information Security Management System
  • ISO/IEC-27001:2013 is the International Security Standard and Best Practice Guidelines, which details the requirement for an ISMS, for Establishing, Implementing, Maintaining and Continually Improving an ISMS – Information Security Management System within the context of the organization. ISO/IEC-27001 and the Best Practices are Generic and Applicable to all Organizations, regardless of Size, Nature and Type etc.

It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve as two excellent guides to get you started with implementing an ISMS.

ISO 27002 is a set of guidelines that elaborates on ISO 27001. You can’t be certified against ISO 27002; there is no such thing.

  • ISO/IEC-27001:2013 Annex A comprises 114 Controls, divided into 14 Control-Sets/Sections.

To achieve ISO 27001 Compliance or Certification, an Organization needs a Fully-Functional ISMS that meets the Standard’s Requirements.

ISMS is a Documented Security Management System that consists of a Set-of-Security-Controls that protect the CIA Triad, i.e. the Confidentiality, Integrity and Availability of Assets, from Threats and Vulnerabilities. ISMS Safeguards an Organisation’s Information Assets.

To further elaborate, ISMS is a Security-Framework that protects the organization from Security Breaches and Shields it from Disruption if and when they do happen. It describes and demonstrates the organisation’s approach to Information Security and Privacy. ISMS helps to identify and address the threats and opportunities around Valuable Information and any Related Assets.

There are numerous ways of approaching the implementation of an ISMS. The most common iterative method of continual improvement is the PDCA (Plan-Do-Check-Act) Process:

  • Plan – Plan how to Improve the Current Situation
  • Do – Execute the Plan
  • Check – Evaluate Results from the Do phase
  • Act – Act Upon the Output of the Check phase
