Data Management – Define Data Security Standards

Policies provide guidelines for behavior. They do not outline every possible contingency. Standards supplement policies and provide additional detail on how to meet the intention of the policies.

  • Define Data Confidentiality Levels: Confidentiality classification is an important Metadata characteristic, guiding how users are granted access privileges. Each organization should create or adopt a classification scheme that meets its business requirements. Any classification method should be clear and easy to apply. It will contain a range of levels, from the least to the most confidential (e.g., from “for general use” to “registered confidential”).
  • Define Data Regulatory Categories: A growing number of highly publicized data breaches, in which sensitive personal information has been compromised, have resulted in data-specific laws being introduced. Financially-focused data incidents have spurred governments across the globe to implement additional regulations. Regulatory requirements are an extension of information security. Additional measures are required to manage regulatory requirements effectively. A useful way to handle the data-specific regulations is by analyzing and grouping similar regulations into categories, as was done by grouping various risks into a few security classifications. Most data regulations, imposed as they are by separate legal entities, seek to do the same thing. A key principle for both security classification and regulatory categorization is that most information can be aggregated so that it has greater or lesser sensitivity. The results of this classification work will be a formally approved set of security classifications and regulatory categories and a process for capturing this Metadata in a central repository so that employees, both business and technical, know the sensitivity of the information they are handling, transmitting, and authorizing.
  • Define Security Roles: Data access control can be organized at an individual or group level, depending on the need. That said, granting access and update privileges to individual user accounts entails a great deal of redundant effort. Smaller organizations may find it acceptable to manage data access at the individual level. However, larger organizations will benefit greatly from role-based access control, granting permissions to role groups and thereby to each group member. Role groups enable security administrators to define privileges by role and to grant these privileges by enrolling users in the appropriate role group. Whenever possible, try to assign each user to only one role group. This may require the creation of different user views of certain data entitlements to comply with regulations. Data consistency in user and role management is a challenge. To avoid data integrity issues, manage user identity data and role-group membership centrally. This is a requirement for the quality of data used for effective access control. Security administrators create, modify, and delete user accounts and role groups. Changes made to the group taxonomy and membership should receive appropriate approval. Changes should be tracked via a change management system. Applying data security measures inconsistently or improperly within an organization can lead to employee dissatisfaction and significant risk to the organization. Role-based security depends on clearly defined, consistently assigned roles. There are two ways to define and organize roles: as a grid (starting from the data), or in a hierarchy (starting from the user).
    • Role Assignment Grid: A grid can be useful for mapping out access roles for data, based on data confidentiality, regulations, and user functions. A Marketing role may have access to some PII information for use in developing campaigns, but not to any restricted data, or Client Confidential data.
    • Role Assignment Hierarchy: Construct group definitions at a work-group or business unit level. Organize these roles in a hierarchy, so that child roles further restrict the privileges of parent roles. The ongoing maintenance of these hierarchies is a complex operation requiring reporting systems capable of granular drill down to individual user privileges.
  • Assess Current Security Risks: Security risks include elements that can compromise a network and/or database. The first step in identifying risk is identifying where sensitive data is stored, and what protections are required for that data. Evaluate each system for the following:
    • The sensitivity of the data stored or in transit
    • The requirements to protect that data
    • The current security protections in place
  • Implement Controls and Procedures: Implementation and administration of data security policy is primarily the responsibility of security administrators, in coordination with data stewards and technical teams. For example, database security is often a DBA responsibility. Organizations must implement proper controls to meet the security policy requirements. Controls and procedures should (at a minimum) cover:
    • How users gain and lose access to systems and/or applications
    • How users are assigned to and removed from roles
    • How privilege levels are monitored
    • How requests for access changes are handled and monitored
    • How data is classified according to confidentiality and applicable regulations
    • How data breaches are handled once detected
  • Document the requirements for allowing original user authorizations so de-authorization may happen when these conditions no longer apply. For instance, a policy to ‘maintain appropriate user privileges’ could have a control objective of ‘Review DBA and User rights and privileges on a monthly basis’. The organization’s procedure to satisfy this control might be to implement and maintain processes to:
    • Validate assigned permissions against a change management system used for tracking all user permission requests
    • Require a workflow approval process or signed paper form to record and document each change request
    • Include a procedure for eliminating authorizations for people whose job status or department no longer qualifies them to have certain access rights
  • Assign Confidentiality Levels: Data Stewards are responsible for evaluating and determining the appropriate confidentiality level for data based on the organization’s classification scheme. The classification for documents and reports should be based on the highest level of confidentiality for any information found within the document. Label each page or screen with the classification in the header or footer. Information products classified as least confidential (e.g., “For General Audiences”) do not need labels. Assume any unlabeled products to be for General Audiences. Document authors and information product designers are responsible for evaluating, correctly classifying, and labeling the appropriate confidentiality level for each document, as well as each database, including relational tables, columns, and user entitlement views.
  • Assign Regulatory Categories: Organizations should create or adopt a classification approach to ensure that they can meet the demands of regulatory compliance. This classification scheme provides a foundation for responding to internal and external audits. Once it is in place, information needs to be assessed and classified within the schema.
  • Manage and Maintain Data Security: Once all the requirements, policies, and procedures are in place, the main task is to ensure that security breaches do not occur, and if they do, to detect them as soon as possible. Continual monitoring of systems and auditing of the execution of security procedures are crucial to preserving data security.
  • Control Data Availability / Data-Centric Security: Controlling data availability requires management of user entitlements and of the structures (data masking, view creation, etc.) that technically control access based on entitlements. Some databases are better than others in providing structures and processes to protect data in storage. Security Compliance managers may have direct responsibility for designing user entitlement profiles that allow the business to function smoothly, while following relevant restrictions. Defining entitlements and granting authorizations requires an inventory of data, careful analysis of data needs, and documentation of the data exposed in each user entitlement. Often highly sensitive information is mixed with non-sensitive information. An enterprise data model is essential to identifying and locating sensitive data.
  • Monitor User Authentication and Access Behavior: Reporting on access is a basic requirement for compliance audits. Monitoring authentication and access behavior provides information about who is connecting and accessing information assets. Monitoring also helps detect unusual, unforeseen, or suspicious transactions that warrant investigation. In this way, it compensates for gaps in data security planning, design, and implementation. Monitoring entails a wide range of activities. It can be specific to certain data sets, users, or roles. It can be used to validate data integrity, configurations, or core Metadata. It can be implemented within a system or across dependent heterogeneous systems. It can focus on specific privileges, such as the ability to download large sets of data or to access data at off hours. Lack of automated monitoring represents serious risks:
    • Regulatory Risk: Organizations with weak database audit mechanisms will increasingly find that they are at odds with government regulatory requirements.
    • Detection and Recovery Risk: Audit mechanisms represent the last line of defense. If an attacker circumvents other defenses, audit data can identify the existence of a violation after the fact. Audit data can also be used to link a violation to a particular user or as a guide to repair the system.
    • Administrative and Audit Duties Risk: Users with administrative access to the database server – whether that access was obtained legitimately or maliciously – can turn off auditing to hide fraudulent activity. Audit duties should ideally be separate from both database administrators and the database server platform support staff.
    • Risk of Reliance on Inadequate Native Audit Tools: Database software platforms often try to integrate basic audit capabilities, but these frequently suffer from multiple weaknesses that limit or preclude deployment. When users access the database via Web applications (such as SAP, Oracle E-Business Suite, or PeopleSoft), native audit mechanisms have no awareness of specific user identities and all user activity is associated with the Web application account name. Therefore, when native audit logs reveal fraudulent database transactions, there is no link to the responsible user.
  • To mitigate the risks, implement a network-based audit appliance, which can address most of the weaknesses associated with native audit tools, but which does not take the place of regular audits by trained auditors. This kind of appliance has the following benefits:
    • High performance: Network-based audit appliances can operate at line speed with little impact on database performance.
    • Separation of Duties: Network-based audit appliances should operate independently of database administrators making it possible to separate audit duties from administrative duties as appropriate.
    • Granular Transaction Tracking: Supports advanced fraud detection, forensics, and recovery. Logs include details such as source application name, complete query text, query response attributes, source OS, time, and source name.
  • Manage Security Policy Compliance: Managing security policy compliance includes ongoing activities to ensure policies are followed and controls are effectively maintained. Management also includes providing recommendations to meet new requirements. In many cases, Data Stewards will act in conjunction with Information Security and Corporate Counsel so that operational policies and technical controls are aligned.
  • Manage Regulatory Compliance: Managing regulatory compliance includes
    • Measuring compliance with authorization standards and procedures
    • Ensuring that all data requirements are measurable and therefore auditable (i.e., assertions like “be careful” are not measurable)
    • Ensuring regulated data in storage and in motion is protected using standard tools and processes
    • Using escalation procedures and notification mechanisms when potential non-compliance issues are discovered, and in the event of a regulatory compliance breach
  • Audit Data Security and Compliance Activities: Internal audits of activities to ensure data security and regulatory compliance policies are followed should be conducted regularly and consistently. Compliance controls themselves must be revisited when new data regulation is enacted, when existing regulation changes, and periodically to ensure usefulness. Internal or external auditors may perform audits. In all cases, auditors must be independent of the data and/or process involved in the audit to avoid any conflict of interest and to ensure the integrity of the auditing activity and results.
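The role assignment grid and hierarchy described under Define Security Roles, together with the rule under Assign Confidentiality Levels that a document takes the highest classification of anything it contains, can be made concrete in a small model. The code below is an added example, not part of the original page; the level names, role names, regulatory categories and the Marketing entitlement are constructed assumptions for illustration.

```python
from enum import IntEnum

# Confidentiality levels, least to most sensitive (names assumed, not from the page).
class Level(IntEnum):
    GENERAL = 0
    INTERNAL = 1
    CLIENT_CONFIDENTIAL = 2
    RESTRICTED = 3

# Role assignment grid: role -> (highest level permitted, regulatory categories permitted).
# Constructed values: Marketing may see some PII but no Client Confidential or Restricted data.
ROLE_GRID = {
    "marketing": (Level.INTERNAL, {"PII"}),
    "finance": (Level.CLIENT_CONFIDENTIAL, {"PII", "PCI"}),
    "security_admin": (Level.RESTRICTED, {"PII", "PCI", "HIPAA"}),
}

# Role assignment hierarchy: a child role can only narrow its parent's privileges.
ROLE_PARENT = {"marketing_intern": "marketing"}
CHILD_LIMITS = {"marketing_intern": (Level.GENERAL, set())}

def effective_entitlement(role):
    """Resolve a role to (max level, categories), applying any hierarchy restrictions."""
    if role in ROLE_PARENT:
        parent_level, parent_cats = effective_entitlement(ROLE_PARENT[role])
        child_level, child_cats = CHILD_LIMITS[role]
        # A child never gains what its parent lacks: take the lower level and the intersection.
        return min(parent_level, child_level), parent_cats & child_cats
    return ROLE_GRID[role]

def classify_document(items):
    """A document or report is labelled with the highest level (and every regulatory
    category) of the information found within it; an empty document is General."""
    level = max((lvl for lvl, _ in items), default=Level.GENERAL)
    categories = set().union(*(cats for _, cats in items))
    return level, categories

def can_access(role, level, categories):
    """Grant access only if both the confidentiality level and every regulatory
    category of the data fall within the role's effective entitlement."""
    max_level, allowed_cats = effective_entitlement(role)
    return level <= max_level and set(categories) <= allowed_cats
```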

Auditing is not a fault-finding mission. The goal of auditing is to provide management and the data governance council with objective, unbiased assessments, and rational, practical recommendations. Data security policy statements, standards documents, implementation guides, change requests, access monitoring logs, report outputs, and other records (electronic or hard copy) form the input to an audit. In addition to examining existing evidence, audits often include performing tests and checks, such as:

  • Analyzing policy and standards to assure that compliance controls are defined clearly and fulfill regulatory requirements
  • Analyzing implementation procedures and user-authorization practices to ensure compliance with regulatory goals, policies, standards, and desired outcomes
  • Assessing whether authorization standards and procedures are adequate and in alignment with technology requirements
  • Evaluating escalation procedures and notification mechanisms to be executed when potential non-compliance issues are discovered or in the event of a regulatory compliance breach
  • Reviewing contracts, data sharing agreements, and regulatory compliance obligations of outsourced and external vendors, to ensure that business partners meet their obligations and that the organization meets its legal obligations for protecting regulated data
  • Assessing the maturity of security practices within the organization and reporting to senior management and other stakeholders on the ‘State of Regulatory Compliance’
  • Recommending Regulatory Compliance policy changes and operational compliance improvements

Auditing Data Security is not a substitute for Management of Data Security. It is a supporting process that objectively assesses whether management is meeting goals.
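The Monitor User Authentication and Access Behavior activity above names two privileges worth watching (downloading large data sets and accessing data at off hours) and one gap in native audit logs (activity recorded only under the Web application account with no end-user identity). The following added example, not part of the original page, runs those three checks over constructed access records; the field names, business-hours window and row threshold are assumptions.

```python
from datetime import datetime

# Constructed access records, as an audit appliance or log collector might emit them.
# None for end_user models the native-audit gap where only the application account is known.
ACCESS_LOG = [
    {"ts": "2024-03-04T10:12:00", "db_user": "app_svc", "end_user": "alice", "rows": 120},
    {"ts": "2024-03-04T02:45:00", "db_user": "app_svc", "end_user": "bob", "rows": 50},
    {"ts": "2024-03-04T11:30:00", "db_user": "app_svc", "end_user": "carol", "rows": 250000},
    {"ts": "2024-03-04T14:00:00", "db_user": "app_svc", "end_user": None, "rows": 30},
]

BUSINESS_HOURS = (8, 18)       # assumed local window, inclusive start / exclusive end
LARGE_DOWNLOAD_ROWS = 100000   # assumed threshold for a "large set of data"

def review_access(records, hours=BUSINESS_HOURS, large_rows=LARGE_DOWNLOAD_ROWS):
    """Return (timestamp, actor, finding) tuples that warrant investigation."""
    findings = []
    for rec in records:
        hour = datetime.fromisoformat(rec["ts"]).hour
        actor = rec["end_user"] or rec["db_user"]
        if not (hours[0] <= hour < hours[1]):
            findings.append((rec["ts"], actor, "off-hours access"))
        if rec["rows"] >= large_rows:
            findings.append((rec["ts"], actor, "large data download"))
        if rec["end_user"] is None:
            # Only the application account is attributed; no link to a responsible user.
            findings.append((rec["ts"], actor, "no end-user identity in audit record"))
    return findings

def findings_by_type(findings):
    """Count findings per type, the shape a compliance report would summarise."""
    counts = {}
    for _, _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```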
