Rule of Thumb: CIA Triad – Confidentiality, Integrity and Availability.
Data Security includes the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.
The specifics of data security (which data needs to be protected, for example) differ between industries and countries. Effective data security policies and procedures ensure that the right people can use and update data in the right way, and that all inappropriate access and update is restricted (Ray, 2012).
Understanding and complying with the privacy and confidentiality interests and needs of all stakeholders is in the best interest of every organization. Client, supplier, and constituent relationships all trust in, and depend on, the responsible use of data.
Necessary Business Access Needs
• Data Security must be Appropriate
• Data Security must not be too onerous to Prevent Users from Doing their Jobs
• Goldilocks Principle i.e. Least Privilege, and Minimum of Permissions to access what they need.
Nevertheless, the goal of data security practices is the same: To protect information assets in alignment with privacy and confidentiality regulations, contractual agreements, and business requirements.
Requirements come from:
Stakeholders: Organizations must recognize the privacy and confidentiality needs of their stakeholders, including clients, patients, students, citizens, suppliers, or business partners. Everyone in an organization must be a responsible trustee of data about stakeholders.
Stakeholder Concerns
• Privacy and Confidentiality of Clients Information
• Trade Secrets
• Business Partner Activity
• Mergers and Acquisitions
Government Regulations: Government regulations are in place to protect the interests of some stakeholders. Regulations have different goals. Some restrict access to information, while others ensure openness, transparency, and accountability.
Government Regulations
• Regulations may Restrict Access to Information
• Acts to ensure Openness and Accountability
• Provision of Subject Access Rights
Proprietary Business Concerns: Each organization has proprietary data to protect. An organization’s data provides insight into its customers and, when leveraged effectively, can provide a competitive advantage. If confidential data is stolen or breached, an organization can lose competitive advantage.
Legitimate Access Needs: When securing data, organizations must also enable legitimate access. Business processes require individuals in certain roles be able to access, use, and maintain data.
Legitimate Business Concerns
• Trade Secrets
• Research
• Knowledge of Customer Needs
• Business Partner Relationship and Impending Deals
Contractual Obligations: Contractual and non-disclosure agreements also influence data security requirements. For example, the PCI Standard, an agreement among credit card companies and individual business enterprises, demands that certain types of data be protected in defined ways (e.g., mandatory encryption for customer passwords).
