Data security is an increasing priority for many CIOs, and for good reason. Corporate databases contain the crown jewels — proprietary and sensitive information such as non-public financial data, trade secrets, and personal information about customers and employees. While many organizations are using regulatory compliance as an opportunity to formalize data security practices within their strategic initiatives, there are, unfortunately, still many that pay insufficient attention to securing some of their most precious assets.
Failing to comply with regulations like Sarbanes-Oxley or the Personal Information Protection and Electronic Documents Act (PIPEDA) can result in significant financial penalties as well as damage to a company’s brand or image. Can your organization really afford a significant security breach involving such sensitive information?
Protection of critical data assets begins with a sound data security strategy. This article provides an overview of best practices that should be part of any organization’s data security strategy. By adopting these practices, you can help prevent unauthorized access to sensitive corporate data while preserving legitimate access to data resources and supporting the detection of misuse of data by authorized users.
1 Have a well-written and comprehensive security policy.
Never underestimate the value of a well-written and comprehensive security policy that is disseminated and understood by those with access to corporate data assets. It is a good practice to develop a detailed policy specific to each important data system, rather than relying on just a single, broader corporate-wide policy.
A security policy should clearly describe the rules governing the legitimate access and use of information and, at the same time, also serve as a deterrent to inappropriate behaviour by stating that controls are in place to monitor and detect such behaviour.
You should also carefully outline the penalties should there be violation of the policy and misuse of legitimate privileges. All users with access to sensitive information must have a clear, concise and specific understanding of the expectations about their access and use of such information.
2 Prepare a data asset inventory and classification.
Many organizations fail to properly understand the sensitivity of information stored within various corporate databases. So a prerequisite for development and implementation of any safeguards for protecting such data is to perform an inventory of all data assets and assign classification levels to information and associated services.
The classification assigned should be based upon an in-depth understanding of the need for confidentiality of particular information, and an objective assessment of the risks to your organization should the data be lost or compromised. Examples of confidentiality levels might include Highly Restricted, Restricted, Proprietary, and Public, with each level mandating a different set of controls and rules for restricting access.
The determination and use of appropriate security controls is ultimately based upon the level of risk your organization is willing to accept. Your security controls, however, should be defined only after you have conducted a complete inventory of data assets.
3 Practice the principle of least privilege.
The principle of least privilege is an often underused data security control. It requires that a user or application be granted only the privileges necessary to perform its duties, and no more; in database terms, rights on the specific tables, columns and operations a job needs, rather than ownership or administrative rights over the whole database.
Minimizing the rights that govern access to your corporate data not only limits opportunities for misuse or other malicious activity, but also contains the damage a compromised account can do and reduces the chance of accidental damage or loss of data by an authorized user.
Ensure that your security managers conduct periodic reviews of users’ privileges to detect and remove any unauthorized privileges that may have been inadvertently granted, or which may no longer be appropriate as the result of a change in job role or function.
4 Assign privileges to roles rather than individuals.
Another best practice is to manage access to your corporate information through assignment of privileges to roles rather than to individual users. The use of roles allows for security management at a level that is more closely aligned with your organization’s structure.
Roles can be created to enforce the privileges and rules regarding access to corporate data and can readily be defined for use by departments or other specific job functions. Users may be assigned roles based upon their position within the organization.
More than just a good security practice, role-based access controls can simplify privilege management and reduce the cost of security administration.
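The following PostgreSQL script is an added example, not part of the original article, and illustrates items 3 and 4 together: privileges are granted to roles at table and column granularity, people are made members of roles according to their job, and two catalog queries support the periodic privilege review recommended above. The table, role and user names (`customer`, `billing_app`, `support_agent`, `compliance_audit`, `alice`) are assumptions chosen for the example.

```sql
-- Added example (PostgreSQL), not from the original article.
-- Assumed table holding customer personal data; national_id is the most sensitive column.
CREATE TABLE customer (
    customer_id bigint PRIMARY KEY,
    full_name   text   NOT NULL,
    email       text   NOT NULL,
    national_id text              -- Highly Restricted under the classification in item 2
);

-- Item 4: privileges live on roles that mirror job functions, not on individuals.
-- NOLOGIN roles cannot authenticate; they exist only to carry privileges.
CREATE ROLE billing_app      NOLOGIN;   -- the billing application's service role
CREATE ROLE support_agent    NOLOGIN;   -- help-desk staff
CREATE ROLE compliance_audit NOLOGIN;   -- internal audit: read everything, change nothing

-- Item 3: each role gets the minimum it needs, down to individual columns.
-- Neither billing nor support can read national_id; only audit can, and read-only.
GRANT SELECT (customer_id, full_name, email)                 ON customer TO billing_app;
GRANT SELECT (customer_id, full_name, email), UPDATE (email) ON customer TO support_agent;
GRANT SELECT                                                 ON customer TO compliance_audit;

-- A new table carries no PUBLIC grants in PostgreSQL; stating the revoke makes the
-- deny-by-default intent explicit, and the review query below should never show PUBLIC.
REVOKE ALL ON customer FROM PUBLIC;

-- People are members of roles according to position; they hold no direct grants.
CREATE ROLE alice LOGIN;              -- authentication method is configured in pg_hba.conf
GRANT support_agent TO alice;

-- When alice moves from support to internal audit, the review changes one membership,
-- not dozens of individual grants:
REVOKE support_agent    FROM alice;
GRANT  compliance_audit TO   alice;

-- Periodic review 1: every privilege on the table, by grantee and column.
-- Run as the table owner or a superuser, since information_schema only shows
-- privileges visible to the current user. A person listed directly as grantee, or a
-- role that can see a column it should not, is a finding to be revoked.
SELECT grantee, column_name, privilege_type
FROM   information_schema.column_privileges
WHERE  table_schema = 'public' AND table_name = 'customer'
ORDER  BY grantee, column_name, privilege_type;

-- Periodic review 2: who is a member of which role, excluding built-in pg_* roles.
SELECT r.rolname AS role_name, m.rolname AS member
FROM   pg_auth_members am
JOIN   pg_roles r ON r.oid = am.roleid
JOIN   pg_roles m ON m.oid = am.member
WHERE  r.rolname NOT LIKE 'pg\_%'
ORDER  BY role_name, member;
```

The two review queries are the ones to schedule for the periodic check called for in item 3: the first catches privileges granted directly to individuals or widened beyond a role's need, the second catches people who kept a role after changing jobs.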
5 Use of encryption.
While the use of encryption may not always be necessary or appropriate, it can be an important tool for protection of sensitive corporate information. Certainly, strong encryption should be used to protect the confidentiality of sensitive data whenever it is transmitted over non-secure networks. This helps to prevent compromise by malicious individuals eavesdropping or snooping on those networks.
Selective encryption of sensitive data stored in your corporate databases should be implemented whenever policy, legislation or regulation mandates it. Encryption is not, however, a substitute for access control: whoever can reach both the ciphertext and the key can read the data, so the controls on who holds the key matter as much as the cipher. The performance impact on applications and other legitimate use must also be considered carefully in the design of any encryption solution.
6 Monitor all audit logs.
Procedures should be established to consistently monitor all audit logs to detect anomalous behaviour and to ensure that users are only performing activities that have been explicitly authorized.
The frequency of audit log reviews should be determined by risk factors based upon the sensitivity and critical nature of your data to business operations, and the extent to which the systems are accessible via non-secure networks.
Audit logs should be periodically archived so that audit information is available, if needed, for use in investigations of suspicious behaviour, misuse of data or system breaches.
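As an added example, not from the original article: assume database activity is written to an audit table `db_audit` (the schema and the eight sample events below are constructed for illustration; a real deployment would populate the table from the database's audit facility). The queries then apply the kind of checks item 6 calls for: access to a Highly Restricted table outside business hours or from outside the corporate address range, privilege changes made by anyone other than the DBA accounts, single statements that read an unusually large number of rows, and clusters of failed logins from one address. The thresholds, the 07:00 to 19:00 UTC business window, the `10.0.0.0/8` corporate range and the `dba_` account-naming convention are all assumptions.

```sql
-- Added example (PostgreSQL), not from the original article.
-- Constructed audit table; a real one is populated by the database's audit facility.
CREATE TABLE db_audit (
    event_time    timestamptz NOT NULL,
    db_user       text        NOT NULL,
    client_addr   inet,
    action        text        NOT NULL,   -- SELECT, UPDATE, GRANT, REVOKE, LOGIN_FAILED, ...
    object_name   text,                   -- table touched, if any
    rows_affected integer                 -- rows returned or changed, if known
);

-- Eight constructed events, not real data. Three are benign (alice at 09:15,
-- billing_svc, dba_carol); the other five should surface in the checks below.
INSERT INTO db_audit VALUES
  ('2024-03-04 09:15:00+00', 'alice',       '10.0.5.21',    'SELECT',       'customer', 12),
  ('2024-03-04 02:40:00+00', 'alice',       '203.0.113.9',  'SELECT',       'customer', 48000),
  ('2024-03-04 10:02:00+00', 'billing_svc', '10.0.7.3',     'SELECT',       'customer', 1500),
  ('2024-03-04 11:30:00+00', 'bob',         '10.0.5.30',    'GRANT',        'customer', NULL),
  ('2024-03-04 11:31:00+00', 'dba_carol',   '10.0.5.2',     'GRANT',        'invoice',  NULL),
  ('2024-03-04 03:05:00+00', 'unknown',     '198.51.100.7', 'LOGIN_FAILED', NULL,       NULL),
  ('2024-03-04 03:05:10+00', 'unknown',     '198.51.100.7', 'LOGIN_FAILED', NULL,       NULL),
  ('2024-03-04 03:05:20+00', 'unknown',     '198.51.100.7', 'LOGIN_FAILED', NULL,       NULL);

-- Check 1: access to the Highly Restricted table outside 07:00-19:00 UTC, from an
-- unknown address, or from outside the assumed corporate range 10.0.0.0/8.
-- Flags alice's 02:40 read from 203.0.113.9.
SELECT event_time, db_user, client_addr, action, rows_affected
FROM   db_audit
WHERE  object_name = 'customer'
  AND  (EXTRACT(HOUR FROM event_time AT TIME ZONE 'UTC') NOT BETWEEN 7 AND 18
        OR client_addr IS NULL
        OR NOT (client_addr <<= inet '10.0.0.0/8'))
ORDER  BY event_time;

-- Check 2: privilege changes by anyone outside the DBA accounts (assumed dba_ prefix).
-- Flags bob's GRANT; dba_carol's is expected and not listed.
SELECT event_time, db_user, action, object_name
FROM   db_audit
WHERE  action IN ('GRANT', 'REVOKE')
  AND  left(db_user, 4) <> 'dba_';

-- Check 3: a single statement returning far more rows than any legitimate screen
-- would show (threshold assumed); a common sign of bulk extraction.
-- Flags alice's 48,000-row read; billing_svc's 1,500 rows stay under the threshold.
SELECT event_time, db_user, object_name, rows_affected
FROM   db_audit
WHERE  action = 'SELECT' AND rows_affected > 10000;

-- Check 4: three or more failed logins from one address within five minutes.
-- Flags the cluster from 198.51.100.7.
SELECT client_addr, count(*) AS failures,
       min(event_time) AS first_seen, max(event_time) AS last_seen
FROM   db_audit
WHERE  action = 'LOGIN_FAILED'
GROUP  BY client_addr
HAVING count(*) >= 3
   AND max(event_time) - min(event_time) <= interval '5 minutes';
```

The audit table itself should be append-only for every account except the archiving job; otherwise the record an investigation relies on can be edited by the very user being investigated, which defeats the archiving requirement above.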
7 Secure the host operating systems.
While attention may be given to securing access to corporate databases, the same measure of care should be dedicated to securing the operating systems upon which these databases are hosted.
A best practice is to restrict operating system access to only those administrative users required for maintenance, support, or monitoring of the database server. This reduces the number of accounts that could be potentially compromised by an attacker to gain access to the server. Further, any system or network services not required for operation of the database should be disabled.
Proactive procedures should be implemented to monitor for the availability of critical operating system patches and updates necessary to correct any discovered security vulnerabilities, and to ensure that such patches are applied in a timely manner. A properly secured database server should expose a minimal number of interfaces through which the system can be attacked.
8 Tightly control physical access.
Despite the proliferation of servers within many enterprises, locked-down data centres are not a thing of the past. Physical access to your corporate database systems containing sensitive information should be tightly controlled to prevent damage or theft of data. Machine rooms should be locked at all times and access by any person should require some form of identification and authentication. Systems should maintain a history of all persons entering the room. In the event that visitors are allowed access to a sensitive area, such visits should be properly escorted and monitored.
9 Periodically audit corporate databases.
Your business requirements evolve over time and new practices and technologies will be adopted. This can result in changes to the sensitivity and risks associated with your corporate data. Periodic audits of corporate databases not only ensure that security controls are being properly maintained, but can also give you the opportunity to continually assess and manage emerging risks. Safeguards must be reviewed and adjusted as needed to ensure that sensitive information is protected against both internal and external threats.
10 Mitigate the risks.
CIOs need to recognize that security management is more about mitigation of risks than about elimination of risks, since risks can never be fully eliminated. Despite the best planning and the strict implementation of security controls, security incidents may still occur. To provide for continuity of your business operations, your organization must be prepared to respond effectively to any such event.
Response planning should enable rapid, forensic assessment of the incident to prevent subsequent attacks and include procedures to quickly recover lost or damaged data. With proper planning, you can help minimize the damage or other negative business impacts resulting from a security incident.
–James L. Browning is an NCR Fellow and Enterprise Security Architect with Teradata, a division of NCR. He has more than 27 years of experience in the development of technical architectures. He can be reached firstname.lastname@example.org.