Topic 4: Data Security Management
ICT616 Data Resources Management
Introduction
Data Security Management (DSM) involves a number of activities associated with security policies and procedures, including their:
• planning
• development
• execution
so as to provide:
• proper authentication,
• authorisation,
• access, and
• auditing of data and information assets
What Is Security?
• “The quality or state of being secure -
to be free from danger”
• Security is achieved using several
strategies simultaneously or in
combination with one another
Components of Information Security
• InfoSec includes information security management, computer security,
data security, and network security
• Policy is central to all information security efforts
CIA Triangle
• The C.I.A. triangle is made up of:
• Confidentiality
• Integrity
• Availability
• Over time the list of characteristics has expanded,
but these three remain central
Key Concepts of Information Security
• Confidentiality
• Confidentiality of information ensures that only
those with sufficient privileges may access
certain information
• To protect confidentiality of information, a
number of measures may be used including:
• Information classification
• Secure document storage
• Application of general security policies
• Education of information custodians and end
users
Key Concepts of Information Security
• Integrity
• Integrity is the quality or state of being
whole, complete, and uncorrupted
• The integrity of information is threatened
when it is exposed to corruption, damage,
destruction, or other disruption of its
authentic state
• Corruption can occur while information is
being compiled, stored, or transmitted
Key Concepts of Information Security
• Availability
• Availability means that information is accessible to authorised users, in the required format, without interference or obstruction
• A user in this definition may be either a person or another computer system
• Availability means availability to authorised users, not to anyone who asks
Principles Of Information Security
Management
• The extended characteristics of information security
are known as the six Ps:
• Planning
• Policy
• Programmes
• Protection
• People
• Project Management
InfoSec Planning
• Included in the InfoSec planning model are activities necessary to
support the design, creation, and implementation of information
security strategies as they exist within the IT planning
environment
• Several types of InfoSec plans exist:
• Incident response
• Business continuity
• Disaster recovery
• Policy
• Personnel
• Technology rollout
• Risk management and
• Security programme including education, training and awareness
Policy
• Policy: set of organisational guidelines that
dictates certain behavior within the
organisation
• Three general categories:
• General programme policy (Enterprise Information Security Policy, EISP)
• Issue-specific security policies (ISSPs)
• System-specific security policies (SysSPs)
Enterprise Information Security Policy
• Enterprise information security
policy (EISP) - sets the strategic
direction, scope, and tone for all of
an organization’s security efforts
• High-level InfoSec policy
• EISP must directly support the
organization’s vision and mission
statements
EISP Elements
• EISP documents should include the following:
• An overview of the corporate philosophy on
security
• Information on the structure of InfoSec and
individuals who fulfill the InfoSec role
• Fully articulated responsibilities for security
that are shared by all members of the
organization
• Fully articulated responsibilities for security that are unique to each role within the organization
Issue-Specific Security
Policy Part 1
• Issue-specific security policy (ISSP) -
provides detailed, targeted guidance to
instruct all members of the organization in the
use of a resource
• An effective ISSP accomplishes the following:
• Articulates the organization’s expectations
about how its technology-based system
should be used
Issue-Specific Security
Policy Part 2
• An effective ISSP accomplishes the following
(cont’d):
• Documents how the technology-based system
is controlled and identifies the processes and
authorities that provide this control
• Indemnifies the organization against liability
for an employee’s inappropriate or illegal use
of the system
Issue-Specific Security
Policy Part 3
• Areas for which an ISSP may be used:
• Use of e-mails, instant messaging (IM), and other
electronic communications applications
• Use of the Internet on company and personal time
• Malware protection requirements
• Installation and use of nonorganizationally issued
software or hardware
• Prohibitions against hacking or testing the
organization’s security controls
• Home use of company-owned computer equipment or
removal of equipment from organizational property
Issue-Specific Security
Policy Part 4
• Areas for which an ISSP may be used (cont’d):
• Use of personal equipment on company networks
• Use of telecommunications technologies (fax,
phone, mobile phone)
• Use of photocopying and scanning equipment
Components of the ISSP
• Statement of purpose - the ISSP should begin
with a clear statement of purpose that outlines
the scope and applicability of the policy
• Authorized Uses - explains who can use the
technology governed by the policy and for what
purposes
• Prohibited Uses - this section outlines what the
issue or technology cannot be used for
• Unless a particular use is clearly prohibited, the
organization cannot penalize employees for it
Components of the ISSP
(continued)
• Systems Management - focuses on the users’
relationships to systems management
• Violations of Policy - specifies the penalties
and repercussions of violating the usage and
systems management policies
• Policy Review and Modification - outlines a
specific methodology for the review and
modification of the ISSP
• Limitation of Liability - offers a general
statement of liability or a set of disclaimers
Implementing the ISSP
• Three of the most common approaches for
creating and managing ISSPs:
• Create a number of independent ISSP
documents, each tailored to a specific issue
• Create a single comprehensive ISSP document
that covers all issues
• Create a modular ISSP document that unifies
policy creation and administration while
maintaining each specific issue’s requirements
• The recommended approach is the modular
approach
ISSP Document organization
approaches
Approach: Individual policy
• Advantages: clear assignment to a responsible department; written by those with superior subject matter expertise for technology-specific systems
• Disadvantages: typically yields a scattershot result that fails to cover all of the necessary issues; can suffer from poor policy dissemination, enforcement and review

Approach: Comprehensive policy
• Advantages: well controlled by centrally managed procedures, assuring complete topic coverage; often provides better formal procedures than when policies are individually formulated; usually identifies processes for dissemination, enforcement and review
• Disadvantages: may overgeneralize the issues and skip over vulnerabilities; may be written by those with less complete subject matter expertise

Approach: Modular policy
• Advantages: often considered an optimal balance between the individual ISSP and the comprehensive ISSP approaches; well controlled by centrally managed procedures, assuring complete topic coverage; clear assignment to a responsible department; written by those with superior subject matter expertise for technology-specific systems
• Disadvantages: may be more expensive than other alternatives; implementation can be difficult to manage
System-Specific Security
Policy
• System-specific security policies (SysSPs) -
often function as standards or procedures to
be used when configuring or maintaining
systems
• Example: to configure and operate a network
firewall
Protection
• Risk management activities, including risk
assessment and control, as well as
protection mechanisms, technologies, and
tools
• Each of these mechanisms represents some
aspect of the management of specific
controls in the overall information security
plan
People
• People are the most critical link in the
information security programme
• It is imperative that managers
continuously recognise the crucial role that
people play
• Including information security personnel
and the security of personnel.
Project Management
• Project management discipline
should be present throughout all
elements of the information security
programme
• Involves
• Identifying and controlling the resources
applied to the project
• Measuring progress and adjusting the
process as progress is made toward the
goal
Ultimate Goal of DSM
To protect information assets in alignment with
certain requirements
• Stakeholder Concerns
• Government Regulations
• Proprietary Business Concerns
• Legitimate Data Access Needs
Stakeholder Concerns
Stakeholders can be seen as the “ultimate owners” of the data
about them
• The organization then, and those within it, have a duty of
trust to them
• Stakeholders include:
• Clients
• Patients
• Students
• Business Partners
• …Others???
Government Regulations
Regulations shape what data security must deliver
• They can protect stakeholder interests
• They can require openness, transparency and accountability
Proprietary Business Concerns
• Intellectual Property
• Customer relationship data
• Business partner data
Legitimate Data Access Needs
Security must allow for access to data for
legitimate business purposes
• The business of doing business must
continue
• Various people and roles in organizations
must have controlled access to the data they
need
The Four ‘A’s’ of Data
Security
• Authentication
• Authorisation
• Access
• Audit
DSM Activities:
1. Understand data security needs
and regulatory requirements
• Business requirements
• Determine how stringent data security must be
• Vary with factors such as:
• Industry
• Size
• Location
• Regulatory requirements, e.g.:
• SOX (Sarbanes-Oxley Act, USA)
• CLERP (Corporate Law Economic Reform Program), the Australian corporate-law reforms whose audit-reform and disclosure provisions (CLERP 9, 2004) are the local counterpart of SOX
• Canadian Bill 198 (Ontario)
• EU General Data Protection Regulation (GDPR)
2. Define data security policy
• High-level policies for access to data assets
• A collaborative effort between:
• IT security administrators
• Data stewards
• Internal and external audit teams
• The legal department
• Compliance should be easier than non-compliance: if the approved path is also the path of least resistance, people will take it
2. Define data security policy
(continued)
• Separate IT policy and data policy?
• What do you think is best?
2. Define data security policy
(continued)
• It is common to have the IT security policy
and Data Security Policy be part of a
combined security policy
• The preference, however, should be to
separate them
• Data security policies are more granular in
nature and take a very data-centric approach
compared to an IT security policy
2. Define data security policy
(continued)
• Defining directory structures (the way an
operating system’s file system and its files
are displayed to the user) and an identity
management framework can be the IT
Security Policy component
• Defining the individual application, database
roles, user groups, and password standards
can be part of the Data Security Policy
3. Define data security standards
Will address issues such as:
• Tools used to manage data security
• Encryption standards and mechanisms
• Access guidelines for external vendors
and contractors
• Transmission protocols over the internet
• Documentation requirements
• Remote access standards
• Security breach reporting procedures
3. Define data security standards (cont’d)
Must consider physical security
• Access using mobile
devices/wireless
• Risks of storage on portable devices
• Disposal of these devices in
compliance with records
management
Physical security includes disposal
of devices
• In February 2010 CBS News, working with the company Digital Copier Security, showed how easy it is to buy a used photocopier whose hard drive still holds images of every document it has copied.
• Four machines were bought, chosen on price and page count, for about $300 each.
• What was recovered from their drives:
• Machine 1: police files detailing domestic violence and sex crimes cases
• Machine 2: police files from a narcotics unit listing the targets of a drug raid
• Machine 3: a construction company’s building plans, 95 pages of employee pay records and copies of cheques worth $40,000
• Machine 4: 300 pages of individual medical records
4. Define data security controls
and procedures
• Generally these will be the
responsibility of security and
database administrators
5. Manage users, passwords
and group memberships
• Always better to assign rights and privileges to
groups/roles and then assign users to groups
• Best to limit individual membership to single groups
• Groups should be in a hierarchical structure, children
have more restricted rights than parents
Security role hierarchy example (figure not reproduced)
5. Manage users, passwords and
group memberships (cont’d)
• Passwords are the first line of defence in protecting access to data
• Every user account should be required to have a password, set by the user, that meets the complexity level defined in the security standards (‘strong’ passwords)
• Passwords must be stored only as salted, slow hashes, never in plaintext or in a reversible form, and privileged or remote access should require a second factor in addition to the password
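Added example (Python, not from the lecture slides): the group/role rules of this activity and the password standard in working form. Roles hold the permissions, each user is assigned exactly one role, a check confirms that every child role is a subset of its parent, and account creation enforces a password rule and stores only a salted PBKDF2 hash. The role names, permission strings, password rules and user names are assumptions made for this illustration, not something the slides specify.

```python
"""Added example (not from the lecture slides): a minimal user/role model.
Role names, permission strings, password rules and users are constructed."""
import hashlib
import hmac
import os
import re

# Role hierarchy: a child role's permissions must be a SUBSET of its parent's,
# i.e. children are always more restricted than parents.
ROLES = {
    "dba":          {"parent": None,           "perms": {"schema.alter", "data.read", "data.write", "audit.read"}},
    "data_steward": {"parent": "dba",          "perms": {"data.read", "data.write", "audit.read"}},
    "analyst":      {"parent": "data_steward", "perms": {"data.read"}},
    "auditor":      {"parent": "dba",          "perms": {"audit.read"}},
}


def validate_hierarchy(roles=ROLES):
    """Return (child, parent) pairs where the child holds a permission its parent lacks.
    An empty list means the hierarchy obeys the 'children are more restricted' rule."""
    return [(name, r["parent"]) for name, r in roles.items()
            if r["parent"] is not None and not r["perms"] <= roles[r["parent"]]["perms"]]


def check_password_standard(username, password, min_length=12):
    """Return the list of rules the password breaks (empty list = acceptable).
    These three rules stand in for whatever the organisation's standard requires."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        failures.append("fewer than three character classes")
    if username.lower() in password.lower():
        failures.append("contains the user name")
    return failures


def _hash(password, salt):
    # Slow, salted hash: a stolen user table does not yield the passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(users, username, role, password):
    """Add an account with a single role; reject unknown roles and weak passwords.
    Only the salt and the hash are stored, never the password itself."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    problems = check_password_standard(username, password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    salt = os.urandom(16)
    users[username] = {"role": role, "salt": salt, "hash": _hash(password, salt)}
    return users[username]


def verify_password(users, username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = users.get(username)
    return rec is not None and hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"])


def is_allowed(users, username, permission):
    """Authorisation is decided by the user's role, never granted per user."""
    rec = users.get(username)
    return rec is not None and permission in ROLES[rec["role"]]["perms"]


if __name__ == "__main__":
    print("hierarchy violations:", validate_hierarchy())
    directory = {}
    create_user(directory, "alice", "analyst", "Correct-Horse-Battery-9")
    print("alice may read:", is_allowed(directory, "alice", "data.read"),
          "write:", is_allowed(directory, "alice", "data.write"))
```

Because rights live on the role, moving alice from analyst to data_steward is a one-field change and every permission check follows automatically; validate_hierarchy is the kind of check that belongs in the change process, so that nobody quietly gives a child role something its parent never had.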
5. Manage users, passwords and
group memberships (cont’d)
• Organizations with an enterprise user directory may synchronise passwords between heterogeneous resources so that each user has only one password to manage
• Single sign-on goes further: the user authenticates once, when logging into the workstation, and every subsequent authentication and authorization decision is made by reference to the enterprise user directory. An identity management system implements this capability
• The directory then becomes a single point of failure and of attack, and must be hardened and monitored accordingly
6. Manage data access views
and permissions
• Data security management is not
just about preventing inappropriate
access but also about enabling valid
access to the data.
7. Monitor user authentication and access behaviour
Critical!
• Provides information about who is connecting to and accessing information assets (vital for auditing, covered in activity 9)
• Alerts security administrators to unforeseen situations
• Best done with a mixture of manual and automated processes
• Suspicious transactions or usage patterns can then be investigated
• The more confidential or mission critical the data/system is, the closer to real time the monitoring should be
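Added example (Python, not from the lecture slides): the automated half of the monitoring described above, run over a handful of constructed audit-log lines. The log format, the thresholds (five failures within ten minutes, business hours 08:00-17:59 UTC on weekdays), the account names and the list of confidential tables with their entitled accounts are all assumptions for this illustration; in practice the records would come from the database audit log or the enterprise directory.

```python
"""Added example (not from the lecture slides): rule-based monitoring of
authentication and access events. Log format, thresholds, accounts and
table entitlements are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log, one event per line: "<timestamp> key=value ...".
SAMPLE_LOG = """\
2024-03-04T09:02:11Z user=alice src=10.1.4.7 event=login result=success
2024-03-04T09:05:40Z user=alice src=10.1.4.7 event=query table=patients_contact rows=12
2024-03-04T02:13:05Z user=bob src=203.0.113.9 event=login result=failure
2024-03-04T02:13:09Z user=bob src=203.0.113.9 event=login result=failure
2024-03-04T02:13:14Z user=bob src=203.0.113.9 event=login result=failure
2024-03-04T02:13:20Z user=bob src=203.0.113.9 event=login result=failure
2024-03-04T02:13:27Z user=bob src=203.0.113.9 event=login result=failure
2024-03-04T02:13:33Z user=bob src=203.0.113.9 event=login result=success
2024-03-04T02:14:02Z user=bob src=203.0.113.9 event=query table=patients rows=3000
2024-03-04T12:30:00Z user=etl_svc src=10.1.9.2 event=query table=patients rows=3000
"""

FAIL_THRESHOLD = 5                      # this many failures ...
FAIL_WINDOW = timedelta(minutes=10)     # ... inside this window is a burst
BUSINESS_HOURS = range(8, 18)           # 08:00-17:59 UTC, weekdays only
SERVICE_ACCOUNTS = {"etl_svc"}          # batch accounts expected to run at any hour
CONFIDENTIAL_TABLES = {"patients": {"etl_svc", "dr_smith"}}   # table -> entitled accounts

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<fields>.+)$")


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(f.split("=", 1) for f in m["fields"].split())
    rec["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyse(log_text):
    """Return alerts (dicts with severity, user, rule, at) in time order."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])        # the sample is not time-ordered
    alerts = []
    failures = defaultdict(list)               # user -> recent failure timestamps
    bursting = set()                           # users currently in a failure burst

    def alert(severity, rec, rule):
        alerts.append({"severity": severity, "user": rec["user"], "rule": rule, "at": rec["ts"]})

    for rec in records:
        user, ts = rec["user"], rec["ts"]
        if rec.get("event") == "login":
            if rec.get("result") == "failure":
                recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
                failures[user] = recent
                if len(recent) >= FAIL_THRESHOLD and user not in bursting:
                    bursting.add(user)
                    alert("high", rec, "failed_login_burst")
            else:
                if user in bursting:           # guessing attack that then succeeded
                    alert("critical", rec, "success_after_burst")
                    bursting.discard(user)
                    failures[user].clear()
                off_hours = ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS
                if off_hours and user not in SERVICE_ACCOUNTS:
                    alert("medium", rec, "off_hours_login")
        elif rec.get("event") == "query":
            table = rec.get("table")
            if table in CONFIDENTIAL_TABLES and user not in CONFIDENTIAL_TABLES[table]:
                alert("high", rec, "unentitled_confidential_read")
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f'{a["at"]:%H:%M:%S} {a["severity"]:8} {a["user"]:8} {a["rule"]}')
```

Each alert names the rule and the account, so the manual half of the process (an analyst deciding whether bob's 02:13 login from 203.0.113.9 is a compromised account or a night-shift colleague) starts from a specific question rather than from a raw log. The entitlement list for confidential tables is the same information the classification schema in activity 8 produces, which is why the two activities are usually maintained together.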
8. Classify information confidentiality
• Organisational data will have varying levels of confidentiality
• The organisation needs to specify and document those levels in a classification schema, e.g.:
• General
• Available to everyone including the general public
• Internal use only
• Limited to employees with limited risk in the event of
disclosure
• May be shown or discussed but not copied outside the
organisation
• Confidential
• Not shared outside the organisation
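Added example (Python, not from the lecture slides) covering both activity 6 (data access views and permissions) and activity 8 (classifying confidentiality). Each column of a constructed patients table carries one of the three labels from the schema above; one view per clearance level exposes only the columns classified at or below that level, and an SQLite authorizer refuses any read that bypasses the views, including a read by a fully cleared user who goes straight to the base table. The table, its column labels, the sample rows and the clearance names are assumptions for illustration; in a server database the same effect is obtained with GRANTs on the views.

```python
"""Added example (not from the lecture slides): confidentiality classification
enforced through views plus an SQLite authorizer. Table, columns, rows and
clearance names are constructed for illustration."""
import sqlite3

LEVELS = {"general": 0, "internal": 1, "confidential": 2}   # least -> most sensitive
TABLE = "patients"
COLUMNS = [                      # (column, classification label from the schema)
    ("patient_id", "internal"),
    ("name", "internal"),
    ("ward", "general"),
    ("diagnosis", "confidential"),
    ("medicare_no", "confidential"),
]
ROWS = [                         # constructed sample data
    (1, "Ann Lee", "A", "asthma", "2345 67890 1"),
    (2, "Raj Patel", "B", "fracture", "3456 78901 2"),
]


def visible_columns(clearance):
    """Columns a holder of `clearance` may see: those classified at or below it."""
    return [c for c, label in COLUMNS if LEVELS[label] <= LEVELS[clearance]]


def view_name(level):
    return f"{TABLE}_{level}"


def build_database():
    """In-memory database with the base table and one view per clearance level."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} ({', '.join(c for c, _ in COLUMNS)})")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?, ?)", ROWS)
    for level in LEVELS:
        conn.execute(f"CREATE VIEW {view_name(level)} AS "
                     f"SELECT {', '.join(visible_columns(level))} FROM {TABLE}")
    conn.commit()
    return conn


def make_authorizer(clearance):
    """SQLite calls this while preparing each statement; it may allow or deny each read."""
    allowed = {view_name(lvl) for lvl, rank in LEVELS.items() if rank <= LEVELS[clearance]}

    def authorize(action, arg1, arg2, dbname, via):
        if action != sqlite3.SQLITE_READ:
            return sqlite3.SQLITE_OK
        # arg1: table or view being read; via: the view performing the read, if any.
        if arg1 in allowed or via in allowed:
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY   # direct base-table read, or a view above clearance
    return authorize


def read_as(conn, clearance, sql):
    """Run a read-only query under `clearance`; return rows, or None if refused."""
    conn.set_authorizer(make_authorizer(clearance))
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:            # "not authorized", or a column the view lacks
        return None
    finally:
        # Leave a permit-all authorizer behind (passing None needs Python 3.11+).
        conn.set_authorizer(lambda *args: sqlite3.SQLITE_OK)


if __name__ == "__main__":
    db = build_database()
    for level in LEVELS:
        print(level, "sees", visible_columns(level))
    print(read_as(db, "internal", "SELECT name, ward FROM patients_internal"))
    print(read_as(db, "internal", "SELECT diagnosis FROM patients_confidential"))  # None
    print(read_as(db, "confidential", "SELECT diagnosis FROM patients"))           # None
```

The authorizer receives the name of the view doing the read as its fifth argument, which is what lets a SELECT through patients_internal succeed while the same columns read straight from patients are refused even for a confidential clearance: every access path goes through a view whose definition can be audited against the classification schema. Keep the view definitions under change control alongside that schema, since reclassifying a column is then a one-line change to COLUMNS followed by rebuilding the views.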
9. Audit data security
• Auditing data security is a recurring control activity.
Responsibility:
• Analyze, Validate, Counsel and Recommend
policies, standards and activities related to data
security management
• Internal or external auditors may perform audits
• Auditors must be independent of the people/roles responsible for the data, so that the audit’s findings are objective
9. Audit data security (cont’d)
• Auditing is not a fault-finding mission
• Its goal is to provide management and the data
governance council with objective, unbiased
assessments and rational, practical
recommendations
9. Audit data security (cont’d)
• Auditing data security includes, among others:
• Analyzing data security policy and standards against best
practices and needs
• Analyzing implementation procedures and actual practices
to ensure consistency with data security goals
• Verifying the organization is in compliance with regulatory
requirements
• Reviewing the reliability and accuracy of data security
audit data
• Evaluating procedures and notification mechanisms in the
event of a data security breach
10. Data Security in an outsourced
world
Organisations may choose to outsource certain IT functions, such as application development or database administration; the data those functions touch is then handled by people outside the organisation’s direct control
Outsourced Data Security
What about outsourcing security itself?
This is called security as a service.
This type of security outsourcing, where
security is delivered as a service from
the cloud and without on-premise
hardware, is growing 12% year-on-year.
Outsourced Data Security
(cont’d)
• Messaging security is particularly suited. Firstly, e-mail
travels through external gateways anyway. Secondly, e-
mail transmission has variable latency measured in
minutes, so adding an external gateway won't delay
things noticeably.
• Of those companies using some form of security-as-a-
service, 84% used e-mail antispam services. Antivirus
was the second most common with 42% share among
security-as-a-service users.
• Other services include cloud-based firewalls, intrusion-
prevention systems (IPS), protection against distributed
denial of service (DDoS) and vulnerability scanning.
Outsourced Data Security
(cont’d)
• You can outsource almost anything, but not your
liability
• Any form of outsourcing increases risk to the
organisation, including some loss of control over the
technical environment and the people working with the
organisation’s data
• Data security risk is escalated to include the outsource
vendor, so any data security measures and processes
must now look at the risk from the outsource vendor not
only as an external, but also as an internal risk
Causes of data breaches
• Verizon issues an annual report on data breaches
in collaboration with industry partners and law
enforcement agencies.
• http://www.verizonenterprise.com/DBIR/
Attacks usually fall into a few categories (figure not reproduced):
Disclosing data breaches
• Legislation exists in some jurisdictions to enforce mandatory reporting of data breaches to authorities as well as to affected individuals, with heavy penalties for non-compliance
Data breach disclosure in
Australia (1/2)
• In August 2008 the Federal Government released a 2700
page Australian Law Reform Commission (ALRC) report
that recommended 295 changes to privacy laws and
practices in Australia
• The Data Breach Notification Guide was released in April 2012. In its own words, “The central purpose of the Guide is to urge organisations that hold personal information to voluntarily put in place reasonable measures to deal with data breaches”
• Mandatory notification re-emerged as the Privacy Amendment (Privacy Alerts) Bill 2013
Data breach disclosure in
Australia (2/2)
• The Privacy Amendment (Privacy Alerts) Bill 2013 would have amended the Privacy Act with two new provisions:
• “Serious data breach”, which outlines the circumstances in which an entity would have committed a serious data breach, and
• “Notifying serious data breaches”, which outlines the circumstances in which an entity must notify of a serious data breach and to whom it must do so
• The Committee recommended that an entity be required to notify affected individuals and the Privacy Commissioner when a breach of specified personal information gives rise to a “real risk of serious harm” to individuals
• The 2013 Bill lapsed. Mandatory notification was eventually enacted by the Privacy Amendment (Notifiable Data Breaches) Act 2017, whose scheme commenced on 22 February 2018 and uses a “likely to result in serious harm” threshold
This Week’s Workshop
Workshop: Read the following articles on the biggest data
breaches in the history of the USA and Australia.
https://www.upguard.com/blog/biggest-data-breaches-us
https://www.upguard.com/blog/biggest-data-breaches-australia
Discuss in your group and with the class how the CIA triangle was
violated through:
a) the Yahoo breach, b) the JP Morgan Chase breach,
c) the Optus breach, d) the Medibank breach, e) the Australian
National University breach
Then read the following article and discuss in your group and with
the class about the World Anti-Doping agency breach and the
implications of data integrity breaches:
https://www.sbs.com.au/sport/article/wada-claims-hackers-may-have-altered-tue-docs/il9xe3fyh