Data Security

Revision as of 01:27, 19 May 2020 by User (talk | contribs)

Definition of Data Security

Data Security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.[1]

Data security refers to protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites. Data security also protects data from corruption. Data security is an essential aspect of IT for organizations of every size and type. Data security is also known as information security (IS) or computer security.[2]



Why Data Security?[3]

Organizations around the globe are investing heavily in information technology (IT) cyber defense capabilities to protect their critical assets. Whether an enterprise needs to protect a brand, intellectual capital, and customer information or provide controls for critical infrastructure, the means of incident detection and response used to protect organizational interests have three common elements: people, processes, and technology.


Ensuring Data Security[4]

While data security isn’t a panacea, you can take several steps to ensure data security. Here are a few that we recommend.

  • Quarantine Sensitive Files: A rookie data management error is placing a sensitive file on a share open to the entire company. Quickly get control of your data with data security software that continually classifies sensitive data and moves data to a secure location.
  • Track User Behavior against Data Groups: The general term for the problem plaguing rights management within an organization is “overpermissioning”. That temporary project or the rights granted on the network rapidly become a convoluted web of interdependencies, with the result that users collectively have access to far more data on the network than they need for their role. Limit a user’s potential for damage with data security software that profiles user behavior and automatically puts in place permissions to match that behavior.
  • Respect Data Privacy: Data Privacy is a distinct aspect of cybersecurity dealing with the rights of individuals and the proper handling of data under your control.
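As an added illustration of the "quarantine sensitive files" step above (example code written for this page, not from Varonis or any product it describes): a small Python scanner that classifies files on a constructed share using two PII patterns, treats the POSIX world-readable bit as the stand-in for "a share open to the entire company", and moves matching exposed files to a quarantine directory with owner-only permissions. The patterns, file names and sample contents are all constructed for the demo.

```python
import os
import re
import shutil
import stat
import tempfile

# Constructed patterns for two sensitive-data classes; real classifiers use many more.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(number):
    """Luhn checksum: rejects random digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def classify(text):
    """Return the set of sensitive-data labels found in a file's text."""
    labels = set()
    if SSN_RE.search(text):
        labels.add("ssn")
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(text)):
        labels.add("card")
    return labels

def open_to_everyone(path):
    """The POSIX 'other' read bit stands in for a share readable by the whole company."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def scan_share(share_dir, quarantine_dir):
    """Classify every file; move sensitive files that are world-readable into quarantine."""
    report = {}
    os.makedirs(quarantine_dir, exist_ok=True)
    for root, _, files in os.walk(share_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="ignore") as f:
                labels = classify(f.read())
            exposed = bool(labels) and open_to_everyone(path)
            if exposed:
                dest = os.path.join(quarantine_dir, name)
                shutil.move(path, dest)
                os.chmod(dest, 0o600)  # owner-only once quarantined
            report[name] = (sorted(labels), exposed)
    return report

def demo():
    """Constructed share with four files (content, mode); returns the scan report."""
    base = tempfile.mkdtemp()
    share, quarantine = os.path.join(base, "share"), os.path.join(base, "quarantine")
    os.makedirs(share)
    samples = {"payroll.txt": ("Employee SSN 123-45-6789 on file", 0o644),
               "orders.csv": ("card,4111 1111 1111 1111,paid", 0o644),
               "notes.txt": ("Lunch order: 1234567890123 pizzas", 0o644),
               "hr-private.txt": ("SSN 987-65-4321", 0o600)}
    for name, (content, mode) in samples.items():
        p = os.path.join(share, name)
        with open(p, "w") as f:
            f.write(content)
        os.chmod(p, mode)
    return scan_share(share, quarantine)
```

The notes.txt digit run fails the Luhn check and is left alone, and hr-private.txt is sensitive but already restricted, so only the two exposed files are moved.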


Data Security Compliance and Standards[5]

When an organization collects any kind of personal data, it instantly becomes known as a data processor. This label comes with a lot of responsibility. For this reason, there are a number of compliance regulations that govern organizations dealing in personal data regardless of the type or volume. The regulations that affect your organization will depend on a selection of factors, such as the industry you are operating in and the type of data you store. For example, if you store data relating to citizens in the European Union (EU) you will need to comply with the latest GDPR regulations. Failure to comply with any regulations that affect your organization could result in hefty fines. Other regulatory compliance and standards examples include:

  • NERC - Critical Infrastructure Protection
  • China's Personal Information Security Specification
  • PCI Security Standards

Regulatory compliance requirements often vary by data type. A few common examples include:

  • Personally Identifiable Information (PII)
  • Protected Healthcare Information (PHI, HIPAA)
  • Credit card information


Data Security Best Practices[6]

There are many parts to a comprehensive data-security solution. Below is an overview of what should come together to create a good foundation for data security. What a best practice looks like for your business will depend on many factors, such as size, industry, location, and existing tools and policies.

  • Securing information
    • Manage your identity by restricting access to sensitive documents. Sometimes called data classification, managing who can see what based on their user ID is a great way to keep sensitive information restricted to only those who need to see it. This limits the amount of damage that can be done if someone's username or login details are stolen. Companies should be set up to handle different permissions based on the user, and this is a key point in a good data-security policy.
    • Encryption is one of the best tools that we have to keep data safe, but it isn't a monolith. You can't just decide to encrypt all of your data and call it a day — that's not exactly how it works. Often, software tools that you use for your business will have some sort of encryption offered, and that's a great place to start. Your information-backup service, for example, should be able to encrypt that data for you. You should also make sure you encrypt transmissions to add another layer of security onto any information you send. Think of encryption as taking your plain data and turning it into a secret code that only you can make heads or tails of — not the bad guys.
    • Be prepared for the mobile workforce. As mobile devices take over the workplace, your security threats grow. You need a mobile security plan to keep everyone in line. This should include an enforced protocol for employees, like staying off public Wi-Fi on work devices and having a company-mandated antivirus on mobile devices.
    • Protect user data at the source. When customers and employees log in for the first time (or repeated times), you can verify and secure their information with secure authentication practices like social login. This not only simplifies the process and reduces the risk of churn, but it also helps organize all of this sensitive data in a single location instead of in multiple databases and spreadsheets that can easily be lost.
  • Preparing for Threats
    • Test how good your system is. The best defense is a good offense, and the best offense in secure data recovery is working to ensure you don't lose your data in the first place. Either create an internal team to stress-test your system, or find someone outside your company to do it, but don't leave your security to chance.
    • Educate your employees. Common data-security attacks like spear-phishing emails and USB traps target employees who are unaware of the risks and have let their guard down. Circulating everyday tips on security or implementing an executive training program can go a long way toward mitigating these risks.
    • Have an incident-management plan. When you find out that your company's security has been compromised, the last thing you want to do is panic. Having a comprehensive protocol can limit the damage done. Yes, IT needs to be aware of what to do, but you should also create guidelines for management, letting employees know, and next steps for recovery.
    • Make a secure data recovery plan in case of corruption or the unhappy scenario where something you need has been deleted or compromised. For many teams, this means having a backup copy of data that is regularly updated. The backup itself will have to be protected and should also be separate from the rest of your data.
  • Deleting information
    • Know how and when to let go. When it's time to get rid of information, you need to know how to dispose of it properly. When you have to throw out sensitive information on paper, you shred it. You cut up your credit cards and write "VOID" on checks before disposing of them. Digital data is no different. Make sure that when you're wiping information, it's really gone and not lingering somewhere that will come back to bite you.
    • Don't forget physical copies. If any of your backups are on paper, are stored on a thumb drive, are X-rays or microfilm or negatives — or anything else that's physical and totally separate from your digital systems — don't forget about them. When you're deleting digital information, make sure that part of the process is double-checking to see whether that information has a physical counterpart and, if so, destroying it in kind.
  • Compliance risks
    • There are rules and regulations that govern what you should and cannot do with your business's data, and they can help lower your risks. Especially if you are dealing with sensitive information, looking toward these laws and guidelines will help give you a better sense of what is appropriate for your company. For example, it's likely that companies in the medical field are required to follow HIPAA requirements.
    • You can also reduce compliance risks by following open standards. Take identity management, which has guidelines that are available for everyone to follow, with the explicit purpose of being as safe and responsible as possible.
    • Of course, everyone is talking about the GDPR and related laws like the California Consumer Privacy Act (CCPA). These points for data privacy and sharing will help broaden and deepen your existing protocol.
    • To ensure that you are exposed to the least risk possible, be thorough in your investigation of the laws that apply to your company and the best practices that have developed in your field or for your concerns. This will depend heavily on industry and location, but it needs to be done correctly to ensure that your data security is as good as possible.


See Also

Data Access
Data Analysis
Data Analytics
Data Architecture
Data Asset Framework (DAF)
Data Buffer
Data Center
Data Center Infrastructure
Data Center Infrastructure Management (DCIM)
Data Cleansing
Data Collection
Data Compatibility
Data Consolidation
Data Deduplication
Data Delivery Platform (DDP)
Data Description (Definition) Language (DDL)
Data Dictionary
Data Discovery
Data Driven Organization
Data Element
Data Enrichment
Data Entry
Data Federation
Data Flow Diagram
Data Governance
Data Health Check
Data Hierarchy
Data Independence
Data Integration
Data Integration Framework (DIF)
Data Integrity
Data Island
Data Item
Data Lake
Data Life Cycle
Data Lineage
Data Loss Prevention (DLP)
Data Management
Data Migration
Data Minimization
Data Mining
Data Model
Data Modeling
Data Monitoring
Data Munging
Data Portability
Data Preparation
Data Presentation Architecture
Data Processing
Data Profiling
Data Proliferation
Data Propagation
Data Protection Act
Data Prototyping
Data Quality
Data Quality Assessment (DQA)
Data Quality Dimension
Data Quality Standard
Data Reconciliation
Data Reference Model (DRM)
Data Science
Data Security
Data Stewardship
Data Structure
Data Structure Diagram
Data Suppression
Data Transformation
Data Validation
Data Value Chain
Data Vault Modeling
Data Virtualization
Data Visualization
Data Warehouse
Data Wrangling
Data and Information Reference Model (DRM)
Data as a Service (DaaS)
Database (DB)
Database Design
Database Design Methodology
Database Management System (DBMS)
Database Marketing
Database Schema
Database System
Security Architecture
Security Policy
Security Reference Model (SRM)
Information Security Governance
Information Security
Adaptive Security Architecture (ASA)
Business Model for Information Security (BMIS)
Cognitive Security
Common Data Security Architecture (CDSA)
Federal Information Security Management Act (FISMA)
Payment Card Industry Data Security Standard (PCI DSS)
Computer Security
Enterprise Information Security Architecture (EISA)
Fault Configuration Accounting Performance Security (FCAPS)
Graduated Security
Information Systems Security (INFOSEC)
Information Security Management System (ISMS)
Information Technology Security Assessment
Mobile Security
Network Security
Cyber Security


References

  1. Definition - What Does Data Security Mean? Wikipedia
  2. What is Data Security? Techopedia
  3. Why Data Security? Microfocus
  4. How Do You Ensure Data Security? Varonis
  5. Data Security Compliance and Standards ForcePoint
  6. What Are Best Practices for Data Security? Auth0