Major Categories for Security Controls
There are six major categories for security controls, as follows:
• Operational: Rules and procedures that protect systems and applications.
• Administrative: Management controls, expressed as actions, policies, and procedures, that enforce standards.
• Architecture level: Security controls built into the way systems are interconnected.
• Software level: Security controls implemented within the software itself.
• Active control: Controls that respond to incidents as they happen.
• Proactive control: Controls that spot active threats early, before they cause harm.
Data Security in Outsourcing Mode
In modern times, outsourcing is common for development, maintenance, and even security administration. Outsourcing has led to additional data security challenges and responsibilities across the world. Keep in mind that responsibilities are shared: control mechanisms can be transferred to a vendor, but responsibility and liability cannot. These heightened risks are managed by the following:
• Clauses in the outsourcing contract: Limited-liability provisions; service-level agreements; the right to audit; and clear, precise, pre-defined consequences for breaching these provisions.
• Monitoring and controls: Frequent and detailed data security auditing; monitoring of the vendor's system activities; tracking the lineage, chain of custody, and flow of data across systems; constant communication with the service vendor, including regular data security reports from the vendor; controlling unauthorized access to your organization's data; and a clear RACI matrix (Responsible, Accountable, Consulted, Informed) covering all roles, vendors, and geographies, so that it is known in advance who takes which action when an event occurs.
Guiding Principles
The following are some of the guiding principles for security management at the data layer:
• Collaboration: Data security is managed by the IT security team, along with IT stewards. It is governed, shaped, and directed by multiple stakeholders, from the data governance council and its committee members to business stewards, internal and external audit teams, and the legal department. Data security policies should be reviewed collaboratively and approved by the data governance council.
• Enterprise-level approach: Standards, policies, and procedures must be designed and applied consistently across the entire organization.
• Clear accountabilities: Roles, ownership, and responsibilities must be clearly defined across the extended enterprise, including customers, suppliers, and business partners.
• Metadata-driven: Data security is driven by metadata. Classifying data elements is an essential part of both data definitions and business definitions. Security of the data layer is achieved by applying multiple controls, such as version control, access control, identity and role management, group management, password management, and data and group membership management.
• Proactive management: Staying a step ahead in data security management is critical. Regular engagement with stakeholders, and managing organizational and cultural change, are also essential. Regularly monitoring servers and systems for the flow of information helps.
• Reduce exposure: Minimize the amount of sensitive or confidential data held at every layer of security.