Data Security Flashcards
Masking/ encryption will
render the data unreadable without the keys
13 guiding principles of data security
- responsible trustee of data
- comply with regulations
- Use CRUD matrices to help map data access needs
- data security policy should be updated and approved by the data governance council (DGSC)
- identify application security requirements on projects
- classify all enterprise data for confidentiality
- Passwords should follow complexity guidelines
- security role groups
- request, track and approve all user and group authorisations
- centrally manage user identity data and group membership data
- use views or partitions to restrict access to sensitive columns or specific views
- strictly limit and consider every use of shared or service user accounts
- monitor data access activity to understand trends
Classifications of data
PII, business critical, financially critical
Password best practice
3 or 4 random words
Goldilocks Principle
balance must be met based on the damage/harm that could be caused
Four sources of data security requirements
- business needs
- government regulations
- stakeholder concerns
- legitimate business concerns
Security control legislation EU
- EU GDPR
- BASEL II and Solvency II
- BCBS 239 Basel committee
- PCI-DSS
Security control legislation US
- HIPAA
- Sarbanes-Oxley Act
- CCPA
- CPRA
Four As
Authentication
Authorisation
Access
Audit
Sarbanes-Oxley Act
prevents unauthorised modification of financial transactions
Solvency II
Protecting lineage of data feeding risk models
Active Audit
Parsing instructions and data before they are returned to the user
Passive Audit
Looking at what has happened
CCPA
statute to enhance privacy rights and consumer protection (California)
ISO standards
set out critical requirements for an information security standard in an organisation
ISO/IEC 29100
about the technology e.g. firewalls
ISO/IEC 27001
how to manage information security
ISO/IEC 27701
extension of 27001 relating to GDPR
Standards should influence
- access control
- use of devices
- disposal processes
CIA
confidentiality, integrity, availability
CIA Integrity
preventing undetectable modification of information