
Eduvos (Pty) Ltd (formerly Pearson Institute of Higher Education) is registered with the Department of Higher Education and Training as a private higher education institution under the Higher Education Act, 101, of 1997. Registration Certificate number: 2001/HE07/008.
Date: Monday, 20 May 2024, 8:40 AM

ITDSA2-12 (2024)
1.1. Notes [ ± 60 min ]

1. Learning outcomes

By the end of this lesson, you should be able to:


Define the role of data as a corporate asset and the responsibilities of a database administrator.
Analyse security measures, database administration tools, and data administration strategy
development.
Evaluate the role of a database administrator in cloud environments using specific database
management systems.
Prescribed Reading
Carlos Coronel and Steven Morris. 2023. Database Systems: Design, Implementation,
& Management. 14th ed. Cengage Learning. Print ISBN: 9780357673034,
0357673034, eText ISBN 9780357673096, 0357673093
Chapter 16 (Textbook)
Page 715 – 760


2. Database Security and Administration

Database security comprises the mechanisms that protect the database against intentional or accidental threats.
It is concerned with avoiding the following situations: theft and fraud, loss of confidentiality (secrecy),
loss of privacy, loss of integrity, and loss of availability.
A threat is any situation or event, whether intentional or accidental, that will adversely affect a system
and consequently an organization.
Computer-based security controls for the multi-user environment include authorization, access controls,
views, backup and recovery, integrity, encryption, and RAID technology.
Authorization is the granting of a right or privilege that enables a subject to have legitimate access to a
system or a system’s object. Authentication is a mechanism that determines whether a user is who he or
she claims to be.
Backup is the process of periodically taking a copy of the database and log file (and possibly programs)
on to offline storage media. Journaling is the process of keeping and maintaining a log file (or journal) of
all changes made to the database to enable recovery to be undertaken effectively in the event of a failure.
Integrity constraints also contribute to maintaining a secure database system by preventing data from
becoming invalid, and hence giving misleading or incorrect results.
Encryption is the encoding of the data by a special algorithm that renders the data unreadable by any
program without the decryption key.
Cloud computing is the use of computing software or hardware resources that are delivered over a
network and accessed typically from a Web browser or mobile application.
Impact of Data Quality on Company Assets and Competitive Position:
Data quality refers to the accuracy, completeness, consistency, relevance, and timeliness of data.
Poor data quality can negatively impact a company's assets and competitive position in several ways,
such as:
Inaccurate data can lead to wrong decisions and actions, which can result in financial losses and
damage to reputation.
Incomplete data can cause missed opportunities and hinder innovation and growth.
Inconsistent data can lead to confusion and conflicts among different stakeholders.
Irrelevant data can waste resources and distract from essential insights.
Untimely data can cause delays and missed deadlines, resulting in lost opportunities and customer
dissatisfaction.
On the other hand, high-quality data can provide a competitive advantage by enabling better decision-
making, innovation, customer satisfaction, and cost-effectiveness.

Role of Database in Supporting Operational, Tactical, and Strategic Decision-Making:


A database is a collection of related data that is organized and managed for easy access and retrieval.
Databases support decision-making at different levels of an organization, such as:
Operational decision-making involves routine tasks and activities that support day-to-day business
operations, such as sales, inventory, and customer service. Databases can support operational
decision-making by providing real-time data, automated workflows, and transaction processing.
Tactical decision-making involves short-term planning and resource allocation to achieve specific
goals, such as marketing campaigns, budgeting, and production planning. Databases can support
tactical decision-making by providing historical data, trend analysis, and forecasting.
Strategic decision-making involves long-term planning and direction-setting for the organization,
such as mergers and acquisitions, market entry, and innovation. Databases can support strategic
decision-making by providing market intelligence, competitive analysis, and performance metrics.
Impact of DBMS Introduction on Technological, Managerial, and Cultural Aspects of an Organization:
A Database Management System (DBMS) is a software system that manages the storage, retrieval, and
manipulation of data in a database.
The introduction of a DBMS can have several impacts on the technological, managerial, and cultural
aspects of an organization, such as:
Technological impact: DBMS can improve data accessibility, security, and integrity, automate tasks,
reduce redundancy and inconsistency, and enable scalability and interoperability. However, it can also
require significant investments in hardware, software, and training, and may face compatibility issues
with existing systems.
Managerial impact: DBMS can enhance decision-making, increase efficiency and productivity, improve
collaboration and communication, and enable better resource allocation and risk management.
However, it can also require changes in organizational structure, roles, and responsibilities, and may
face resistance from employees who are not familiar with the technology.
Cultural impact: DBMS can foster a data-driven culture that values accuracy, transparency, and
accountability, and encourages innovation and continuous improvement. However, it can also
challenge existing norms, beliefs, and practices, and may require changes in attitudes, behaviors, and
incentives.

2.1. Potential threats to database security


There are various types of threats that adversely affect the database system. Threats are classified into
two categories, namely, accidental and malicious (or intentional) threats.
Accidental threats
A system error can give a user access to a portion of the database that should not be accessible to
him/her.
Improper authorization can be accidentally assigned to a user by the authorizer, which could lead to
security violations.
Failure of the memory protection hardware could result in erratic responses from the database.
Concurrent usage of the database could lead to database inconsistency if a proper synchronization
mechanism is not implemented.
Malicious or intentional threats
Hackers can get into parts of the system that they are not authorized to access. They could then
intentionally update or even delete secret and valuable information in the database.
An authorized user of an organization could give valuable information to competitors for
personal gain.
Programmers and/or developers on the database development team could easily access the database
files, although not authorized to do so, and update the data.

Stolen Laptops
Forgetful or careless laptop owners whose equipment is taken expose data on that laptop to persons not
authorized to have access to the data. This can also happen if a laptop is replaced and the hard drive on
the original machine is not properly erased or destroyed.

Weak Authentication
A legitimate database user typically is required to submit an ID and password in order to gain access to a
protected database. Authentication is the process (internal to the database program itself) by which the
credentials of the user are verified and access may be granted. If the process of authentication is weak,
an attacker can assume the identity of a legitimate user by stealing or obtaining login credentials.
Credentials may be illegitimately obtained by various means:
Credential theft. The attacker accesses password files or finds a paper on which the legitimate user
has written down the ID and password.
Social engineering. The attacker deceives someone into providing the login ID and password by posing
as a supervisor, IT maintenance personnel, or other authority.
Brute-force attacks. The attacker systematically tries many candidate passwords until one is accepted;
short or predictable passwords fall to this quickly.

Theft of Database Backup Tapes or Hard Drives


Database backups typically do not have the same security measures in place that the primary database
employs. These backups may not be encrypted, and the media on which backups are stored are also
unprotected. Theft of the backup media may allow the attacker full access to the data stored within the
backup.
2.2. Risk Assessments

In the business environment, it is critical that a thorough risk assessment takes place and is periodically
reviewed. The assessment should address:
who has access to what data
the circumstances under which access to the database may need to change
who maintains the passwords needed to access the database
who uses the company's computers for access to the internet, e-mail programs, etc., and how
employees access those resources
what type of firewalls and anti-malware solutions to put in place
the training of the staff
who has responsibility for enforcement procedures related to data security

2.3. Countermeasures to database threats


Countermeasures range from physical controls to administrative controls. The security of a Database
Management System (DBMS) is only as good as the security of the operating system on which it runs.
We consider the following computer-based security controls in a multiuser environment:
Authorization and authentication.
Access control - Restricting which users may reach which information also yields a record of who has
access to particular data. In a case of data theft, sifting through the timeline of access granted to users
makes it easier to track down the culprit.
Data encryption - Data that is kept unencrypted can be misused by cybercriminals who obtain it. Data
should therefore be encrypted with unique keys so that vital information stored in databases is not
leaked; when the data is encrypted and only the authorised user holds the decryption key, theft of the
stored data does not expose its contents.
Email security - The procedures that protect an email account and its contents from unauthorised
access. Measures such as strong email passwords and end-to-end encryption of the emails or messages
sent between people prevent misuse of data, since email is a popular channel for attackers to spread
malware, spam and phishing attacks. An example is the end-to-end encryption used by WhatsApp.
Risk-assessment analysis - Organizations have to take a proactive approach to information security
concerns. The main aim of conducting a risk assessment is to identify the risks pertaining to the
information stored in an organization's systems. Through risk assessment analysis, an organization can
understand and assess the internal and external risks to the security and confidentiality of personal
information stored on various media, such as laptops and portable devices.
Monitor effectiveness - It is critical for an organization to verify the security programs it has
established and to determine whether they actually manage the cyber security measures implemented
to safeguard the organization's information. Regular testing and monitoring of information security
programs, annually or quarterly, also helps to assess the number of attacks made against an
organization's data.
Strong firewall - A firewall is part of a system's cyber security measures. It protects a system from the
internet traffic and services to which it is exposed, since those services are reachable by everyone on
the internet. Firewalls therefore control who gains access to an organization's systems, including
insider attacks that originate from within the organization's own network. Antivirus software protects
files; firewalls protect against unauthorised access to or use of the network by controlling the internet
traffic generated on a network used for work.
Antivirus protection - Antivirus protection comes in the form of antivirus software, a program designed
to prevent, detect and deal with the cyber security threats that an organization may face. An antivirus
runs background scans on a system to detect and restrict unauthorised access in the form of malware
and to protect the system from the vulnerabilities it may face. These solutions are extremely important
for data security and must be installed on computer systems; they are available not only for laptops
and desktops but also for mobile devices, and help to fight unwanted threats to files and data.
Back-up regularly - Data security protects the information stored on a system from unauthorised
access and destruction, and includes network security. To avoid loss of data, copies of the data should
be made regularly and kept somewhere safe where they cannot be accessed or tampered with by
anyone. Securing the data in this way also helps to prevent accidental modification of data, theft of
data, breaches of confidentiality agreements, and release of data before it has been verified and
authenticated.
2.4. Database Administrator and its roles
A Database Administrator (DBA) is a professional who is responsible for designing, implementing,
maintaining, and securing a database system(s) of an organization through the use of either application
software or existing systems. The DBA must have an extensive understanding of database queries,
theories, server systems, and computing skills in order to work successfully for a company.
The managerial roles of a DBA include:
Planning and designing the database system to meet the organization's needs and objectives.
Monitoring and optimizing the database system's performance and resource utilization.
Ensuring data security, privacy, and compliance with legal and regulatory requirements.
Managing the database system's users, access, and permissions, and enforcing data quality standards.
Coordinating with other IT and business units to integrate the database system with other systems
and applications.
The technical roles of a DBA include:
Installing, configuring, and upgrading the database software and related tools.
Creating, modifying, and deleting database objects, such as tables, indexes, and views.
Backing up and restoring the database and implementing disaster recovery plans.
Troubleshooting and resolving technical issues, such as performance bottlenecks, data corruption, and
system crashes.
Writing and optimizing queries and scripts to extract, transform, and load data.
Maintaining documentation, logs, and reports to track the database system's activities and
performance.
Overall, the DBA plays a critical role in ensuring the database system's availability, reliability, security, and
performance, and enabling the organization to leverage its data as a strategic asset.

3. Access Control
Access control refers to the mechanisms and policies put in
place to regulate who can access what data within a database
system and what actions they can perform on that data. Access
control ensures that only authorized users or processes are
granted access to the database, thereby protecting sensitive
information from unauthorized access, modification, or
disclosure. A typical way to control access to a database
system is based on granting and revoking privileges. A privilege
allows a user to create or drop database objects such as
relational tables, views and indexes, to access them in read or
write mode, or to perform certain operations. Privileges are
granted to a user so that they can accomplish their tasks;
excessive privileges can compromise security. A user who
creates a database object becomes its owner and automatically
receives all privileges on that object. The DBMS keeps track of
all granted privileges to ensure that only the selected users can
access and perform operations on the database objects.

3.1. Authentication and Authorization

The goal of database security is to ensure that only authorized
users can perform authorized activities at authorized
times. These security requirements can then be enforced using
the security features of the DBMS. The goal is usually broken
into two parts: authentication, which makes sure the user has
the basic right to use the system in the first place,
and authorization, which assigns the authenticated user
specific rights or permissions to do specific activities on the
system. For example, a person who can supply a particular
password may be authorized to read any record in a database
but cannot necessarily modify any of those records. As shown
in Figure 1, user authentication is achieved by requiring the
user to log in to the system with a password (or other means of
positive identification, such as a biometric scan of a
fingerprint), whereas user authorization is achieved by granting
DBMS-specific permissions.

Figure 1: Database Security Authentication and Authorization

Definition of Distinctive Terms
1. PRIVILEGES: Privileges are the right to execute particular
SQL statements. The database administrator (DBA) is a high-
level user with the ability to grant users access to the database
and its objects. The users require system privileges to gain
access to the database and object privileges to manipulate the
content of the objects in the database. Users can also be given
the privilege to grant additional privileges to other users or to
roles, which are named groups of related privileges. DBAs
generally allocate system privileges; any user who owns an
object can grant object privileges.
2. SCHEMA: A schema is a collection of objects, such as
tables, views, and sequences. The schema is owned by a
database user and has the same name as that user. In this
course, your schema name is a combination of your
city, state/country, your school name, course name and student
number. Database security can be classified into two
categories: system security and data security.
3. SYSTEM SECURITY: This level of security covers access to and
use of the database at the system level. There are more than
100 distinct system privileges. Managing the system-level
privileges, such as the ability to create or remove users, to
remove or back up tables, the disk space allocated to users, and
the system operations that users can perform, is the job of the DBA.
3.2. Authentication Schemes

Authentication verifies the identity of users or processes
attempting to access the database. This process ensures that
only legitimate users with valid credentials (e.g., username and
password) are granted access. Authentication methods can
include passwords, biometrics, multi-factor authentication
(MFA), certificates, etc. In a DBMS platform, a user can prove his
or her identity by supplying one or more of the following
factors:
1. Something the user knows, usually a password or personal
identification number (PIN).
2. Something the user possesses, such as a smart card or
token.
3. Some unique personal characteristic, such as a fingerprint
or retinal scan.
Authentication schemes are called one-factor, two-factor, or
three-factor authentication, depending on how many of these
factors are employed. Authentication becomes stronger as
more factors are used.

PASSWORDS: The password is a one-factor authentication
scheme used to validate users of a DBMS. With such a
scheme, anyone who can supply a valid password can log on to
a database system. (A user ID may also be required, but user
IDs are typically not secured.) A DBA (or perhaps a system
administrator) is responsible for managing schemes for issuing
or creating passwords for the DBMS and/or specific
applications.
STRONG AUTHENTICATION:
Two-factor authentication schemes require two of the three
factors: something the user has (usually a card or token) and
something the user knows (usually a PIN). This scheme is much
more secure than using only passwords because (barring
carelessness) it is quite difficult for an unauthorized person to
obtain both factors at the same time.
Three-factor authentication is normally implemented with a
high-tech card called a smart card (or smart badge). A smart
card is a credit card–sized plastic card with an embedded
microprocessor chip that can store, process, and output
electronic data in a secure manner. Using smart cards can be a
very strong means to authenticate a database user. In addition,
smart cards can themselves be database storage devices and
can store several gigabytes of data. Smart cards can provide
secure storage of personal data, such as medical records or a
summary of medications taken.
Creating and Managing User Accounts
One of the most basic administrative requirements for a
database is to identify the users. Each user who connects to
your database should have an account.
1. Password Authenticated Users
When a user with password authentication attempts to
connect to the database, the database verifies that the
username is a valid database account and that the password
supplied matches that user’s password as stored in the
database. Password authenticated user accounts are the most
common and are sometimes referred to as database
authenticated accounts. With a password authenticated
account, the database stores the encrypted password in the
data dictionary. For example, to create a password
authenticated user named User_1 with a password
of welcome, you execute the following:
CREATE USER User_1 IDENTIFIED BY welcome;
The keywords IDENTIFIED BY password (in this
case, password is welcome) tell the database that this user
account is a password authenticated account.
2. Externally Authenticated Users
When an externally identified user attempts to connect to the
database, the database verifies that the username is a valid
database account and trusts that the operating system has
performed authentication. Externally authenticated user
accounts do not store or validate a password in the
database. For example, to create an externally authenticated
user named oracle, using the default OS_AUTHENT_PREFIX,
you execute the following:
CREATE USER ops$oracle IDENTIFIED EXTERNALLY;
The keywords IDENTIFIED EXTERNALLY tell the database that
this user account is an externally authenticated account.

3.3. Authorization

Authorization determines what actions an authenticated user
or process is allowed to perform within the database. It
involves assigning permissions or privileges to users based on
their roles, responsibilities, or specific access rights.
Authorization controls access at a granular level, specifying
which users can read, write, modify, or delete data, as well as
which database objects they can access (e.g., tables, views,
stored procedures).
Authentication (when the user logs in to the system) by itself is
not sufficient for use of the database—unless the user has
been granted permissions, he or she cannot access the
database or take any actions that use it. Permissions can be
managed using SQL Data Control Language (DCL) statements:
1. The GRANT statement is used to assign permissions to
users and groups, so that the users or groups can perform
various operations on the data in the database.
2. The REVOKE statement is used to take existing permissions
away from users and groups.

Granting and Revoking of Privileges

Privileges allow a user to access database objects or execute
stored programs that are owned by another user. Privileges
also enable a user to perform system-level operations, such as
connecting to the database, creating a table, or altering the
database. Normally, only selected persons in data
administration have authority to access and modify these
tables. For example, in Oracle, the privileges included in Table 1
can be granted to users at the database level or table level.
INSERT and UPDATE can be granted at the column level. Where
many users, such as those in a particular job classification,
need similar privileges, roles may be created that contain a set
of privileges, and then all the privileges can be granted to a
user simply by granting the role. In the Oracle DBMS, there are
three types of privileges, which are discussed below:
1. Object privileges: Permissions on schema objects such as
tables, views, sequences, procedures, and packages. To use a
schema object owned by another user, you need privileges on
that object.
2. System privileges: Permissions on database-level
operations, such as connecting to the database, creating users,
altering the database, or consuming unlimited amounts of
tablespace.
3. Role privileges: Object and system privileges that a user
has by way of a role. Roles are tools for administering groups of
privileges.
We will focus on the basic Object and Role privileges as other
privileges are beyond the scope of this module.

Table 1: Basic Object and Role Privileges


Privilege    Capability
SELECT       Query the object.
INSERT       Insert records into the table/view. Can be given for specific columns.
UPDATE       Update records in the table/view. Can be given for specific columns.
DELETE       Delete records from the table/view.
ALTER        Alter the table.
INDEX        Create indexes on the table.
REFERENCES   Create foreign keys that reference the table.
EXECUTE      Execute the procedure, package, or function.

The basic form of this statement is:

GRANT <privilege list>
ON <relation name or view name>
TO <user/role list>;
The privilege list allows several privileges to be granted in one
command. To grant the ability to read the Product table and
update prices to the user with the login ID User_1, the
following SQL command may be given:
GRANT SELECT, UPDATE (UnitPrice) ON Product TO User_1;
To give read access on the Customer table to multiple users,
we issue the command:
GRANT SELECT ON Customer TO User_1, User_2;
Similarly, we can revoke privileges from a particular user or
users by issuing the following command:
REVOKE <privilege list>
ON <relation name or view name>
FROM <user/role list>;

Thus, to revoke the privileges that we granted previously, we
write:
REVOKE SELECT, UPDATE ON Product
FROM User_1;
Note that Oracle does not allow a column-level privilege to be
revoked on its own: the UPDATE privilege is revoked for the
whole table, and a narrower column grant can then be re-issued
if needed. To revoke access from multiple users on the Customer
table, we issue the command:
REVOKE SELECT ON Customer
FROM User_1, User_2;

3.4. Encryption

Encryption involves the process of converting sensitive data
into a ciphertext format using cryptographic algorithms. This
ciphertext is unreadable without the corresponding decryption
key, thereby protecting the confidentiality of the data stored in
the database. Encryption is an essential mechanism for
safeguarding sensitive information from unauthorized access,
interception, and tampering.
Encryption requires a cipher system, which consists of the
following components:
An encrypting algorithm, which takes the normal text
(plaintext) as input, performs some operations on it, and
produces the encrypted text (ciphertext ) as output
An encryption key, which is part of the input for the
encrypting algorithm and is chosen from a very large set of
possible keys
A decrypting algorithm, which operates on the ciphertext
as input and produces the plaintext as output
A decryption key, which is part of the input for the
decrypting algorithm and is chosen from a very large set of
possible keys

3.5. Roles and Role Privileges

A role is a set of access rights (privileges) that are usually
grouped together and assigned to one or more database users
instead of granting the privileges to each user individually. It is
a named group of related privileges that is created with the
CREATE ROLE statement and can then be granted to users.
Privileges can be granted to a role, and then that role can be
granted to other roles and users. Once the roles are
created, authorizations can be granted on the roles to the
database users either individually or as a group depending on
the activities expected to be carried out on the DBMS. This
method makes it easier to revoke and maintain privileges.
A general syntax for granting object privileges to users or to a role is as follows:
GRANT <object privilege> [(<column 1>, <column 2>, ... <column n>)]
ON <object>
TO {<user 1>[, <user 2>, ... <user n>] | <role> | PUBLIC}
[WITH GRANT OPTION];

In SQL, a role is created as follows:
CREATE ROLE EmployeeRole;
After a role is created, a set of privileges is assigned to it as
follows:
GRANT SELECT ON Product TO EmployeeRole;

Roles can be granted to users, as well as to other roles, as
these statements show:
GRANT EmployeeRole to User_1, User_2;
This implies that ALL privileges assigned to EmployeeRole role
would be automatically passed (inherited) to User_1 and
User_2.
Enabling Roles
Roles can be enabled or disabled selectively in each database
session. If you have two concurrent sessions, the roles in effect
for each session can be different. For example, to enable the
role "Role_Name", execute the following:
SET ROLE Role_Name;

Disabling Roles
Roles can be disabled in a database session either en masse or
by exception. Use the SET ROLE NONE statement to disable all
roles. Use the SET ROLE ALL EXCEPT role_list statement
to enable all roles except those in the comma-delimited
role_list.
There is no way to selectively disable a single role. Also, you
cannot disable roles that you inherit by way of another role
without disabling the parent role.

Revoking A Role
A ROLE can be removed from a user by using the REVOKE
keyword, following the format below (a role is revoked as a
whole, so no ON clause is needed):
REVOKE <role_name>
FROM {<user 1>[, <user 2>, ... <user n>] | <role>};
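As an added worked example (not part of the course notes or of Oracle's documentation), the following Oracle SQL script ties together the account creation of 3.2, the GRANT and REVOKE statements of 3.3 and the role handling of this section into one least-privilege setup. The SALES schema, its PRODUCT and CUSTOMER tables, the UNITPRICE column, the role and account names and the placeholder passwords are all assumed for illustration; run it as a DBA, except the SET ROLE statements, which belong in the user's own session.

```sql
-- Added example, not from the course notes. Assumed: a SALES schema owning
-- PRODUCT (with column UNITPRICE) and CUSTOMER; placeholder passwords.

-- 1. Accounts (3.2). Password-authenticated users; CREATE SESSION is the
--    system privilege needed merely to connect.
CREATE USER clerk_1   IDENTIFIED BY Placeholder_Pwd_1;
CREATE USER pricing_1 IDENTIFIED BY Placeholder_Pwd_2;
GRANT CREATE SESSION TO clerk_1, pricing_1;

-- 2. Roles instead of per-user grants (3.5). Read-only access to both tables
--    goes into one role; price maintenance into another, which inherits the
--    read role so its holders can still query what they are allowed to change.
CREATE ROLE sales_reader;
GRANT SELECT ON sales.product  TO sales_reader;
GRANT SELECT ON sales.customer TO sales_reader;

CREATE ROLE pricing_editor;
GRANT sales_reader TO pricing_editor;                          -- role granted to a role
GRANT UPDATE (unitprice) ON sales.product TO pricing_editor;   -- column-level (Table 1)

-- 3. Grant roles, not individual privileges, to people.
GRANT sales_reader   TO clerk_1;
GRANT pricing_editor TO pricing_1;

-- 4. Verify the result from the data dictionary instead of trusting the script.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('CLERK_1', 'PRICING_1');
SELECT role, owner, table_name, column_name, privilege
  FROM role_tab_privs
 WHERE role IN ('SALES_READER', 'PRICING_EDITOR');

-- 5. In pricing_1's own session: roles are switched per session, the grants
--    themselves are untouched (3.5 Enabling/Disabling Roles).
SET ROLE NONE;                        -- only directly granted privileges remain
SELECT role FROM session_roles;       -- returns no rows now
SET ROLE ALL EXCEPT pricing_editor;   -- also drops sales_reader: a role held only
                                      -- through a parent cannot outlive the parent
SET ROLE pricing_editor;              -- sales_reader is enabled again with it

-- 6. Off-boarding (3.5 Revoking a Role): revoke the role, not each grant.
REVOKE pricing_editor FROM pricing_1;

-- 7. Narrowing a role later: Oracle cannot revoke a single column's UPDATE, so
--    revoke the whole object privilege and re-grant the narrower set.
REVOKE UPDATE ON sales.product FROM pricing_editor;
GRANT UPDATE (unitprice) ON sales.product TO pricing_editor;
```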

3.6. Measures for protecting personally identifiable information against unauthorized access

Protecting databases and the data contained within them can be a
costly and all-consuming activity. Here are a few rules of
thumb that you can implement:
Keep your passwords to yourself.
Do not leave a slip with a list of passwords under your computer, or anywhere where it can be viewed or taken by someone. Just giving your password to a friend is not a good idea, either.

Use different passwords for different accounts.
Remembering multiple passwords can be a challenge, and it's often convenient to use the same password for multiple accounts, ranging from Facebook and your bank account to your Twitter page. The danger here is that a compromise of any one of these accounts could also result in the compromise of others if the same password is used for multiple accounts.

Use strong passwords.
Many of your user IDs must have strong passwords to gain entry into one or more systems. In those instances when you can choose any password configuration, pick a strong password to protect your information.

Check your credit reports annually.
Sometimes people don't learn that they're victims of identity theft until their credit rating and identity are destroyed. It's proactive to get copies of your credit reports from the credit bureaus and carefully review them for any errors. Be sure to follow up with the credit bureaus to make any corrections to your reports, if needed. By law, you can get one free credit report from each of the three credit bureaus every year.

Google yourself.
Enter your own name in Google, Yahoo or another search engine and see what data comes up. Investigate any postings about yourself in the information that you find. Look for any suggestions that your PII may be compromised.

Remember that people can be a very weak link in security.
No matter how secure you make your passwords and how careful you are with your technology, there is always a human element to protecting your information.

Control physical access to your devices.
It's important not to leave laptops and other mobile devices unattended in public locations, like a coffee shop or other location with free WiFi. An unattended machine is at risk, for both theft and other security threats. When you aren't controlling physical access to your machine, you shouldn't let it out of your sight.

Remember to log out of a website when you are finished using it.
Whether it's your email, bank account, retail store shopping account or library account, always remember to log out when you leave the website.

Remember to lock your computer with a password when you are finished using it.
By requiring a password to access your computer (or other electronic device) you are protecting your information. You are also making your computer useless to a thief who cannot break password locks.

3.7. Security management

Security management means minimizing the interruption of
business activities and reducing vulnerability to various
attacks. Security deals with the different trust aspects of
information.
Security is not restricted to computer systems; it applies to
every aspect of securing data or information, in whatever form
it is held. Security is achieved by using several methods at the
same time, or in combination with one another.
There are six principles of security management:
1. Availability - The continuous accessibility of systems refers
to the procedures, policies and controls used to ensure prompt
access to data for authorized customers. This principle protects
against deliberate or inadvertent attempts to deny legitimate
customers' access to data.
2. Integrity of data or systems - System and data integrity
relates to the procedures, policies and controls used to
guarantee that data has not been modified in an unauthorized
way and that systems are free from unauthorized manipulation
that would compromise accuracy, completeness and consistency.
3. Confidentiality of data or systems - Confidentiality covers
the procedures, policies and controls used to protect the data of
customers and the organization against unauthorized access or
use.
4. Accountability - Accountability incorporates the procedures,
policies and controls needed to trace actions to their source.
Accountability directly supports non-repudiation, intrusion
prevention and detection, deterrence, security monitoring,
recovery and the legal admissibility of records.
5. Assurance - Assurance addresses the procedures, policies
and controls used to create confidence that technical and
operational security measures are working as intended.
6. Privacy - Privacy centres on the legal rights of individuals,
the purposes for which data is collected and processed, privacy
preferences, and the way in which organizations handle
individuals' data. It focuses on how to collect, process, share,
archive and delete information in accordance with the law.
