MANAJEMEN DATA ENTERPRISE (ISI413)

Data Security Management

Sistem Informasi | Fakultas Rekayasa Industri | Telkom University
Data Security Management

Data Security Management Context Diagram

Definition: Planning, development, and execution of security policies and procedures to provide
proper authentication, authorization, access, and auditing of data and information. .

Goal:
1. Enable appropriate, and prevent inappropriate, access and change to data assets.
2. Meet regulatory requirements for privacy and confidentiality.
3. Ensure the privacy and confidentiality needs of all stakeholders are met.

Inputs: Activities: Primary Deliverables:

• Business Goals 1. Understand Data Security Needs and Regulatory Requirements (P) • Data Security Policies
• Business Strategy 2. Define Data Security Policy (P) • Data Privacy and Confidentiality
• Business Rules 3. Define Data Security Standards (P) Standards
• Business Process 4. Define Data Security Controls and Procedures (D) • User Profiles, Passwords and
• Data Strategy Memberships
5. Manage Users, Passwords, and Group Membership (C)
• Data Privacy Issues • Data Security Permissions
6. Manage Data Access Views and Permissions (C)
• Related IT Policies and Standards • Data Security Controls
7. Monitor User Authentication and Access Behavior (C)
• Data Access Views
8. Classify Information Confidentiality (C) • Document Classifications
Suppliers: 9. Audit Data Security (C) • Authentication and Access History
• Data Stewards • Data Security Audits
• IT Steering Committee
Participants: Tools:
• Data Stewardship Council
• Data Stewards • Database Management System Consumers:
• Government
• Customers • Data Security Administrators • Business Intelligence Tools
• Data Producers
• Database Administrators • Application Frameworks
• Knowledge Workers
• BI Analysts • Identity Management Technologies • Managers
• Data Architects • Change Control Systems
• Executives
• DM Leader
• Customers
• CIO/CTO • Data Professionals
• Help Desk Analysts

Activities: (P) – Planning , (C) – Control, (D) – Development, (O) – Operational

MANAJEMEN DATA ENTERPRISE (ISI413) - SISTEM INFORMASI | FRI TEL U - COURTESY TRANSFORMA INSTITUTE 1 1
 Data Security Management

5. Manage Users, Passwords, and Group Membership

Access and update privileges can be granted to Security Role Hierarchy Example Diagram
individual user accounts, but this approach
results in a great deal of redundant effort
Role Groups
• enable security administrators to define
privileges by role, and
• to grant these privileges to users by
enrolling them in the appropriate role
group.
> While it may be technically possible to enroll
users in more than one group, this practice may
make it difficult to understand the specific
privileges granted to a specific user.
> Whenever possible, try to assign each user to
only one role group.
Define Role Hierarchy
• Construct group definitions at a workgroup
or business unit level
• Organize roles in a hierarchy, so that child
roles further restrict the privileges of
parent roles.

MANAJEMEN DATA ENTERPRISE (ISI413) - SISTEM INFORMASI | FRI TEL U - COURTESY TRANSFORMA INSTITUTE 2 2
 Data Security Management

5. Manage Users, Passwords, and Group Membership

Things to Remember Security Role Hierarchy Example Diagram
• Security administrators create, modify, and
delete user accounts and groups.
• Changes made to the group taxonomy and
membership should require some level of
approval, and tracking using a change
management system.

Things to Consider
• Data consistency in user and group
management is a challenge in a
heterogeneous environment.
• User information such as name, title, and
number must be stored redundantly in
several locations.
• These islands of data often conflict,
representing multiple versions of the
‘truth‘.
• To avoid data integrity issues, manage user
identity data and role-group membership
data centrally.

MANAJEMEN DATA ENTERPRISE (ISI413) - SISTEM INFORMASI | FRI TEL U - COURTESY TRANSFORMA INSTITUTE 3 3
 Data Security Management

5. Manage Users, Passwords, and Group Membership

Password Standards and Procedures
• Passwords are the first line of defense in
protecting access to data.
• Every user account should be required to
have a password set by the user (account
owner) with a sufficient level of password
complexity defined in the security
standards, commonly referred to as ‘strong‘
passwords.
• Do not permit blank passwords.
Typical password complexity requirements
• Contain at least 8 characters.
• Contain an uppercase letter and a numeral.
• Not be the same as the username.
• Not be the same as the previous 5 passwords used.
• Not contain complete dictionary words in any language.
• Not be incremental (Password1, Password2, etc).
• Not have two characters repeated sequentially.
• Avoid using adjacent characters from the keyboard.
• If the system supports a space in passwords, then a ‘pass phrase‘ can be used.

The Need for Identity Management System Password maintenance

• Traditionally, users have had different accounts and passwords for each
individual resource, platform, application system, and / or workstation. This
approach requires users to manage several passwords and accounts.
• Organizations with enterprise user directories may have a synchronization
mechanism established between the heterogeneous resources to ease user
password management.
• In such cases, the user is required to enter the password only once, usually
when logging into the workstation, after which all authentication and
authorization is done through a reference to the enterprise user directory.
• An identity management system implements this capability, commonly
referred to as the 'single-sign-on'.
• Ongoing maintenance of passwords is
normally a user responsibility, requiring users
to change their passwords every 45 to 60 days.
• When creating a new user account, the
generated password should be set to expire
immediately so users can set their passwords
for subsequent use.
• Security administrators and help desk analysts
assist in troubleshooting and resolving
password related issues.

MANAJEMEN DATA ENTERPRISE (ISI413) - SISTEM INFORMASI | FRI TEL U - COURTESY TRANSFORMA INSTITUTE 4 4
Data Security Management
6. Manage Data Access Views
and Permissions
• Data security management involves not just preventing
inappropriate access, but also enabling valid and
appropriate access to data.
• Most sets of data do not have any restricted access
requirements.
• Control sensitive data access by granting permissions
(opt-in).
• Without permission, a user can do nothing.
> Relational database views provide another important
mechanism for data security, enabling restrictions to data
in tables to certain rows based on data values.
> Views can also restrict access to certain columns,
allowing wider access to some columns and limited access
to more confidential fields.
MANAJEMEN DATA ENTERPRISE (ISI413) - SISTEM INFORMASI | FRI TEL U - COURTESY TRANSFORMA INSTITUTE
7. Monitor User Authentication and
Access Behavior
Monitoring authentication and access behavior is critical
because:
• It provides information about who is connecting and
accessing information assets, which is a basic
requirement for compliance auditing.
• It alerts security administrators to unforeseen
situations, compensating for oversights in data security
planning, design, and implementation.
> Monitoring helps detect unusual or suspicious
transactions that may warrant further investigation and
issue resolution.
> Perform monitoring either actively or passively.
> Automated systems with human checks and balances in
place best accomplish both methods.
5 5
Data Security Management

8. Classify Information Confidentially 9. Audit Data Security

• Classify an enterprise‘s data and information products • Auditing data security is a recurring control activity
using a simple confidentiality classification schema. with responsibility to analyze, validate, counsel, and
• Most organizations classify the level of confidentiality recommend policies, standards, and activities related
for information found within documents, including to data security management.
reports. • Auditing is a managerial activity performed with the
A typical classification schema might include the following help of analysts working on the actual implementation
five confidentiality classification levels: and details.
1. For General Audiences (set as default): Information • Internal or external auditors may perform audits;
available to anyone, including the general public. however, auditors must be independent of the data
2. Internal Use Only: Information limited to employees and / or process involved in the audit.
or members, but with minimal risk if shared. Internal Data security
>• Monitoring helpsauditors
detect should
unusualnot have direct
or suspicious
use only may be shown or discussed, but not copied responsibility
transactions for the
that may activities
warrant being
further audited, toand
investigation help
outside the organization. issueensure
resolution.
the integrity of the auditing activity and results.
3. Confidential: Information which should not be shared Auditing
>• Perform is not a faultfinding
monitoring mission.
either actively The goal of
or passively.
outside the organization. Client Confidential auditing issystems
> Automated to provide
withmanagement
human checks and thebalances
and data in
information may not be shared with other clients. place best accomplish
governance councilboth
withmethods.
objective, unbiased
4. Restricted Confidential: Information limited to assessments, and rational, practical recommendations.
individuals performing certain roles with the “need to
know”. Restricted confidential may require individuals
to qualify through clearance.
5. Registered Confidential: Information so confidential
that anyone accessing the information must sign a
legal agreement to access the data and assume
responsibility for its secrecy.
MANAJEMEN DATA ENTERPRISE (ISI413) - SISTEM INFORMASI | FRI TEL U - COURTESY TRANSFORMA INSTITUTE 6 6
 Data Security Management

Summary Activities Deliverables Responsible Roles Approving Roles Contributing Roles

5.1 Understand Data Security Data Stewards, DM Data Governance Data Stewards,
Data Security Data Security Requirements and Executive, Security Council Legal Department,
Management Needs and Regulations Administrators IT Security
Regulatory
Process Requirements (P)
5.2 Define Data Data Security Policy Data Stewards, DM Data Governance Data Stewards,
Security Policy (P) Executive, Security Council Legal Department,
Administrators IT Security
5.3 Define Data Data Security Data Stewards, DM Data Governance Data Stewards,
Security Standards Standards Executive, Security Council Legal Department,
(P) Administrators IT Security
5.4 Define Data Data Security Security DM Executive Data Stewards, IT
Security Controls Controls and Administrators Security
and Procedures (D) Procedures
5.5 Manage Users, User Accounts, Security Management Data Producers,
Passwords and Passwords, Role Administrators, Data Consumers,
Group Membership Groups DBAs Help Desk
(C)
5.6 Manage Data Data Access Views Security Management Data Producers,
Access Views and Data Resource Administrators, Data Consumers,
Permissions (C) Permissions DBAs Software
Developers,
Management, Help
Desk

MANAJEMEN DATA ENTERPRISE (ISI413) - SISTEM INFORMASI | FRI TEL U - COURTESY TRANSFORMA INSTITUTE 7 7
 Data Security Management

Summary Activities Deliverables Responsible Roles Approving Roles Contributing Roles

Data Security 5.7 Monitor User

Authentication and
Data Access Logs,
Security
Security
Administrators,
DM Executive Data Stewards,
Help Desk
Management Access Behavior (C) Notification Alerts, DBAs
Data Security
Process Reports
5.8 Classify Classified Document Authors, Management Data Stewards
Information Documents, Report Designers,
Confidentiality (C) Classified Data Stewards
Databases
5.9 Audit Data Data Security Audit Data Security Data Governance Security
Security (C) Reports Auditors Council, DM Administrators,
Executive DBAs, Data
Stewards

MANAJEMEN DATA ENTERPRISE (ISI413) - SISTEM INFORMASI | FRI TEL U - COURTESY TRANSFORMA INSTITUTE 8 8
Data Security Management

MANAJEMEN DATA ENTERPRISE (ISI413) - SISTEM INFORMASI | FRI TEL U - COURTESY TRANSFORMA INSTITUTE 9 9