Data security is the practice of protecting files, databases and accounts through controls, applications and procedures that prioritize data privacy and compliance.
The main elements of data security are confidentiality, integrity and availability. A model built on these three elements makes it possible to secure data and protect it from unauthorized access and theft. In practice this means:
- Confidentiality – access to data only for authorized persons;
- Integrity – the data is reliable and accurate;
- Availability – data is available to meet business needs.
The main points to pay attention to in order to ensure data security:
- Data location. To provide a high level of data protection, it is necessary to know where the data is stored;
- Data access. Uncontrolled access and infrequent permission reviews expose the company to the risk of data misuse and theft;
- Continuous monitoring and real-time data change alerts. This approach makes it possible to track compliance with regulatory requirements and to detect unusual activity, suspicious accounts and changes in system operation in time.
Technologies that prevent leakage, reduce risk and provide reliable protection:
- Data audit makes it possible to check the operation of all components, detect errors in time and eliminate them;
- Real-time data alerts make it possible to track data activity and to detect more quickly suspicious behavior and security breaches that lead to accidental destruction, loss or modification of data, or to unauthorized disclosure of and access to personal data;
- Data threat assessment helps identify the most vulnerable sensitive data, provides a detailed explanation of each vulnerability and suggests ways and recommendations to eliminate security threats;
- Data minimization means collecting and storing only the data the business actually needs. A large amount of unnecessary data gives no competitive advantage but can damage the company's reputation if it is leaked. It is important to analyze the business's data needs and minimize data volumes;
- Aged data removal. If the data is not on the network, it cannot be compromised. It is worth deploying systems that monitor file access and automatically archive unused files.
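The monitoring items above (continuous change alerts and real-time data alerts) and the aged data removal item can be shown together in one script. The following Python program is an added example, not code from the original page: it takes an integrity baseline of a share (SHA-256 per file), reports files that were added, removed or modified since the baseline, and moves files that have not been touched for a configurable number of days into an archive directory. The directory layout, the 365-day threshold and the sample files are constructed for the demonstration; modification time is used instead of access time because many filesystems do not maintain atime.

```python
"""Added example (not from the original page): a baseline-and-diff file change
monitor plus an aged-data finder. Paths, thresholds and sample files are constructed."""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional


def snapshot(root: Path) -> Dict[str, str]:
    """Integrity baseline: relative POSIX path -> SHA-256 of file contents."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify what changed between two baselines; any non-empty bucket is an alert."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def stale_files(root: Path, max_idle_days: int, now: Optional[float] = None) -> List[str]:
    """Files not modified for more than max_idle_days. mtime is used rather than atime
    because filesystems mounted with relatime/noatime do not maintain atime reliably."""
    now = time.time() if now is None else now
    cutoff = now - max_idle_days * 86400
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mtime < cutoff)


def archive_stale(root: Path, archive_dir: Path, max_idle_days: int) -> List[str]:
    """Move stale files out of the live share into archive_dir, keeping their layout."""
    moved = []
    for rel in stale_files(root, max_idle_days):
        dst = archive_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        (root / rel).replace(dst)  # assumes archive_dir is on the same filesystem
        moved.append(rel)
    return moved


def demo() -> Dict[str, object]:
    """Constructed scenario: take a baseline, make changes, then run the monitor and the archiver."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "share"
        (root / "hr").mkdir(parents=True)
        (root / "hr" / "salaries.csv").write_text("name,salary\nalice,100\n")
        (root / "readme.txt").write_text("public notice\n")
        old = root / "hr" / "old_report.txt"
        old.write_text("quarterly report, long obsolete\n")
        long_ago = time.time() - 400 * 86400
        os.utime(old, (long_ago, long_ago))  # make it look untouched for 400 days

        baseline = snapshot(root)
        # Events the monitor should catch: a modification, a deletion and a new file.
        (root / "hr" / "salaries.csv").write_text("name,salary\nalice,999\n")
        (root / "readme.txt").unlink()
        (root / "hr" / "export.csv").write_text("name,salary\n")
        changes = diff_snapshots(baseline, snapshot(root))

        archived = archive_stale(root, Path(tmp) / "archive", max_idle_days=365)
        return {"changes": changes, "archived": archived}


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored outside the monitored share (and ideally signed), the comparison would run on a schedule or from filesystem events, and each non-empty bucket of `diff_snapshots` would be routed to an alerting system rather than printed.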
Ensuring data security:
- Isolation of confidential files. A confidential file should not be placed in a public folder. Data security software makes it possible to classify sensitive data and move it to a safe location;
- Tracking user behavior. A frequent problem is that business users have excessive access and permissions to data, more than they need to fulfill their duties according to their role in the company. Software that monitors user behavior and automatically sets appropriate permissions can reduce the harm a user can do.
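The excessive-permission problem described above is usually handled by a periodic access review: compare what each account can actually do against what its role needs, and strip the difference. The following Python script is an added example, not code from the original page or any particular product. The role baseline, the user-to-role mapping and the ACL grants are constructed sample data; directory entries in the baseline that end in "/" cover everything beneath them.

```python
"""Added example (not from the original page): a least-privilege access review.
The role baseline, user-to-role mapping and ACL grants are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

Grants = Dict[str, Set[str]]  # path -> set of permissions

# Assumed role baseline: what each role legitimately needs. A key ending in "/"
# applies to every path under that directory.
ROLE_BASELINE: Dict[str, Grants] = {
    "accountant": {"finance/ledger.xlsx": {"read", "write"}, "finance/reports/": {"read"}},
    "sales": {"crm/accounts.csv": {"read"}},
}


@dataclass(frozen=True)
class Finding:
    user: str
    path: str
    excess: frozenset
    reason: str


def baseline_perms(role: Optional[str], path: str) -> Optional[Set[str]]:
    """Permissions the role is entitled to on path, or None if the path is outside its baseline."""
    if role is None or role not in ROLE_BASELINE:
        return None
    rules = ROLE_BASELINE[role]
    if path in rules:
        return rules[path]
    dirs = [d for d in rules if d.endswith("/") and path.startswith(d)]
    if not dirs:
        return None
    return rules[max(dirs, key=len)]  # longest matching directory prefix wins


def review_access(users: Dict[str, str], grants: Dict[str, Grants]) -> List[Finding]:
    """Flag every grant that exceeds the user's role baseline (or that has no role at all)."""
    findings = []
    for user, acl in grants.items():
        role = users.get(user)
        for path, perms in acl.items():
            allowed = baseline_perms(role, path)
            if role is None:
                excess, reason = set(perms), "no role assigned (orphaned or service account)"
            elif allowed is None:
                excess, reason = set(perms), f"path outside baseline for role {role}"
            else:
                excess, reason = set(perms) - allowed, f"permissions beyond baseline for role {role}"
            if excess:
                findings.append(Finding(user, path, frozenset(excess), reason))
    return findings


def apply_least_privilege(grants: Dict[str, Grants], findings: List[Finding]) -> Dict[str, Grants]:
    """Return a pruned copy of grants with every flagged excess removed; empty entries are dropped."""
    pruned = {u: {p: set(perms) for p, perms in acl.items()} for u, acl in grants.items()}
    for f in findings:
        pruned[f.user][f.path] -= f.excess
    return {u: {p: s for p, s in acl.items() if s} for u, acl in pruned.items() if any(acl.values())}


# Constructed sample: alice holds a delete right she does not need, bob can write to
# the CRM and read an HR file outside his role, and svc_legacy has no role at all.
USERS = {"alice": "accountant", "bob": "sales"}
GRANTS: Dict[str, Grants] = {
    "alice": {"finance/ledger.xlsx": {"read", "write", "delete"}, "finance/reports/q1.pdf": {"read"}},
    "bob": {"crm/accounts.csv": {"read", "write"}, "hr/salaries.csv": {"read"}},
    "svc_legacy": {"finance/ledger.xlsx": {"read"}},
}

if __name__ == "__main__":
    found = review_access(USERS, GRANTS)
    for f in found:
        print(f"{f.user:10} {f.path:25} remove {sorted(f.excess)}  ({f.reason})")
    print(apply_least_privilege(GRANTS, found))
```

Running the review a second time over the pruned grants returns no findings, which is the property a scheduled job would assert on; in practice the pruning step would open tickets or feed an identity-governance workflow rather than rewriting ACLs directly.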
Data security rules
There are certain data security regulations, such as HIPAA (Health Insurance Portability and Accountability Act), SOX (Sarbanes-Oxley Act), GDPR (General Data Protection Regulation), etc. They impose the following requirements on organizations:
- understanding what sensitive data they have;
- providing data upon request;
- confirming that data protection measures are in use.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was approved by the US Congress and enacted on August 21, 1996 to modernize the flow of medical information and to protect personal information held by healthcare facilities and the health insurance industry from fraud and theft. The law requires the organizations concerned to adopt security standards that take into account the technical capabilities of the record systems that store health information, the cost of security measures, and the value of computerized record systems.
Primary requirements:
- Continuous monitoring of file activity and access to confidential information;
- Access control;
- Record keeping.
Sarbanes-Oxley Act (SOX)
This US law introduces more stringent requirements for financial reporting and for the process by which it is prepared. Under this law, public companies are required to provide an annual assessment of the effectiveness of their internal financial audit.
Primary requirements:
- Ongoing monitoring and auditing: companies must include in their annual reports an assessment of the internal controls that ensure the integrity of financial reporting, together with an audit attestation;
- Access control, especially to critical computer systems, is the most important aspect of compliance with the law. It is necessary to know which administrators have changed security settings and access rights on file servers and their contents, and to keep a detailed history of access and of any changes to user data;
- To provide evidence of compliance, it is necessary to generate a detailed report indicating how data is used, each user interaction with files and confidential data, and the permission changes that affect access rights to information.
General Data Protection Regulation (GDPR)
This EU regulation defines how organizations process personal data. It covers the protection of EU citizens' personal data such as insurance numbers, dates of birth, email addresses, IP addresses, phone numbers, account numbers, etc.
Primary requirements:
- Data classification: understanding where data is stored, protecting it, and fulfilling requests for the correction and deletion of personal data;
- Continuous monitoring: notification of a breach within 72 hours;
- Metadata: setting limits on data retention (collecting and storing only the data that is needed) and determining when data needs to be archived;
- Data management: understanding who has access and who should have access to data in corporate systems, and restricting access rights according to the business user's role.