An organization's data is a vital corporate asset. So how do you determine how much security is enough to adequately protect that data?
Editor's Note: This is an introduction to the white paper "Protecting Your Data: How Much Security Is Enough?" available for free from the MC White Paper Center.
The answer to how much security is enough depends on the type of data, its value to your organization, and your organization's policy requirements. If the data stored on your systems is governed by a law or regulation (such as HIPAA or PCI DSS), then those laws and regulations may dictate how much is enough—at least to be in compliance with those laws and regulations. However, your organization may decide that those requirements are not sufficient to adequately secure the data. In this case, you may add additional requirements for securing the data.
In ensuring compliance with SOX, for example, you will be implementing policies that are designed to ensure that the financial information is accurate and can be relied on. At a minimum, access control settings of the databases containing financial information will enforce the appropriate role-based access.
On the surface, this may seem like an easy and obvious task. Provide application access only to the to the users of that application and customize—by role—what tasks users are allowed to perform within the application. That's one step. The other step is to make sure that the access rights to the database where the data is stored are set properly. Many application providers and security administrators ignore this step, leaving data directly accessible via ODBC or FTP connections by users without a business need to access the data. Depending on the access control setting, these users may be able to just read the data. But some application providers and developers will leave the access at a level that allows users to change data or delete records.
The answer to the how-much question for data that isn't under the control of a law or regulation is based solely on the value of the data to your organization. This is the consideration that most organizations forget to make. While many organizations consider the damage to their reputation if private data were lost or stolen, most fail to consider the damage that would be caused by losing non-regulated data. For example, many fail to consider what would happen if their pricing or supplier information got into the hands of their competitors or if a non-profit's donor list were published on the Internet.
Numerous benefits are realized by answering the question "How much security is enough?" and then securing your organization's data appropriately. Be sure your discussion includes the following:
- Compliance with regulatory requirements
- Privacy and confidentiality of data
- Integrity of data
- Availability of data
Editor's Note: For a more in-depth discussion on this topic, request the white paper "Protecting Your Data: How Much Security Is Enough?" available free from the MC White Paper Center.