
Chapter 13: Data Security & Disaster Recovery Database Management Systems.


1 Chapter 13: Data Security & Disaster Recovery Database Management Systems

2 Agenda
Data security threat locations & consequences.
Data Security Management: Controls
Data Security Plan
Information Privacy
Security in MS Access & SQL Server
Global state of data security (PWC survey)
Database back-up & recovery
Virginia ILIE, Ph.D.

3 Data Security
What is happening?
 Stolen customer/student/health records.
 Online fraud
 Corporate espionage
 Phishing… viruses… how long can this list get?
FBI report: 3,000 clandestine organizations in the US with a sole purpose: steal secrets and acquire technology for foreign organizations.

4 Data Security: Threats Location

5 Data Security: Consequences
Loss of privacy (personal data)
Loss of confidentiality (corporate data)
Loss of data integrity
Loss of availability
Loss of money
Above all: Loss of Credibility, Reputation…

6 Data Security Controls: Authorization
Restrict access to data & actions that people can take on the data.
Authorization table for subjects (e.g. “Salespeople”)
Authorization table for objects (e.g. “Orders”)
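The two tables on the slide are two views of one authorization matrix. The following added example (not from the lecture) builds a deny-by-default matrix and derives the subject view ("what may Salespeople do?") and the object view ("who may do what to Orders?") from it; the subjects, objects and grants are constructed sample data.

```python
from collections import defaultdict

ACTIONS = ("read", "insert", "update", "delete")

# Single source of truth: (subject, object) -> actions explicitly granted.
# Subjects, objects and grants below are constructed sample data.
MATRIX = {
    ("Salespeople", "Orders"):    {"read", "insert"},
    ("Salespeople", "Customers"): {"read"},
    ("Finance", "Orders"):        {"read", "update"},
    ("DBA", "Orders"):            set(ACTIONS),
    ("DBA", "Customers"):         set(ACTIONS),
}

def is_authorized(subject, obj, action):
    """Deny by default: only an explicit grant in the matrix permits the action."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    return action in MATRIX.get((subject, obj), set())

def subject_table(subject):
    """The slide's table for a subject: which objects it may touch, and how."""
    return {o: sorted(a) for (s, o), a in MATRIX.items() if s == subject}

def object_table(obj):
    """The slide's table for an object: which subjects may touch it, and how."""
    return {s: sorted(a) for (s, o), a in MATRIX.items() if o == obj}

def holders_of(action):
    """Review helper: every subject granted a given action, and on which objects."""
    found = defaultdict(list)
    for (s, o), a in MATRIX.items():
        if action in a:
            found[s].append(o)
    return dict(found)

if __name__ == "__main__":
    print(subject_table("Salespeople"))   # {'Orders': ['insert', 'read'], 'Customers': ['read']}
    print(object_table("Orders"))
    print(holders_of("delete"))           # {'DBA': ['Orders', 'Customers']}
```

The `holders_of` check is the kind of periodic review a security plan calls for: it lists who holds a high-impact action such as delete across every object.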

7 Data Security Controls: Authentication
What is authentication?
 First line of defense: Passwords.
 Two-factor authentication – e.g. Token/Card plus PIN.
 Three-factor authentication – e.g. Token/Card, PIN, biometrics.
Advantages and disadvantages of each?

8 Data Security Controls: Encryption
- The encoding of the data by a special algorithm that renders the data unreadable by any program without the decryption key.
- Commonly used in online transactions.
- Two-key encryption: employs a public & private key.

9 Data Security Controls: Non-Computer-Based Controls
Physical access controls
 Equipment locking, check-out procedures, security cameras
Personnel controls
 The “Insider threat”
 84% of attacks originate from current/former employees (40% originate from hackers). Source: CIO Magazine.
Maintenance controls
 Maintenance agreements, access to source code, quality and availability standards

10 Client/Server Security
Network security controls.
Server security controls.
Client workstation security controls.

11 Data Security Plan
Identify assets and estimate their value: hardware, software, data, networks
Threat assessment
Vulnerability assessment
Calculate the impact of each threat/vulnerability on each asset (qualitatively or quantitatively)
Select and apply appropriate controls based on the value of the asset:
 Computer-based controls
 Non-computer-based controls
Evaluate effectiveness of the control measures

12 Data Security Plan: Outcomes
Managerial Decisions:
 Accept the risk
 Mitigate the risk
 Ignore the risk
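Slides 11 and 12 describe the plan in words; the added example below (not from the lecture) carries the quantitative version through: value each asset, rate each threat/vulnerability pair, compute the expected annual loss, and decide accept or mitigate by comparing a control's annual cost with the loss it removes. The asset values, rates and control costs are constructed sample numbers, and the loss formula (single-loss exposure times annual rate) is the standard annualized-loss-expectancy model, which the slides do not name.

```python
from dataclasses import dataclass

@dataclass
class Exposure:
    asset: str
    asset_value: float      # estimated value of the asset (step 1 of the plan)
    threat: str             # threat/vulnerability being assessed
    exposure_factor: float  # fraction of the asset's value lost per incident
    annual_rate: float      # expected incidents per year without the control
    control: str
    control_cost: float     # annual cost of the candidate control
    residual_rate: float    # expected incidents per year with the control

    def ale(self, rate=None):
        """Annualized loss expectancy = single-loss exposure x annual rate."""
        r = self.annual_rate if rate is None else rate
        return self.asset_value * self.exposure_factor * r

    def net_benefit(self):
        """Annual loss the control avoids, minus what the control costs."""
        avoided = self.ale() - self.ale(self.residual_rate)
        return avoided - self.control_cost

    def decision(self):
        """Outcome per slide 12: mitigate when the control pays for itself, else accept."""
        return "mitigate" if self.net_benefit() > 0 else "accept"

def plan(exposures):
    """Rank pairs by expected annual loss and record the decision for each."""
    ranked = sorted(exposures, key=lambda e: e.ale(), reverse=True)
    return [(e.asset, e.threat, round(e.ale()), e.decision()) for e in ranked]

def mitigation_budget(exposures):
    """Total annual spend on the controls selected for mitigation."""
    return sum(e.control_cost for e in exposures if e.decision() == "mitigate")

# Constructed sample register: values, rates and costs are illustrative only.
REGISTER = [
    Exposure("Customer DB", 2_000_000, "disk failure", 0.4, 0.5,
             "disk mirroring", 30_000, 0.02),
    Exposure("Public website", 50_000, "defacement", 0.2, 1.0,
             "web application firewall", 20_000, 0.1),
    Exposure("Payroll data", 500_000, "insider misuse", 0.3, 0.1,
             "separation of duties + access review", 8_000, 0.02),
]

if __name__ == "__main__":
    for row in plan(REGISTER):
        print(row)
    print("annual control budget:", mitigation_budget(REGISTER))
```

With these numbers the website defacement risk is accepted because the firewall would cost more per year than the loss it prevents, while the other two are mitigated.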

13 Security in MS Access: Use of a Password

14 MS Access Permissions

15 MS Access Permissions

16 Security in SQL Server: Permissions

17 Global State of Data Security
Global survey of about 8,000 IT & security executives (PricewaterhouseCoopers, 2005, 2006, 2007)
63 countries and 6 continents, 7200 respondents.
____% reported they had a security strategy in place.
____% said they are considering security in the year(s) to come.

18 Security: Strategic vs. Tactical
Data Security is a “wildfire”
 “When you spend all that time fighting fires, you don’t even have time to come up with new ways to build things so that they don’t burn down” (Security analyst, PWC).
Reactive versus Proactive approach to managing data security.
Bias toward technology.
 Technology is largely reactive!

19 Data Security: Industry Analysis
Financial sector versus others.
Why the gap?

20 What about Security in India?

21 Trends
 The number of CISOs and CSOs employed continues to rise.
 More firms conduct enterprise risk assessments.
Encryption is at an all-time high: 72% of firms use it (2007) compared to 48% (2006).
Security investment must shift from the tactical, technology-heavy approach to an intelligence-centric, risk analysis and mitigation philosophy.
Address the human element, not only the technological one.

22 Data Security
Many times it is a LEGAL requirement.
Sarbanes-Oxley Act of 2002 (Section 404)
Health Insurance Portability and Accountability Act (HIPAA)
State Security Breach Notification Laws
The Family Educational Rights and Privacy Act (FERPA)

23 Compliance?
Percentage of US organizations admitting they are in compliance with security practices in 2006:
SOX: 28%
HIPAA: 40%
California breach notification act: 15%
Other state/local privacy regulations: 32%
Is the door open for criminal charges, lawsuits, fines and more?

24 Database Backup & Recovery
Backup vs. Recovery
 WHY?
 Human error or sabotage
 Hardware failure
 Invalid data
 Application program errors
 Viruses
 Natural disasters and more…

25 Database Backup & Recovery
Back-up Strategies:
 Full shut-down
 Selective shut-down
 Incremental back-up
Recovery Strategies:
 Disk Mirroring: Allows for fastest recovery. Great for applications that require high data availability.
 Restore/Rerun: Not a very good solution.
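The added toy model below (not from the lecture) shows how the slide's strategies fit together: a full backup copies every row, an incremental backup copies only rows written since the previous backup, and restore/rerun rebuilds the database from the full backup, each incremental in order, and finally the writes journaled after the last backup. The database, its rows and the scenario are constructed sample data; the names `ToyDB`, `restore` and `demo_scenario` are this example's own.

```python
import copy

def apply_changes(rows, changes):
    """Apply key -> record pairs to rows; a None record deletes the key."""
    for key, record in changes.items():
        if record is None:
            rows.pop(key, None)
        else:
            rows[key] = record

class ToyDB:
    def __init__(self):
        self.rows = {}      # key -> record (constructed sample data)
        self.journal = []   # (key, record) writes since the last backup

    def write(self, key, record):  # record=None deletes the row
        apply_changes(self.rows, {key: record})
        self.journal.append((key, record))

    def full_backup(self):
        """Copy every row; starts a new backup chain."""
        self.journal.clear()
        return {"kind": "full", "rows": copy.deepcopy(self.rows)}

    def incremental_backup(self):
        """Copy only rows written since the previous backup; None marks a delete."""
        changes = copy.deepcopy(dict(self.journal))  # last write per key wins
        self.journal.clear()
        return {"kind": "incremental", "changes": changes}

def restore(backups, journal=()):
    """Restore/rerun: the full backup, each incremental in order, then the journal."""
    if not backups or backups[0]["kind"] != "full":
        raise ValueError("backup chain must start with a full backup")
    rows = copy.deepcopy(backups[0]["rows"])
    for b in backups[1:]:
        apply_changes(rows, b["changes"])
    for key, record in journal:   # rerun writes made after the last backup
        apply_changes(rows, {key: record})
    return rows

def demo_scenario():
    db = ToyDB()  # constructed run: full backup, two incrementals, one unbacked write
    db.write("o1", {"total": 10}); db.write("o2", {"total": 20})
    backups = [db.full_backup()]
    db.write("o2", {"total": 25}); db.write("o3", {"total": 30})
    backups.append(db.incremental_backup())
    db.write("o1", None); backups.append(db.incremental_backup())
    db.write("o4", {"total": 40})
    return db, backups
```

Restoring without the journal loses the last write; the rerun step is what recovers it, and its cost grows with every transaction made since the last backup.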

26 Database Backup & Recovery

27 Disaster Recovery
“The best way of crisis management is preparation” (Mitroff, 2005)
Have a clear plan that can be implemented in case of disaster.
 Establish secure back-up center at an off-site location.
 Schedule periodic back-ups at that location.
 Establish recovery team and procedures.

28 Cost of Downtime
Estimated cost of downtime by Availability
Estimated cost of downtime by type of business

29 Next…
Discuss some of the articles related to data security implementation in organizations…
Emphasis is on how the implementation of security controls is managed in organizations.

