
Data security controls

Logical assets such as data, which exist in an intangible form, need different levels of protection depending on the state they are in (at rest, in transit, or in use). Data protection requirements are derived from the classification of the information assets and from CIA requirements such as legal, regulatory, and privacy compliance.

Data security requirements

In the past decade, data in corporations has been growing exponentially. Some studies indicate that the compounded annual growth rate (CAGR) of data is 70% or above. In addition, an organization has to comply with various requirements during its operations. Compliance requirements pertaining to data security are based on the CIA requirements and the privacy of data. Some of the following compliance requirements may be applicable to corporations.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is a standard that pertains to payment card-related security requirements. The PCI Security Standards Council is an open global forum that develops and maintains this standard. Any entity that is involved in the payment card processing chain needs to comply with the safeguards of this standard. There are six core objectives in this standard:

  • Network security has to be robust. Hence, an entity has to implement and maintain a secure network and systems.
  • Cardholder data has to be protected from fraudulent transactions.
  • A vulnerability management program has to be maintained by the entity.
  • Access control measures have to be strong.
  • The monitoring and testing of networks has to be performed regularly.
  • A formally maintained information security policy is mandatory.

Sarbanes-Oxley Act (SOX)

This is the US federal law that mandates various administrative controls pertaining to the financial reporting of publicly traded companies in the United States. From an information security perspective, this law mandates the demonstration of internal controls over financial reporting systems. One of the key objectives of this act is to enforce segregation of duties to reduce the chances of committing financial fraud.

Note

Segregation of duties, or separation of duties, is a security control measure that ensures mutually exclusive roles are not assigned to a single user concurrently. In other words, if two roles are required to complete a job function and one of those roles acts as a security check on the other, then the two roles are mutually exclusive. Examples of such role pairs include system administrator versus security administrator, check signatory versus check approver, accounts receivable versus accounts payable, and so on.
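The note above describes segregation of duties as a rule over role pairs. The following added example (not code from the book) turns the note's example pairs into a small conflict matrix and shows both a detective check, which finds users already holding both roles of a pair, and a preventive check, which refuses a grant that would create a conflict. Role names, user names, and assignments are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the book: models the note's mutually exclusive
role pairs and flags users who hold both roles of any pair. The users,
roles and assignments below are constructed sample data."""

# Mutually exclusive role pairs taken from the note (constructed identifiers).
SOD_MATRIX = {
    frozenset({"system_admin", "security_admin"}),
    frozenset({"check_signatory", "check_approver"}),
    frozenset({"accounts_receivable", "accounts_payable"}),
}

# Constructed sample assignments: user -> set of roles currently held.
ASSIGNMENTS = {
    "alice": {"system_admin", "security_admin"},                          # conflict
    "bob": {"accounts_receivable", "helpdesk"},                            # clean
    "carol": {"check_signatory", "check_approver", "accounts_payable"},   # conflict
}


def find_conflicts(assignments, sod_matrix=SOD_MATRIX):
    """Detective control: return {user: [conflicting pairs]} for every user
    who concurrently holds both roles of a mutually exclusive pair."""
    conflicts = {}
    for user, roles in assignments.items():
        # A pair is violated when it is a subset of the user's role set.
        hits = [tuple(sorted(pair)) for pair in sod_matrix if pair <= roles]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def can_assign(user, new_role, assignments, sod_matrix=SOD_MATRIX):
    """Preventive control: True only if granting new_role to user would not
    combine it with any role that the SoD matrix declares incompatible."""
    held = assignments.get(user, set())
    blocked = {r for pair in sod_matrix if new_role in pair
               for r in pair if r != new_role}
    return not (held & blocked)


if __name__ == "__main__":
    for user, pairs in find_conflicts(ASSIGNMENTS).items():
        print(f"SoD violation: {user} holds {pairs}")
    # bob already has accounts_receivable, so accounts_payable must be refused.
    print(can_assign("bob", "accounts_payable", ASSIGNMENTS))  # False
```

In practice the matrix would be loaded from the organization's role model and the check run both at provisioning time and as a periodic access review.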

Gramm-Leach-Bliley Act (GLBA)

This act in the United States mandates privacy rules for financial institutions, their customers, and the customers' privacy rights. Various security safeguards are advised in its Safeguards Rule. As per this act, developing an information security plan and protecting a client's nonpublic information are mandatory.

EU Data Protection Act (DPA)

This act applies to the countries of the European Union, and its primary focus is data protection pertaining to the privacy of client data.

In a nutshell, corporations are challenged by the explosive growth of data, by an increasing number of regulations to protect that data, and by the many channels of information exchange through which data can be compromised. Hence, appropriate strategies are required for Data Loss Prevention.
