Chapter 7 Data Security


CDMP Study Group

SESSION 5 – DATA SECURITY


May 13, 2020
Laura Sebastian-Coleman, Ph.D., CDMP
Advisor to the DAMA New England BOD
Email: advisor@damanewengland.org
AGENDA
• Facilitator Introduction
• Introductory Note
• Chapter 7: Data Security
• Thinking about Chapter 7
• Overview of chapter
• Sample questions (not real ones, just ones I would ask)
• Q&A
• Next Session

New England Data Management Community


Facilitator
Laura Sebastian-Coleman, Ph.D., CDMP
• DQ Lead, Finance DG COE, Aetna/CVS Health
• DAMA New England Board Advisor
• Production Editor, DMBOK2
• Author:
  • Navigating the Labyrinth
  • Measuring Data Quality for Ongoing Improvement

CONTACT INFO:
EMAIL: advisor@damanewengland.org
PHONE: 860-983-0399

New England Data Management Community


INTRODUCTORY NOTE

This study group is offered as a service of DAMA New England for DAMA New England
members. It is not an official, DAMA International authorized training course, because DAMA-I has
not yet created an authorized trainer program.

The purpose of this group is to help prepare members to take the CDMP. We will do so by
reviewing the content of chapters of the DMBOK2.

DAMA New England makes no claims for the effectiveness of the sessions or the ability of
participants to pass the CDMP exam after having attended. In fact, you should plan on doing a
lot of individual study to pass the exam.

All tables and images, unless otherwise noted, are copyrighted by DAMA or based on DAMA-
DMBOK2 tables and images.

New England Data Management Community


Thinking about Chapter 7: Data Security
• Chapter contains a densely packed, specialized vocabulary:
• Will not review the vocabulary separately
• Learn it by going through the other materials
• Come back to the vocabulary through sample questions
• Approach:
• Data Security definition, stakeholders, goals, drivers, and
principles
• Activities
• Tools
• What I won’t cover:
• Details about regulations. You should study these. They are
important and described in several chapters in the
DMBOK2.
• Before we start:
• What I like about this chapter
• How I would study

New England Data Management Community


Chapter 7: Data Security Definition & Goals
Data Security ensures that data privacy and confidentiality are maintained, that data is not breached,
and that data is accessed appropriately.
Data Security includes the planning, development, and execution
of security policies and procedures to provide proper
authentication, authorization, access, and auditing of data and
information assets.

Goals of Data Security:

• Enable appropriate access to enterprise data assets
• Prevent inappropriate access to enterprise data assets
• Understand and comply with relevant regulations and policies
for privacy, protection, and confidentiality.
• Ensure that the privacy and confidentiality needs of all
stakeholders are enforced and audited.

New England Data Management Community


Chapter 7: Data Security Goals & Stakeholders
Common Goal for data security across industries:
To protect information assets in alignment with privacy and confidentiality regulations, contractual
agreements, and business requirements.

Specific requirements come from
• Stakeholders
• Regulations
• Business concerns
• Access needs
• Contractual obligations

Secure data is in the best interests of all stakeholders.

Study this diagram, and you will know a lot about data security.

Sources Of Data Security Requirements (diagram, © DAMA International, 2017):

STAKEHOLDER CONCERNS
• Privacy and confidentiality of client information
• Trade secrets
• Business partner activity
• Mergers and acquisitions
• And more …

GOVERNMENT REGULATION
• Regulations may restrict access to information
• Acts to ensure openness and accountability
• Provision of subject access rights

NECESSARY BUSINESS ACCESS NEEDS
• Data security must be appropriate
• Data security must not be too onerous to prevent users from doing their jobs
• Goldilocks principle

LEGITIMATE BUSINESS CONCERNS
• Trade secrets
• Research & other IP
• Knowledge of customer needs
• Business partner relationships and impending deals

New England Data Management Community


Chapter 7: Data Security Business Drivers
Risk Reduction
• Legal and moral responsibility to stakeholders
• Potential reputational impact of breaches
• Activities include
  • Locate and classify data
  • Understand how data is used
  • Assess threats
  • Take an enterprise approach

Business Growth / Competitive advantage
• Security enables transactions and builds customer confidence
• Security-related Metadata as a strategic asset
• Increases the quality of transactions, reporting, and business analysis
• Reduces the cost of protection and associated risks that lost or stolen information cause

New England Data Management Community


Chapter 7: Data Security Principles
• Collaboration: IT security administrators, data stewards/data governance,
internal and external audit teams, and the legal department.
• Enterprise approach: Apply standards and policies consistently across the
entire organization.
• Proactive management: Engage all stakeholders, manage change, and
overcome organizational bottlenecks such as traditional separation of
responsibilities between information security, information technology, data
administration, and business stakeholders.
• Clear accountability: Define roles and responsibilities, including the ‘chain of
custody’ for data across organizations and roles.
• Metadata-driven: Security classification for data elements is an essential
part of data definitions.
• Reduce risk by reducing exposure: Minimize sensitive/confidential data
proliferation, especially to non-production environments.

New England Data Management Community


Chapter 7: Data Security Activities
• Identify relevant security requirements:
  • Business requirements to meet mission
  • Industry specific regulation
  • Know how regulation impacts your business
• Define data security policies:
  • Describe behaviors your organization needs to adopt to protect its data.
  • Policies must be auditable and audited.
  • Policies have legal implications.
  • Policies at different levels (Enterprise, IT, Data) cover different facets of security
• Define data security standards:
  • Standards supplement policies with detail on how to meet the intention of the policies. For example:
    • Data confidentiality levels
    • Data regulatory categories
    • Security roles
• Assess current security risks:
  • Sensitivity of the data stored or in transit
  • Requirements to protect that data
  • Existing security controls
• Implement controls and procedures
  • How users gain and lose access to systems and/or applications
  • How users are assigned to and removed from roles
  • How privilege levels are monitored
  • How requests for access changes are handled and monitored
  • How data is classified according to confidentiality and applicable regulations
  • How data breaches are handled once detected
• Manage and Maintain Security
  • See next slide

New England Data Management Community


Chapter 7: Data Security Activities
Manage and Maintain Security

Activity cycle (diagram): Identify relevant security requirements; Define data security policies;
Define data security standards; Assess current security risks; Implement controls and procedures;
Manage and Maintain Security. Managing security includes actively revisiting each activity.

• Manage and Maintain Security
  • Ensure that security breaches do not occur
  • Detect them as soon as possible
  • Monitor systems
  • Audit compliance with policies and standards
• Control Data Availability / Data-centric Security
  • Manage entitlements
  • Ensure technical controls are used
• Monitor User Authentication and Access Behavior
  • Know who is accessing which data assets
  • Automate. Lack of automation = RISK
• Manage Security Policy Compliance:
  • Manage regulatory compliance – Compliance must be measurable and auditable
• Audit Data Security and Compliance Activities
  • Audits must be independent
  • Audits are not fault-finding missions
New England Data Management Community
Chapter 7: Data Security Tools, Techniques, Metrics
TOOLS
• Anti-Virus Software / Security Software
• HTTPS
• Identity Management Technology
• Intrusion Detection and Prevention Software
• Firewalls (Prevention)
• Metadata Tracking
• Masking / Encryption: Hash, Private-Key, Public-Key, Masking

TECHNIQUES
• CRUD Matrix Usage
• Immediate Security Patch Deployment
• Data Security Attributes in Metadata

METRICS
• Security Implementation: employees who have scored more than 80% on annual security practices
quiz; percent of business units with formal risk assessment analysis
• Security Awareness: Risk assessment profiles, surveys and interviews
• Data Protection Metrics: Vulnerability assessments, threat assessments
• Security Incident Metrics: Intrusion attempts detected, cost savings for prevented intrusions
• Confidential Data Proliferation: Number of copies of sensitive data

New England Data Management Community
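The Masking / Encryption tool on the slide above, tied to the "Confidential Data Proliferation" metric and to the principle of reducing risk by reducing exposure to non-production environments, as an added example. This is not code from the slides or from the DMBOK2; the field names, the per-field policy, the sample record and the masking key are constructed for illustration, and in practice the policy would come from the data security attributes recorded in Metadata for each element.

```python
"""Mask a production record before it is copied to a non-production environment.
Added example; the field policy, sample record and key below are constructed."""
import hashlib
import hmac
import re

# Per-field masking rule. In practice these come from the data security
# attributes recorded in Metadata for each data element (constructed here).
FIELD_POLICY = {
    "member_id": "hash",       # keyed hash: joins still work across tables, value not recoverable
    "email": "hash",
    "card_number": "partial",  # keep only the last four digits
    "diagnosis": "redact",     # PHI: not copied at all
    "plan_name": "keep",       # general-audience data, copied as is
}

# Placeholder key for the keyed hash. A real deployment keeps it in a secrets
# store and never ships it with the masked copy.
MASKING_KEY = b"placeholder-masking-key-do-not-use"


def keyed_hash(value: str) -> str:
    """HMAC-SHA256 rather than a bare SHA-256: a bare hash of a low-entropy
    value (member ids, emails) can be reversed by hashing every candidate."""
    return hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def partial_mask(value: str, keep: int = 4) -> str:
    """Replace every digit except the last `keep` with '*'; non-digits are dropped."""
    digits = re.sub(r"\D", "", value)
    if len(digits) <= keep:
        return "*" * len(digits)
    return "*" * (len(digits) - keep) + digits[-keep:]


def mask_record(record: dict) -> dict:
    """Apply FIELD_POLICY to one record. Fails closed: a field with no policy
    (for example a column newly added in production) raises instead of leaking."""
    masked = {}
    for name, value in record.items():
        rule = FIELD_POLICY.get(name)
        if rule is None:
            raise ValueError(f"no masking policy for field {name!r}")
        if rule == "keep":
            masked[name] = value
        elif rule == "hash":
            masked[name] = keyed_hash(str(value))
        elif rule == "partial":
            masked[name] = partial_mask(str(value))
        elif rule == "redact":
            continue  # field is dropped from the non-production copy
        else:
            raise ValueError(f"unknown masking rule {rule!r} for field {name!r}")
    return masked


def mask_extract(records: list) -> list:
    """Mask a whole extract; one field without a policy aborts the copy."""
    return [mask_record(r) for r in records]


# Constructed sample record, the kind of row a test environment would request.
SAMPLE_RECORD = {
    "member_id": "M1001",
    "email": "jane.doe@example.com",
    "card_number": "4111 1111 1111 1234",
    "diagnosis": "constructed PHI value",
    "plan_name": "Gold",
}

if __name__ == "__main__":
    print(mask_extract([SAMPLE_RECORD]))
```

The keyed hash keeps the masked copy usable for testing (the same member id masks to the same value in every table) without letting the test environment recover the original, and the fail-closed policy lookup means every new sensitive column has to be classified before it can proliferate into non-production.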


Chapter 7: Learning the Lingo
TERM / DEFINITION / EXAMPLE

Vulnerability: a weakness or defect in a system that allows it to be successfully attacked and
compromised. Examples: out-of-date security patches, untrained employees.

Threat: a potential offensive action; internal or external, not always malicious. Examples: untrained
employees, virus-infected email.

Risk: the possibility of loss, and also the thing or condition that poses the potential loss.
Examples: a threat or a vulnerability.

New England Data Management Community


Chapter 7: Prep Questions
Which of the following does NOT contribute to risk reduction?
A. Identify how sensitive data is used in business processes
B. Locate sensitive data assets in the organization
C. Establish default passwords
D. Determine how each asset should be protected
E. Identify and classify sensitive data assets
Note: Having default passwords creates system risk. P 241

Risks related to each threat can be calculated based on
A. The likelihood of their occurrence
B. The amount of damage each occurrence might cause
C. Their effects on business operations
D. The cost to prevent them
E. All of the above
Note: All of these can help you calculate risk. P. 223

New England Data Management Community


Chapter 7: Learning the Lingo
TERM / CLASSIFICATION SCHEMA / CLASSIFICATION LOGIC

Risk Classifications
  Schema: Critical Risk Data; High Risk Data; Moderate Risk Data
  Logic: Based on how actively sought after the data may be; potential for financial gain

Regulatory Classifications
  Schema: Personal Identification Info (PII); Financially Sensitive Data; Medically Sensitive Data (PHI);
  Educational Records; Credit Card Data, Trade Secrets, Contractual Restrictions
  Logic: Allowed-to-know: The ways in which data can be shared are governed by the details of the
  regulation.

Confidentiality Classifications
  Schema: General audience; Internal use; Confidential; Restricted Confidential; Registered Confidential
  Logic: Need-to-know: Levels of confidentiality depend on who needs to know certain kinds of
  information.

New England Data Management Community
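The CRUD Matrix and "Data Security Attributes in Metadata" techniques from the tools slide, the "Manage entitlements" and "Know who is accessing which data assets" activities, and the confidentiality classifications in the table above, brought together in one added example. This is not code from the slides or from the DMBOK2; the roles, data elements, CRUD matrix and role clearances are constructed for illustration.

```python
"""Metadata-driven entitlement check: a CRUD matrix combined with the
confidentiality classification stored in each data element's definition.
Added example; roles, elements, matrix and clearances are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Need-to-know ladder from the confidentiality classification schema, least to
# most restrictive.
CONFIDENTIALITY_LEVELS = [
    "General audience",
    "Internal use",
    "Confidential",
    "Restricted Confidential",
    "Registered Confidential",
]
LEVEL_RANK = {name: rank for rank, name in enumerate(CONFIDENTIALITY_LEVELS)}


@dataclass(frozen=True)
class DataElement:
    name: str
    confidentiality: str                 # the security classification is part of the definition
    regulatory: frozenset = frozenset()  # regulatory classifications, e.g. {"PII"}


# Constructed data dictionary: every element carries its classification.
DATA_DICTIONARY = {
    "product_catalog": DataElement("product_catalog", "General audience"),
    "employee_email": DataElement("employee_email", "Internal use", frozenset({"PII"})),
    "member_diagnosis": DataElement("member_diagnosis", "Registered Confidential", frozenset({"PHI"})),
}

# Constructed CRUD matrix: role -> element -> permitted operations (C, R, U, D).
CRUD_MATRIX = {
    "marketing_analyst": {"product_catalog": "CRUD", "employee_email": "R"},
    "claims_nurse": {"product_catalog": "R", "member_diagnosis": "RU"},
}

# Highest confidentiality level each role is cleared for (constructed).
ROLE_CLEARANCE = {
    "marketing_analyst": "Internal use",
    "claims_nurse": "Registered Confidential",
}


@dataclass
class AuditLog:
    """Every access decision, permitted or denied, is recorded so that
    'who is accessing which data assets' can be answered from the log."""
    entries: list = field(default_factory=list)

    def record(self, role, element, op, allowed, reason):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "role": role, "element": element, "op": op,
            "allowed": allowed, "reason": reason,
        })

    def denials_by_role(self) -> dict:
        """Count denied requests per role; a spike is a monitoring signal."""
        counts = {}
        for e in self.entries:
            if not e["allowed"]:
                counts[e["role"]] = counts.get(e["role"], 0) + 1
        return counts


def check_access(role: str, element_name: str, op: str, log: AuditLog) -> bool:
    """Return True only if the element is classified, the role's clearance
    covers that classification, and the CRUD matrix grants the operation."""
    element = DATA_DICTIONARY.get(element_name)
    if element is None:
        # Unclassified data fails closed: no classification, no access.
        log.record(role, element_name, op, False, "element not in data dictionary")
        return False
    clearance = ROLE_CLEARANCE.get(role, "General audience")
    if LEVEL_RANK[element.confidentiality] > LEVEL_RANK[clearance]:
        log.record(role, element_name, op, False,
                   f"clearance {clearance!r} below classification {element.confidentiality!r}")
        return False
    if op not in CRUD_MATRIX.get(role, {}).get(element_name, ""):
        log.record(role, element_name, op, False, "operation not granted in CRUD matrix")
        return False
    log.record(role, element_name, op, True, "granted")
    return True


if __name__ == "__main__":
    audit = AuditLog()
    check_access("claims_nurse", "member_diagnosis", "D", audit)
    check_access("marketing_analyst", "member_diagnosis", "R", audit)
    for entry in audit.entries:
        print(entry)
    print(audit.denials_by_role())
```

The three checks run in order from the data definition outward: an element with no classification is denied before any role is consulted, the need-to-know ceiling is enforced independently of the CRUD matrix, and only then does the matrix decide which operation the role may perform. Logging denials as well as grants is what makes the "monitor user authentication and access behavior" activity possible later.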


Chapter 7: Prep Questions
The Payment Card Industry Data Security Standard is an example of
A. A regulatory family
B. A contractual security standard
C. Financially sensitive data
D. An industry security standard
Note: See the list of industry or contract-based regulation, p. 237

The Four A’s include Access, Audit, Authentication, Authorization. They represent:
A. Ways to monitor security
B. Responsibilities of individual users
C. Security procedures and requirements classifications
D. Functions of a security organization
Note: For definitions of the Four A’s and an E, see p. 225

New England Data Management Community


Chapter 7: Learning the Lingo
TERM / DEFINITION / EXAMPLES

Malware: any malicious software created to damage, change, or improperly access a computer or
network. Examples: Virus, Trojan Horse, Adware, Worm.

Social Threat: communications designed to trick people who have access to protected data into
providing that information, or access to the data. Examples: Phishing, Social engineering.

Security System Risks: elements that can compromise a network or database, or allow legitimate
employees to misuse information, and enable malicious hacker success. Examples: Abuse or elevation
of privilege, Shared accounts, Platform intrusion, SQL Injection, Default passwords.

New England Data Management Community


Chapter 7: Prep Q
System Security Risks include all of the following, except:
A. Phishing
B. Abuse of privilege
C. Shared accounts
D. Platform intrusion
E. Hacking
Note on A: This is an example of a Social Threat p. 242

Security risks can be assessed based on:
A. How confidentiality levels, regulatory families, and industry needs are set
B. How users gain access to the system and how access is monitored
C. Existing security roles, hierarchies, and access rights
D. Data sensitivity, protection requirements, and current practices
Note: I got this wrong during the meeting! You guys were right. D is correct. p. 251

New England Data Management Community


Discussion / Q&A: How to study Data Security

New England Data Management Community


NEXT SESSION
Date Topic Facilitator
February 19th Chapter 1: Data Management Tony Mazzarella
March 4th Chapter 2: Data Handling Ethics Lynn Noel
March 18th Chapter 3: Data Governance Sandi Perillo-Simmons
April 1st Chapter 4: Data Architecture Laura Sebastian Coleman
April 15th Chapter 5: Data Modeling & Design Lynn Noel
April 29th Chapter 6: Data Storage & Operations Karen Sheridan
May 13th Chapter 7: Data Security Laura Sebastian-Coleman
May 27th Chapter 8: Data Integration & Interoperability Mary Early
June 10th Chapter 9: Document & Content Management Sandi Perillo-Simmons
June 24th Chapter 10: Reference & Master Data Mary Early
July 8th Chapter 11: Data Warehousing & Business Intelligence Tony Mazzarella
July 22nd Chapter 12: Metadata Management Karen Sheridan
August 5th Chapter 13: Data Quality Laura Sebastian-Coleman
August 19th Chapter 14: Big Data & Data Science Nupur Gandhi
September 2nd Chapter 15: Data Management Maturity Assessment Laura Sebastian-Coleman
September 16th Chapter 16: Data Management Organization & Role Expectations Agnes Vega
September 30th Chapter 17: Data Management & Organizational Change Management Tony Mazzarella
October 7th Final Review Tony Mazzarella

New England Data Management Community


HOMEWORK – Data Integration & Interoperability

What the heck is orchestration, and why is it so darned important?

New England Data Management Community
