IT and Finance: Implementing an Efficient Data Security Model
August 18, 2008
Prompted in part by the growing number of federal compliance regulations, enterprise finance departments are implementing better and more efficient solutions to improve overall data security. Ensuring that sensitive data is secure requires finance departments to work closely with IT departments to assess, prioritize, remediate and monitor database environments.
Financial databases contain sensitive information, including names, social security numbers and credit card information. This data is extremely attractive to hackers who systematically attempt to steal this information and exploit or sell the data. In response, it is critical that financial institutions ensure that the most up-to-date security measures are in place. These measures must include protection against external attacks, as well as protection against inside threats.
Technological changes within the workplace have created new entry points for attackers to infiltrate and steal data. The proliferation of data and the need for greater internal and external collaboration between partners and vendors requires third-party access to data. While this change has served to increase productivity, it has also increased database security risk. In addition to this new, expanded environment, hackers have grown more intelligent and sophisticated in their attack methodologies. As such, it is increasingly important for finance and IT departments to work together, maintain a regular dialogue, and deploy the most powerful tools for long-term and short-term protection.
Despite an increased adherence to compliance regulations, companies continue to lose data. Breaches are occurring in record numbers and at record costs. In 2007, there were 446 documented breaches, a significant increase from the 315 breaches recorded in 2006.[1] Recent estimates indicate that each breached file costs a company $197 in remediation costs, with an average total per-incident cost in 2007 of $6.3 million.[2] For financial institutions and finance departments, a large breach could be catastrophic.
To avoid these potentially damaging losses, finance departments need to be certain that IT departments are aware of their daily operations and implement database security solutions to ensure that databases are protected. These solutions must secure databases from internal and external threats, while also ensuring that regulatory compliance and audit requirements are met.
This can only be achieved by implementing solutions that address the complete database security lifecycle, combining database discovery, vulnerability assessment, activity monitoring, intrusion detection, auditing and compliance to ensure comprehensive database security.
To meet today’s threats, organizations need to align efforts with the appropriate IT controls and regulations. By implementing these controls, organizations can identify and correct security vulnerabilities before an incident occurs. This result is best achieved through a proactive approach to database security.
An effective security methodology begins by conducting a database discovery and vulnerability assessment to determine risk level. The preparation of reports based upon this data allows organizations to identify risk and plan remediation. Not all vulnerabilities can be immediately addressed, so during the interim period, organizations should deploy database monitoring and auditing facilities that not only monitor database activity, but also identify and alert in real-time as attacks or malicious insider activity occur. A number of solutions that incorporate security policy templates are available to simplify and speed this process.
Effective solutions must address the complete database vulnerability life cycle. A comprehensive approach incorporating the following components is recommended:
- Implement a distinct database vulnerability assessment, or extend existing vulnerability management programs to cover the database. Today's attacks demand extending best practices to include databases. This step is the ongoing process of discovery, assessment, hardening, activity monitoring and reporting.
- Utilize robust database access controls and policies. Adopt policies that deter or prevent unauthorized data access, and map them to specific regulations and guidelines, including PII protections, HIPAA, DISA STIG and NIST 800-53.
- Extend configuration control to the database. These principles enhance a defense-in-depth approach and protect against insider threat by proactively identifying unauthorized database alterations, reconfigurations and access control violations.
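The configuration-control step above is a baseline comparison: an approved record of settings, grants and schema objects is kept under change control, and a live snapshot is diffed against it so that reconfigurations, unapproved privileges and objects created outside change control surface as ranked findings. The following is an added example written for this article (not code from the original page or from any vendor product). The baseline format, the parameter names, the account names and the live snapshot are all constructed; a real deployment would populate the snapshot from the database's own catalog views.

```python
"""Configuration control for a database: compare a live snapshot against an
approved baseline and report unauthorized alterations.

Added example, not code from the original article or any vendor product. The
baseline format, setting names, grant lists and snapshot are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    category: str   # "setting", "grant" or "object"
    severity: str   # "critical", "high" or "medium"
    detail: str


# Approved baseline (constructed). Settings that weaken auditing or
# authentication are treated as critical so their drift is ranked first.
BASELINE = {
    "settings": {
        "audit_trail": "DB,EXTENDED",
        "remote_login_passwordfile": "NONE",
        "password_lock_time": "1",
        "failed_login_attempts": "5",
    },
    "grants": {
        "finance_reader": {"SELECT ON ledger", "SELECT ON invoices"},
        "dba1": {"DBA"},
    },
    "objects": {"ledger", "invoices", "customers", "audit_trail"},
}
CRITICAL_SETTINGS = {"audit_trail", "remote_login_passwordfile", "failed_login_attempts"}

# Live snapshot (constructed) with three kinds of drift: auditing switched
# off, privileges granted outside change control, and an unexpected table.
SNAPSHOT = {
    "settings": {
        "audit_trail": "NONE",
        "remote_login_passwordfile": "NONE",
        "password_lock_time": "1",
        "failed_login_attempts": "5",
    },
    "grants": {
        "finance_reader": {"SELECT ON ledger", "SELECT ON invoices", "SELECT ON customers"},
        "dba1": {"DBA"},
        "tmp_user": {"DBA"},
    },
    "objects": {"ledger", "invoices", "customers", "audit_trail", "customers_copy"},
}


def compare(baseline, snapshot):
    """Return findings for every difference between baseline and snapshot,
    ordered by severity, then category, then detail."""
    findings = []
    # Settings: any value differing from the baseline is a reconfiguration.
    for key, expected in baseline["settings"].items():
        actual = snapshot["settings"].get(key)
        if actual != expected:
            sev = "critical" if key in CRITICAL_SETTINGS else "medium"
            findings.append(Finding("setting", sev, f"{key}: expected {expected!r}, found {actual!r}"))
    # Grants present in the snapshot but not approved.
    for grantee, privs in snapshot["grants"].items():
        for p in sorted(privs - baseline["grants"].get(grantee, set())):
            sev = "critical" if p == "DBA" else "high"
            findings.append(Finding("grant", sev, f"{grantee}: unapproved {p}"))
    # Approved grants that have disappeared are also drift (possible lockout or tampering).
    for grantee, privs in baseline["grants"].items():
        for p in sorted(privs - snapshot["grants"].get(grantee, set())):
            findings.append(Finding("grant", "medium", f"{grantee}: approved {p} no longer present"))
    # Objects created or dropped outside change control.
    for obj in sorted(snapshot["objects"] - baseline["objects"]):
        findings.append(Finding("object", "high", f"unapproved object {obj}"))
    for obj in sorted(baseline["objects"] - snapshot["objects"]):
        findings.append(Finding("object", "critical", f"approved object {obj} missing"))
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.category, f.detail))


if __name__ == "__main__":
    for f in compare(BASELINE, SNAPSHOT):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

Because the baseline is itself a controlled artifact, any change to it goes through the same IT, security and compliance sign-off as a production change; the comparison run is what makes a silent reconfiguration visible between scheduled assessments.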
- Establish segregation of duties and strict control policies. Comprehensive role-based access controls restrict access and help prevent unauthorized modification, loss and disclosure. Roles should be defined internally and agreed to by IT, security and compliance departments.
- Protect the integrity of your systems and data against threats. Strong security policies must be enforced with strong monitoring technologies. Monitoring should not be limited to users, but should be based upon policies that define unauthorized and unusual activity types. By applying these monitoring policies, unauthorized activities of external and internal users (including administrators) can be identified and real-time alerts can be issued when violations or suspicious activity occurs.
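The monitoring point above, that policies should describe unauthorized and unusual activity types rather than enumerate users, is easiest to see in code. The following is an added example written for this article, not code from the original page or from any product it describes. It parses a small, constructed database audit log, evaluates each event against a handful of activity-type policies (bulk reads of sensitive columns, data changes outside business hours, tampering with the audit trail, privilege grants by non-DBA roles) and raises alerts; because the policies are about the activity, a DBA reading an entire sensitive column is caught just like an outsider. The log format, table names, thresholds and account names are all assumptions.

```python
"""Policy-based database activity monitoring over a constructed audit log.

Added example (not code from the original article or from any vendor product).
Each policy describes an unauthorized or unusual activity type rather than a
list of users, so administrators are subject to the same checks. The log
format, object names, thresholds and user names are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed audit log lines:
# "<timestamp> user=<name> role=<role> op=<SQL verb> obj=<table[.column]> rows=<n>"
SAMPLE_LOG = """\
2008-08-18T09:12:04 user=jsmith role=analyst op=SELECT obj=ledger rows=40
2008-08-18T09:15:30 user=dba1 role=dba op=SELECT obj=customers.ssn rows=120000
2008-08-18T02:41:10 user=svc_batch role=service op=UPDATE obj=payroll rows=3
2008-08-18T10:02:51 user=jsmith role=analyst op=DROP obj=audit_trail rows=0
2008-08-18T10:05:00 user=jsmith role=analyst op=GRANT obj=dba_role rows=0
2008-08-18T11:20:19 user=acct2 role=accounting op=SELECT obj=customers.ssn rows=5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"op=(?P<op>\S+) obj=(?P<obj>\S+) rows=(?P<rows>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    op: str
    obj: str
    rows: int


@dataclass(frozen=True)
class Alert:
    policy: str
    severity: str
    user: str
    detail: str


def parse_log(text):
    """Parse audit log text into Events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production monitor would count and report these
        events.append(Event(datetime.fromisoformat(m["ts"]), m["user"], m["role"],
                            m["op"], m["obj"], int(m["rows"])))
    return events


# Policy parameters (assumed values).
SENSITIVE_OBJECTS = {"customers.ssn", "customers.card"}
BULK_THRESHOLD = 1000
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59


def bulk_sensitive_read(e):
    return e.op == "SELECT" and e.obj in SENSITIVE_OBJECTS and e.rows >= BULK_THRESHOLD


def off_hours_change(e):
    return e.op in {"INSERT", "UPDATE", "DELETE"} and e.ts.hour not in BUSINESS_HOURS


def audit_tampering(e):
    return e.op in {"DROP", "DELETE", "TRUNCATE"} and e.obj == "audit_trail"


def grant_by_non_dba(e):
    return e.op == "GRANT" and e.role != "dba"


# (policy name, severity, predicate over one event)
POLICIES = [
    ("bulk-sensitive-read", "high", bulk_sensitive_read),
    ("off-hours-change", "medium", off_hours_change),
    ("audit-tampering", "critical", audit_tampering),
    ("grant-by-non-dba", "critical", grant_by_non_dba),
]


def evaluate(events, policies=POLICIES):
    """Run every policy over every event and return the alerts in log order."""
    alerts = []
    for e in events:
        for name, sev, pred in policies:
            if pred(e):
                alerts.append(Alert(name, sev, e.user,
                                    f"{e.op} {e.obj} rows={e.rows} at {e.ts.isoformat()}"))
    return alerts


def summarize(alerts):
    """Map each user to the list of policies they triggered."""
    per_user = defaultdict(list)
    for a in alerts:
        per_user[a.user].append(a.policy)
    return dict(per_user)


if __name__ == "__main__":
    for a in evaluate(parse_log(SAMPLE_LOG)):
        print(f"[{a.severity}] {a.policy}: {a.user} {a.detail}")
```

Adding a new activity type is a matter of adding a predicate to `POLICIES`; nothing about an individual user appears in the rules, which is what lets the same monitor cover administrators, service accounts and third-party access alike.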
[1] "ITRC Surveys & Studies, Identity Theft News," http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtm
[2] "Ponemon Study Shows Data Breach Costs Continue to Rise," http://www.pgp.com/newsroom/mediareleases/ponemon-us.html
About Tom Van Horn: Tom Van Horn is the director of product marketing for Application Security.