Data Security (DSC)

Security of data has become a key concern for organizations that rely on information technology to run their business transactions, and those transactions are increasingly data intensive. Each data item an organization collects, creates or gains access to carries the concerns of end customers, clients, partners and government bodies. Those concerns have driven the data protection regulations now emerging across geographies; the regulatory regime is becoming more active and stringent in stipulating requirements and in stating an organization's liability for failing to protect data. A governance structure is being laid down to assure end customers that the data collected and processed by businesses is secured, and the instruments that have evolved under it have provisions to intervene in how businesses conduct data transactions.

At the same time, the business value of the data an organization collects is rising sharply, which makes organizations more vigilant about its security. Security threats are becoming more organized and targeted and profit directly from data compromises, so they increasingly concentrate at the data layer. Data is thus the focal point of regulatory initiatives, of organizational strategy and of threats seeking higher pay-offs, and its security is emerging as the end goal of an organization's security and privacy initiatives. An organization's IT initiatives need to incorporate the principles of data security, and the initiatives under each security discipline need to be aligned to that end goal.

DSCI believes that an organization should build a sense of its data into its security and privacy initiatives. Each data item is both a source of empowerment and a source of concern for the organization. DSCI therefore organizes Data Security (DSC) as a discipline that gives specific and granular focus to each data item an organization creates, processes or gains access to.

  • Create an inventory of data items that are being transacted for each business process, relationship and function
  • Evaluate the process of data identification in the organization
  • Identify the characteristics of each data item for each business process, relationship and function. Some useful characteristics of a data item are:
  • Identify the information systems, and their details, involved in executing data transactions for each business process, relationship and function.
  • Identify the data access points, access patterns and operations performed on the data for each business process, relationship and function
  • Evaluate the operations performed on data for each business process, relationship and function. The operations performed on data could be: data reception, transmission, processing, storage and archival
  • Identify the compliance requirements that an organization is subjected to and map them to the associated data items for each business process, relationship and function.
  • Evaluate the liabilities associated with each data item. The liability associated with a data item can be derived from variables such as the fines or penalties stipulated by the applicable regulation, variations in the applicability of those fines, and liability clauses in the contract terms.
  • Evaluate the sensitivity of data items based on the business criticality, value of IPR, compliance requirements, liability in case of data breach and the obligation towards data subject or owner
  • Identify the security requirements associated with each data item. These requirements are stipulated by an organization’s policy, client contracts, regulatory norms and by the end customers
  • Evaluate ownership patterns for data security. As increasing liability is associated with security of data, ownership for data security plays an important role in governing data security initiatives.
  • For each business process, relationship and function, identify the components of the underlying IT infrastructure that participate in data transmission, processing, storage, archival and disposal
  • For each business process, relationship and function, create an inventory of controls that are applied to secure the data items
  • Evaluate how the security issues are tracked throughout the data life cycle:
  • Evaluate how the underlying infrastructure is managed
  • Evaluate how changes to data access, access points, underlying infrastructure, applicable compliance and security requirements are managed for each business process, relationship and function
  • Identify the solutions and countermeasures deployed for data security
  • Evaluate the architectural positioning of an organization’s infrastructure for data security
  • Evaluate the scope and extent of data security initiatives.
  • A strategic roadmap for data security can be created after considering the options that are emerging in this field.
  • Create visibility for the central security function over the data that is being gathered, received, accessed, processed, transferred and archived in the organization. Identify the elements responsible for generating, bringing in and providing access to data
  • Ensure that data classification guidelines are defined and established in the organization. The data classification should reflect all contexts of the organization
  • Ensure that the organization’s units and functions strictly follow the data classification guidelines in the operational life cycle.
  • Ensure that there exists a process that continuously searches for data items the organization is creating, gathering or getting access to, and assess that process for its effectiveness
  • Ensure that there exists a mechanism that tracks the compliance requirements associated with each data type
  • Ensure that the context of compliance is developed when data is being transacted. This can be achieved by:
  • Ensure that there exists an understanding of the liability exposure for breach of data or inability to demonstrate due diligence.
  • Ensure that the business heads, support functions and executive management are aware of the key compliance requirements with respect to the processes, relationships and functions under their respective supervision
  • Ensure that the organization has complete information associated with each data item, which is critical from the perspective of data security.
  • Ensure that business process, relationship and function owners share the responsibility for security of data in their respective processes, relationships and functions. The factual information described above should help obtain sign-off from those owners
  • Ensure that any significant change in the information associated with a data item that is capable of impacting its security posture undergoes a change management process
  • Ensure that there exists a mechanism that derives the criticality of each business process, relationship and function from a data security perspective. Parameters such as the criticality of the business process, issues at data access points, the security strength of the underlying infrastructure and the likelihood of data leakage can help establish the criticality of each element
  • For each business process, relationship and function, identify and create an inventory of the deployed controls. This should help demonstrate due diligence in case of a data breach or compliance audit
  • Ensure that there exists a mechanism that tests the effectiveness of the controls against the perennial and evolving security threats.
  • For each business process, relationship and function, ensure that the issues that impact the security posture of data are tracked for remediation, management reporting and overall governance of data security
  • Ensure that the organization has a complete understanding of possible data leakage scenarios. An inventory of such scenarios helps the organization in concentrating its efforts to avoid any data leakages
  • Ensure that there exists a mechanism to manage the security threats to all participatory and underlying elements —network, server systems, endpoints, applications, databases, etc. — that have the potential to compromise the security of data
  • Ensure that the security incidents that can lead to a breach are managed effectively.
  • Ensure that the organization possesses forensics capability, either in-house or sourced, to investigate data security breaches
  • Ensure that HR and legal functions are involved in the data security initiatives.
  • Ensure that access to data is tracked, to establish accountability for securing data throughout its life cycle.
  • Ensure that the scope of data security program is extended to cover all business processes, relationships and functions. The scope can further be extended to:
  • Ensure that data security is considered while architecting the IT solutions or applications
  • Ensure that data security principles are incorporated in physical and personnel security measures. Physical security offers an important layer of protection by restricting physical access to data, while personnel security provides assurance over the people accessing the data
  • Ensure that there exists a mechanism to measure the performance of data security initiatives. The following steps may help set up such a mechanism:
  • Ensure that a significant level of collaboration exists between businesses, relationships, IT, security, HR, legal, compliance, and third party vendors for ensuring the security of data transacted between these entities
  • Comprehensiveness and dynamism of visibility over the data reflects the ability of central security function to have complete and current information on the data that is being gathered, received, accessed, transferred and stored
  • Accountability and ownership structure for data security reflects the distribution of accountability within the organization as well as outside the organization to include the entities that are a part of data transaction
  • Focus on specifics and granularity of the data security risks reflects the ability of data security program to identify specific and granular level of risks
  • Coverage and extent of the data security program reflects its ability to extend its scope to cover all the entities and type of assets that are critical from data security perspective
  • Integration of data centric approach in the operational life cycle reflects how well the data security program penetrates into an organization’s operations
  • Architectural alignment for data security reflects the ability of IT infrastructure and enterprise applications to address data security requirements in a structured manner
  • Responsiveness to the new issues or threats that can lead to compromise of data reflects how dynamic the data security program is in its management of security threats
  • Compliance intelligence and compliance context for data operations reflects how the compliance related information is tracked and managed to bring the sensitivity towards compliance while the data is being transacted
  • Swiftness to manage the data breaches reflects how quickly an organization can respond to data breaches in a manner that satisfies regulatory requirements for a data breach
  • Management of information pertaining to data security reflects how well the information related to data security is managed in the operating environment
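
As an added example (not part of the DSCI framework text) of how the inventory and evaluation steps above can be made operational: the Python record below captures, for each data item, the business process, systems, operations, access points, compliance requirements, controls and owner that the discipline asks for; derives a sensitivity score from the factors it names (business criticality, IPR value, compliance requirements, liability, obligation towards the data subject); and flags governance gaps such as a missing owner, an operation with no covering control, a regulated item with no inventoried control, or retained data with no disposal step. The field set, the scoring weights and the sample inventory are assumptions constructed for illustration, not DSCI guidance.

```python
"""Data-item inventory with governance gap checks and sensitivity ranking.

Added example, not DSCI's own tooling. Fields follow the inventory steps of
the DSC discipline; the weights and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Operations the framework names across the data life cycle.
OPERATIONS = {"reception", "transmission", "processing",
              "storage", "archival", "disposal"}

# Assumed weights for the sensitivity factors; tune to your risk appetite.
WEIGHTS = {
    "business_criticality": 2.0,
    "ipr_value": 1.5,
    "compliance": 2.0,
    "liability": 2.0,
    "subject_obligation": 1.5,
}


@dataclass
class DataItem:
    name: str
    process: str                  # business process, relationship or function
    systems: list                 # information systems executing the transaction
    operations: set               # subset of OPERATIONS performed on the item
    access_points: list           # where and how the item is accessed
    compliance: list              # regulations / contract clauses that apply
    controls: dict                # control name -> operations it protects
    owner: Optional[str] = None   # accountable business owner
    business_criticality: int = 0 # 0 (none) .. 3 (critical), set by the business
    ipr_value: int = 0            # 0..3
    liability: int = 0            # 0..3, from fines and contract liability clauses
    subject_obligation: int = 0   # 0..3, duty owed to the data subject


def sensitivity(item: DataItem) -> float:
    """Weighted sensitivity score; number of applicable regimes is capped at 3."""
    factors = {
        "business_criticality": item.business_criticality,
        "ipr_value": item.ipr_value,
        "compliance": min(len(item.compliance), 3),
        "liability": item.liability,
        "subject_obligation": item.subject_obligation,
    }
    return round(sum(WEIGHTS[k] * v for k, v in factors.items()), 1)


def gaps(item: DataItem) -> list:
    """Governance gaps that would fail a due-diligence check for this item."""
    issues = []
    if not item.owner:
        issues.append("no owner")
    unknown = item.operations - OPERATIONS
    if unknown:
        issues.append("unknown operations: " + ", ".join(sorted(unknown)))
    covered = set()
    for ops in item.controls.values():
        covered.update(ops)
    uncovered = item.operations - covered
    if uncovered:
        issues.append("operations without a control: " + ", ".join(sorted(uncovered)))
    if item.compliance and not item.controls:
        issues.append("regulated item with no controls inventoried")
    if item.operations & {"storage", "archival"} and "disposal" not in item.operations:
        issues.append("retained without a disposal operation")
    return issues


def rank(inventory: list) -> list:
    """Items ordered from most to least sensitive, for prioritising effort."""
    return sorted(inventory, key=sensitivity, reverse=True)


# Constructed sample inventory (illustrative; not real systems or processes).
SAMPLE_INVENTORY = [
    DataItem("customer_card_pan", "online payments",
             systems=["payment-gateway", "orders-db"],
             operations={"reception", "transmission", "processing", "storage"},
             access_points=["checkout API", "ops console"],
             compliance=["PCI DSS", "acquirer contract"],
             controls={"TLS": ["reception", "transmission"],
                       "tokenization": ["processing", "storage"]},
             owner="Head of Payments",
             business_criticality=3, liability=3, subject_obligation=2),
    DataItem("employee_health_records", "HR benefits",
             systems=["hris"],
             operations={"reception", "storage", "archival", "disposal"},
             access_points=["HR portal"],
             compliance=["local data protection law"],
             controls={},                       # nothing inventoried yet
             business_criticality=1, liability=2, subject_obligation=3),
    DataItem("marketing_blog_drafts", "marketing",
             systems=["cms"],
             operations={"processing", "storage"},
             access_points=["CMS"],
             compliance=[],
             controls={"cms-rbac": ["processing", "storage"]},
             owner="Marketing lead", ipr_value=1),
]


if __name__ == "__main__":
    for item in rank(SAMPLE_INVENTORY):
        print(f"{item.name:25} {item.process:16} score={sensitivity(item)}")
        for issue in gaps(item):
            print(f"    - {issue}")
```

Running the script prints the inventory ranked by sensitivity with each item's gaps beneath it; in the constructed sample the card data ranks highest but only lacks a disposal step, while the health records, although less sensitive, have no owner and no control covering any of their operations, which is the kind of ownership and coverage gap the practices above ask the organization to surface before a breach or audit does.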

DSCI Security Framework