Page 152 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
Information Security and Privacy
Caution: No matter how much care is taken to assure security at the database level, trouble
can still be introduced from a variety of other sources.
Example: Once a hacker gets root access to a web server, it is frequently easy to gain access to
the database server, particularly when remote shell capability is enabled.
3. Web-based databases: Databases that are configured to permit external communications
from other web portals face an exceptional data security challenge. Hackers can continually
try to break into web portals, eventually locating a weakness in the Net Services architecture.
Self Assessment
Fill in the blanks:
10. ........................ entry points comprise web servers, VPN access, app server access and access
to databases through web portal protocols.
11. The current publicity regarding security holes in enterprise security underscores the
........................ .
12. No matter how much care is taken to assure ........................ at the database level, trouble
can still be introduced from a variety of other sources.
10.5 Database Security Policy
With all the government and industry regulations affecting almost every business, sooner or later
the time will come when you are effectively forced to put some information security policies
in place. You may already have the basic policies for passwords and data backups.
But there is more. So, if your organization is just now putting together its security policies, or you have
realized it may be time to update a few things, there are numerous database security-related
issues you will need to cover.
To be precise, in order to find out exactly which security policies are required, you need to
perform an information risk assessment. However, I understand that reality frequently dictates
otherwise. That said, I can think of few, if any, situations that would not need the following
database-related security policies at the very least:
1. Acceptable usage – what can and cannot be done on database servers, such as web browsing
and installing or disabling anti-malware and personal firewall protection, as well as the
installation of MSDE, SQL Server Express 2005, and other database software on non-server
systems.
2. Authentication controls – for databases as well as related applications and operating
systems, including password requirements, multi-factor authentication, etc.
3. Business associates – dealing with external contractors, auditors, hosting providers, etc.,
including contract provisions and service level agreements where applicable.
4. Business continuity – disaster recovery and/or business continuity plan requirements to
help keep your databases up and accessible.
5. Change management – documenting the who, why, when, how, and any related backout
procedures, etc.
6. Data backup – what, when, and methods used.
7. Data retention and destruction – what, why, methods used and timelines.
146 LOVELY PROFESSIONAL UNIVERSITY