Overview#
Data Protection is the Access Control applied to Data, and it relies on proper Data Classification.
Data Protection is part of Data Management, which includes:
- Data Access Governance (DAG)
- Access Control - which includes considerations for Digital Rights Management and Information Rights Management
- Data Loss Prevention (DLP)
- Disclosure-Alteration-Destruction
- Disaster Recovery
- Data Disposal
Some General Observations#
When technology allows anyone with a mobile Device to take a snapshot of a piece of paper or a computer screen, it must be assumed that if they can view it, they can capture it.
IDSA Integration Framework#
IDSA Integration Framework describes Data Protection as:
- Data Access Governance (DAG) - Discovers and protects data across the enterprise and manages the process by which users are granted access to that data.
- Enterprise Mobility Management (EMM) - Allows the registration of Mobile Devices so that they can safely leverage Single Sign-On (SSO) for access to cloud computing and Native applications. In addition, the chain of trust associated with a registered device exposes device attributes and compliance rules.
- Data Loss Prevention (DLP) - Prevents the distribution of sensitive data by using sufficient risk-based definitions to determine the appropriate level of assurance.
- Cloud Access Security Broker (CASB) - Uses deep analysis capabilities to provide Adaptive Risk analytics that identify compromised credentials and potential risks, which can then be used in authentication decisions.
Data Protection and Regulatory compliance#
Consider these extracts from various regulations, demonstrating the central theme of protecting identity-based information exchanges:
- "unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions…" (SOX, SAS 94).
- GDPR - "shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk Personal data…" (General Data Protection Regulation).
  - Article 32 - Security of processing, emphasizing Encryption and Pseudonymization
- "Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements," (SOX, Audit Std. No. 2).
More Information#
There might be more information for this subject on one of the following:
- Data Access Governance
- Data Classification
- Data Management
- Data Privacy
- Data Protection
- Disclosure-Alteration-Destruction
- General Data Protection Regulation
- IDSA Integration Framework
- Information Lifecycle Management
- Information Rights Management
- Real Risk
- The Next Big Thing
- Web Blog_blogentry_130518_1
- Zero Trust