Overview#

Data Protection is the Access Control applied to Data which relies on proper Data Classification

Data Protection is part of Data Management includes:

• Data Access Governance (DAG)
• Access Control - which includes considerations for Digital Rights Management and Information Rights Management
• Data Loss Prevention (DLP)
• Disclosure-Alteration-Destruction
• Disaster Recovery
• Data Disposal

Some General Observations#

When technology allows anyone with a mobile Device the ability to take a snapshot of a piece of paper or a computer screen, it seems it must be assumed if they can view it, they can capture it.

IDSA Integration Framework #

IDSA Integration Framework describes Data Protection as:

• Data Access Governance (DAG) - The discovery and Data Protection of data across the enterprise and manages the process of how users are granted access to this data
• Enterprise Mobility Management (EMM) - Allows the registration of Mobile Devices to safely leverage Single Sign-On (SSO) for access to cloud computing and Native applications. In addition, the chain of trust associated with a registered device exposes device attributes and compliance rules.
• Data Loss Prevention (DLP) - Prevention of the distribution of sensitive data by utilizing sufficient risk based definitions to determine the appropriate level of assurance.
• Cloud Access Security Broker (CASB) - Utilizes the deep analysis capabilities to provide Adaptive Risk analytics to identify compromised credentials and potential risks that can then be used in authentication decisions.

Data Protection and Regulatory compliance#

Consider these extracts from various regulations, demonstrating the central theme of protecting identity-based information exchanges:

• "unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions…" (SOX, SAS 94).
• GDPR - "shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk Personal data…" (General Data Protection Regulation ).
  • Article 32 - Security of processing emphasizing Encryption and Pseudonymization
• "Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements," (SOX, Audit Std. No. 2).

More Information#

There might be more information for this subject on one of the following:

• Data Access Governance
• Data Classification
• Data Management
• Data Privacy
• Data Protection
• Disclosure-Alteration-Destruction
• General Data Protection Regulation
• IDSA Integration Framework
• Information Lifecycle Management
• Information Rights Management
• Real Risk
• The Next Big Thing
• Zero Trust