You are to develop a database security policy for a small organization that collects and analyzes evaluation data for a variety of non-governmental organizations. The collected data includes both anonymous data and personally identifiable information such as names, dates of birth and social security numbers. Each employee is assigned to a certain number of evaluations. Employees access the data through desktop applications and/or intranet web applications while clients have restricted access to their data through another web application accessible through the Internet.
Guidelines
• A security policy describes what it means for an organization to be secure.
• A security policy is an agreed upon document that executive management uses to communicate its security goals and objectives. Thus, the language should be appropriate for all employees.
• A security policy generally stems from an asset inventory phase, in which the organization's assets are identified and evaluated, followed by a risk assessment phase, in which threats targeting those assets are evaluated. The security policy describes what the organization needs to secure, specifies the level of security that is needed and elaborates a strategy on how the assets will be protected.
• The goal of such a policy is generally to protect valuable and/or confidential information from unauthorized access, but also to limit legal liability and prevent waste or inappropriate use of organization resources. Phrases such as "must", "should", or "will" are used to establish baseline expectations for behavior by employees and to authorize audits and monitoring.
• The security policy is composed from high-level statements that describe a secure state for the organization assets. A security policy does not include best practices or recommendations, so details about how to implement the policy are typically included into supporting documents (standards and procedures)
• A security policy typically includes:
o Scope (1 paragraph)
o Goals (1 paragraph)
o Information classification (1-2 paragraphs)
o Actual requirements: as an itemized list. Specifically, database policy statements could address:
- Roles and responsibilities: Roles at the organization level could include application developer, database user, database administrator, database owner, application owner etc. Responsibilities should be designated.
- Database access types
- Authentication and authorization - a password policy should be defined or referenced
- Use of encryption (files, data in transit, backup files), managing encryption keys
- Backups and recovery (weekend or weekdays, on-line or off-line, incremental or full, etc.)
- Audits (auditor, frequency of audits, what is audited)
- Use of multi level security
- Use virtual private databases
- Database servers hardening (firewall/intrusion detection system, secure configuration, patch management, vulnerability assessment)
- Change management (ensure privileged accounts are documented, administered, monitored, and reviewed)