Page 441 - Using MIS
P. 441
Q7 How Can Human Safeguards Protect Against Security Threats? 409
Q6 How Can Data Safeguards Protect Against
Security Threats?
Data safeguards protect databases and other organizational data. Two organizational units are
responsible for data safeguards. Data administration refers to an organization-wide function
that is in charge of developing data policies and enforcing data standards.
Database administration refers to a function that pertains to a particular database. ERP,
CRM, and MRP databases each have a database administration function. Database adminis-
tration develops procedures and practices to ensure efficient and orderly multiuser process-
ing of the database, to control changes to the database structure, and to protect the database.
Database administration was summarized in Chapter 5.
Both data and database administration are involved in establishing the data safeguards in
Figure 10-13. First, data administration should define data policies such as “We will not share
identifying customer data with any other organization” and the like. Then data administration and
database administration(s) work together to specify user data rights and responsibilities. Third,
those rights should be enforced by user accounts that are authenticated at least by passwords.
The organization should protect sensitive data by storing it in encrypted form. Such en-
cryption uses one or more keys in ways similar to that described for data communication en-
cryption. One potential problem with stored data, however, is that the key might be lost or that
disgruntled or terminated employees might destroy it. Because of this possibility, when data are
encrypted, a trusted party should have a copy of the encryption key. This safety procedure is
sometimes called key escrow.
Another data safeguard is to periodically create backup copies of database contents. The
organization should store at least some of these backups off premises, possibly in a remote loca-
tion. Additionally, IT personnel should periodically practice recovery to ensure that the backups
are valid and that effective recovery procedures exist. Do not assume that just because a backup
is made that the database is protected.
Physical security is another data safeguard. The computers that run the DBMS and all de-
vices that store database data should reside in locked, controlled-access facilities. If not, they
are subject not only to theft, but also to damage. For better security, the organization should
keep a log showing who entered the facility, when, and for what purpose.
When organizations store databases in the cloud, all of the safeguards in Figure 10-13
should be part of the cloud service contract.
Q7 How Can Human Safeguards Protect Against
Security Threats?
Human safeguards involve the people and procedure components of information systems. In
general, human safeguards result when authorized users follow appropriate procedures for sys-
tem use and recovery. Restricting access to authorized users requires effective authentication
• Define data policies
• Data rights and responsibilities
• Rights enforced by user accounts
authenticated by passwords
• Data encryption
Figure 10-13 • Backup and recovery procedures
Data Safeguards • Physical security
