Free «Database Security Protection of Sensitive Data in an Organization» Essay Sample

Companies have become sensitive to internal data loss or leakage to the outside world. A wide range of incidents have resulted in the loss of millions of dollars, other indirect costs, and subsequent damage to the brands and reputations of organizations. These incidents have included the sale of customer account information to unauthorized parties and the loss of items such as laptops, backup materials, and mobile devices. They mainly occurred as a result of the actions of internal users and trusted parties, and most were not intentional.

Since data is considered one of the most valuable assets in an organization, protecting it and keeping it out of the public domain is significant. This can be achieved by implementing data loss prevention controls that combine strategic, operational, and tactical procedures (National Research Council, 2007). To implement data loss prevention measures, organizations need to understand the nature of the data that is considered sensitive and where it is located, both internally and with other parties. It is also significant to know the destination of the data in the organization.

This paper explores the challenges organizations face with respect to business drivers and the regulatory measures that can be put in place to protect data. It also shares a point of view and methods for preventing data loss, along with insights and lessons from the experiences of some of the organizations that have implemented data loss prevention measures.

Challenges in Managing Sensitive Organizational Data

Managing data loss is challenging because data can be lost for many reasons. No single solution or tool can address the pressing issues that data loss poses in organizations. Addressing these challenges requires a comprehensive solution involving people, processes and technology.

There are recurring causes of data loss in organizations. These themes often include reasons for loss of data, specifically due to personal intentions (UNEP (Nairobi), 2006). It has been observed that employees do not adequately understand or ensure that sensitive data is protected. On the process side, data classification and acceptable use policies do not include the controls that need to be implemented to deliver sensitive data securely to other parties. The protection mechanisms also do not articulate whether sensitive information is sent to home computers or personal accounts.

Present remote access tools are not flexible enough to support the business, which results in the use of alternative techniques such as email accounts to enable working from home or from remote areas.

It has been reported that the average total cost per data breach has increased to $7.4 million, or $200 per record lost.

In addition, there is an observable increase in the number of leaks every year, and this is expected to continue to increase considerably over the next several years. Accurate statistics on this phenomenon are not easy to get, however, and the available data do not represent the exact situation because there are further leaks and data breaches that are not reported.

No definite number can be reported with exactness because there is no specific repository for incident tracking; the available data include only incidents that reached the media or that were reported by employees in an organization.

There have been several incidents in which affected companies incurred high costs and drew extreme media attention. For instance, a web technology organization announced that it had discovered a scheme to gather user passwords, possibly through phishing. This affected a number of users, including US Government officials, politicians in China, officials in other Asian nations, military personnel, and journalists.

A public health organization was compelled to notify 1.7 million patients, workers, contractors and vendors of the theft of electronic record files that contained personal information, patient health information, and employee medical data. The data lost included Social Security numbers, personal data such as names and addresses, and medical data.

The table below shows the costs of a breach for three sample companies.



Cost category | Description | Company A: Low-profile breach in a non-regulated industry | Company B: Low-profile breach in a regulated industry | Company C: High-profile breach in a regulated industry
Discovery, notification and response | Calls, call center and discount product offers | | |
Loss of employee productivity | Employee diverted from tasks | | |
Opportunity Costs | Customer churn and inability to get new customers | | |
 | Asking to put the money aside in case breaches are discovered | | |

Table 1. The costs of breach, broken down for three sample companies

General Guidance for Protection of Confidential Information

There are a number of specific areas where particular attention is significant in protecting the confidentiality of information in a Department. The general procedures that Departments need to follow include establishing policies and procedures that ensure personal data is protected by knowing the nature of the data held, where it is held, and the consequences that can result if the data is lost or stolen. With this in mind, as a first step Departments need to conduct an audit to determine the types of personal information within the organization and to list the repositories holding personal information and their locations (Quigley, 2008). Risks related to the storage, handling and protection of this data need to be included in the risk register of the Department. This is followed by establishing whether the security measures are appropriate to the data being stored, while also considering the guidelines within the document.

Access to personal information centers and server rooms hosting the hardware and software on which personal information is stored needs to be restricted to those members of staff who have the authority to work in those areas. This should involve the use of swipe card and PIN technology for the rooms under consideration; the system should be able to record who accessed the room, and management should review access records and procedures on a regular basis.

Systems that are no longer used, or that are not actively used, and that contain personal information should be removed where such access is not necessary or cannot be accounted for.

Passwords for accessing PCs, applications, and data documents should be strong enough to resist cracking or guessing attacks. Passwords should include numbers, symbols, and lowercase and uppercase letters. They should be at least 12 characters long, with a minimum of 8 characters. Passwords that use repetition, dictionary words, sequences of letters, usernames, or biographical information such as names or dates have to be avoided. Passwords have to be changed on a regular basis.
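The rules in the paragraph above can be enforced at the point where a password is set. The following is an added example, not part of the original essay: the word list, the sequence strings, the four-character run length, and the reading of the length rule (8 as the hard minimum, 12 as the recommended length) are all assumptions.

```python
import re

# Constructed sample word list; a real deployment would load a large dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "dragon"}
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")
MIN_LENGTH, RECOMMENDED_LENGTH = 8, 12  # assumed reading of the essay's rule


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters of a known sequence."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):  # forward and reversed, e.g. "4321"
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def check_password(pw, username="", personal=()):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        problems.append("shorter than the recommended 12 characters")
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "number": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    for name, pattern in classes.items():
        if not re.search(pattern, pw):
            problems.append(f"missing {name}")
    if re.search(r"(.)\1\1", pw):  # same character three times in a row
        problems.append("repeated character run")
    if has_sequence(pw):
        problems.append("keyboard or alphabet sequence")
    low = pw.lower()
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    for token in (username, *personal):  # names, dates and similar details
        if len(token) >= 3 and token.lower() in low:
            problems.append("contains username or biographical detail")
            break
    return problems
```
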

Departments should also have the right procedures for evaluating requests from other institutions for access to personal data in their possession. The procedures should assist departments in assessing the justification for access to personal data under the Data Protection Acts. Departments also need to ensure that access by staff to individual data for analysis or research is fully justifiable and proportionate (Smith, 2004).

Employees who have retired, transferred from the department, or resigned need to be removed from mailing lists and access control lists. The right changes also need to be made when staff are transferred to other assignments within the organization. Departments are responsible for putting procedures in place that support this by notifying the right people in a timely manner.

Contractors, consultants and external providers under the management of the departments need to be subject to strict procedures for accessing individual data, set out in a formal contract in line with the requirements of the Data Protection Acts. The terms of the contract and the activities conducted should be subject to review and audit to assure compliance.

Departments need to maintain an up-to-date Acceptable Usage Policy covering the use by staff of information and communication technology such as telephones, mobile phones, facsimile, email, intranet, internet and remote controls. This policy needs to be understood and signed by every user of this technology within the department.

Audit committees within the departments, in consultation with secretaries in the work of internal auditing, should ensure that the program includes the right coverage by the IAUs of the areas within the institutions that are responsible for the storage of, access to and protection of individual information. Any assessment by the IAUs would focus specifically on the adequacy of the systems of control designed, created and operated in those areas to ensure that risks of breaching data protection requirements are reduced. Risks related to the storage, handling or protection of individual data should be incorporated into the risk register and risk assessment of the department. In addition, external audits of various aspects of data protection in the organization may be carried out periodically under the leadership of the Office of the Data Protection Commissioner.

There is also a need to put in place the right procedures for the disposal of files, both paper and electronic, that contain personal information. These should create awareness in the departments of the legal requirements of the National Archives Act, 1988, and should take into account that incoming emails of significant interest are documentable records under the Act. Special procedures are also needed for the secure disposal of electronic equipment such as storage media at end-of-life. This can be done with degaussers, erasers, and devices for physical destruction.

Customer service documentation should describe the procedures for holding customer data and the ways in which it will be used. Privacy of websites should be reviewed regularly to account for any enhancements or additional practices that include the collection of individual information.

Security can also be enhanced by coaching and training recruited staff before they are able to access confidential information or personal files. Staff should ensure that callers or unauthorized persons are not allowed to view individual information, whether it is written on paper documents or displayed on PC monitors.

Staff should ensure that PCs are logged off when left unattended for any period of time. If possible, staff should not be allowed to save files to local disks; users should save files only to their designated network drive.

Control of Access to Sensitive Information

Mobile working and e-working services have continued to increase across the public service. As a result, demand from staff to access remotely the same systems that are accessible from the office is on the increase. This creates challenges with regard to personal and sensitive data, so certain guidelines must be followed.

First, all individual and sensitive information kept electronically needs to be stored within a department server room. Data that is available through remote access should not be copied to client computers or to other storage devices, such as laptops and flash disks, that are prone to theft or loss.

In addition, sensitive data has to be accessed remotely over a secure encrypted link such as IPsec or SSL, with the right access controls in place. There should also be effective security and access controls, such as compulsory use of strong passwords and secure two-factor authentication.

Data that is accessed in this manner should not be copied from the central location to the remote machine. Departments also need to use technologies that automatically delete unneeded files that the operating system may leave on remote machines.

Software that Can Be Bought to Protect Databases from Hacking

Email and other personal productivity software such as spreadsheets are important business tools that are in use in all departments. Departments nevertheless have to take great care in using this software where individual data is concerned. Specifically, unencrypted email should not be used to transmit any information of an individual or sensitive nature. Departments that use email to transfer such data have to ensure that the sensitive information is encrypted, either by file encryption or through a secure email facility that encrypts the data being sent. It is recommended that the strongest encryption methods are used, and departments need to ensure that emails are sent to the right recipient. Interoperability can be ensured and key management costs avoided by paying particular attention to any solutions proposed for this purpose.

Departments also need to consider implementing solutions that scan emails and attachments for words that may indicate the presence of personal data and, if possible, prevent its transmission. Where sensitive data is held in applications and databases, additional controls are needed to ensure that the data is not copied to personal productivity software where there are no security or access controls, or where the security controls can be bypassed.
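The outbound email scan described above can be sketched as follows. This is an added example, not part of the original essay: the keyword list, the Social Security number pattern, the blocking rule and the sample message are constructed assumptions, and real products inspect many more content types.

```python
import re
from email import message_from_string

# Keywords and pattern are illustrative assumptions, not a complete policy.
KEYWORDS = ("social security", "date of birth", "medical record", "diagnosis")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
SAMPLE = (  # constructed message: plain-text body plus one CSV attachment
    'Subject: patient list\nMIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="B"\n\n'
    '--B\nContent-Type: text/plain\n\n'
    'Medical record export attached. Ticket 000-12-3456.\n'
    '--B\nContent-Type: text/csv\n'
    'Content-Disposition: attachment; filename="export.csv"\n\n'
    'name,ssn\nJane Roe,123-45-6789\n--B--\n'
)


def valid_ssn(area, group, serial):
    """Structural SSN check to cut false positives from arbitrary digit runs."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def text_parts(msg):
    """Yield (label, text) for the body and every text attachment."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container and binary parts
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        yield part.get_filename() or "body", payload.decode(charset, errors="replace")


def scan_message(raw):
    """Return findings as (location, kind, detail); SSNs are masked in the detail."""
    findings = []
    for label, text in text_parts(message_from_string(raw)):
        for m in SSN_RE.finditer(text):
            if valid_ssn(*m.groups()):
                findings.append((label, "ssn", "***-**-" + m.group(3)))
        low = text.lower()
        findings.extend((label, "keyword", kw) for kw in KEYWORDS if kw in low)
    return findings


def should_block(raw):
    """Policy decision: hold the message if any SSN-shaped value is found."""
    return any(kind == "ssn" for _, kind, _ in scan_message(raw))
```

Keyword hits alone are reported but do not block in this sketch, since words such as "diagnosis" appear in ordinary mail; the masked detail keeps the scanner's own log from becoming a second copy of the sensitive data.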


From involvement with a number of clients and their data loss prevention programs, certain practices have been identified. These include determining the goals and objectives of the data loss prevention program upfront, ensuring that the program accomplishes strategic business objectives and brings benefits in return for the costs incurred. Clear goals and objectives focused on the company mission should be established upfront to create a base for the program.

It is also significant to ensure that all aspects of people, process and technology are addressed. A defense-in-depth approach should be used, with clearly defined roles and responsibilities for the employees concerned. It is also recommended that executive support is established that understands participation, and that there is company-wide support and involvement from the various business units to develop a more user-friendly transition, with business input provided at major stages.

There are also some tips that help to minimize data loss in an organization. One of these is to implement data lifecycle management. The main challenge organizations have experienced with data protection is the improper definition, classification and protection of sensitive information at the time of creation. A lack of proper definition, classification and storage at the starting point can propagate throughout the organization, making the data difficult to protect at later stages. In addition, compliance with data retention policies is a challenge that results in an increase in the amount of data that has to be managed and protected.

Furthermore, unauthorized devices should not be allowed at work. Allowing non-corporate assets into the internal environment can result in a number of risks. Examples of such risks are access to the company’s premises and internal network resources by unauthorized parties and the connection of individual devices to the corporate network. Personal devices are most likely less protected and do not have endpoint security controls.

It is also recommended that copying sensitive information to removable media should not be allowed. This can be done by configuring endpoints to disable writing to all removable storage, and content-aware endpoint data loss prevention techniques need to be included to prevent sensitive data from being copied from the source. Mobile equipment such as laptops, cell phones and PDAs must have full disk encryption, and the company should be able to erase them when they are lost or stolen.

