The institution incorporates security measures in its database systems, especially those storing critical data.
This covers database administration procedures and practices; system accounts, privileges and roles; identification of the users of applications; and the database infrastructure itself.
Guideline code
ICT_04000
Mechanism
- In elaborating and implementing the database security plan, the ICT unit should:
  - Structure the plan around three main aspects: the data requiring protection, the rationale for protecting it, and the protection mechanisms applied;
  - Establish database user accounts which are separate from those used in business applications, particularly where applications are accessed anonymously. These accounts should have the minimum privileges required to carry out their operations, and database administrators and administration accounts should be strictly monitored;
  - Include security measures in the database infrastructure, specifically concerning user authentication mechanisms, server protection, DBMS configuration and vulnerability control, and communications encryption (where necessary for sensitive data);
  - Establish and audit development practices for applications accessing databases, to reduce the risks concerning applications and backend systems.
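The account-separation and least-privilege measures above can be made concrete in the DBMS itself. The following is an added example written for this page (not part of the guideline or of any specific institution's configuration), in PostgreSQL syntax; the schema, table and role names (`orders`, `order_header`, `order_line`, `product_catalogue`, `app_orders_rw`, `app_public_ro`, `dba_alice`) are assumed for illustration, and the password placeholders are meant to be supplied from a secret store rather than written in a script.

```sql
-- Added example: dedicated application accounts with minimum privileges,
-- a separate, more restricted account for anonymous access paths, and
-- monitored administration accounts. All object and role names are assumed.

-- 1. Application roles own no objects; they only receive explicit grants.
CREATE ROLE app_orders_rw LOGIN PASSWORD '<from-secret-store>';
CREATE ROLE app_public_ro LOGIN PASSWORD '<from-secret-store>';

-- 2. Remove the default PUBLIC grants so that every privilege must be
--    granted deliberately to a named role.
REVOKE ALL ON SCHEMA orders FROM PUBLIC;
REVOKE ALL ON ALL TABLES IN SCHEMA orders FROM PUBLIC;

-- 3. Grant only what each account's operations require.
GRANT USAGE ON SCHEMA orders TO app_orders_rw, app_public_ro;
GRANT SELECT, INSERT, UPDATE ON orders.order_header, orders.order_line
    TO app_orders_rw;
-- The anonymous (unauthenticated) application path reads the catalogue only.
GRANT SELECT ON orders.product_catalogue TO app_public_ro;

-- 4. Administration is done under a personal, named administrator role,
--    never through the application accounts, and its statements are logged
--    so that administrator activity can be monitored and audited.
CREATE ROLE dba_alice LOGIN SUPERUSER PASSWORD '<from-secret-store>';
ALTER ROLE dba_alice SET log_statement = 'all';

-- 5. Check: list the effective table privileges in the schema so the result
--    can be compared with what the security plan says each account needs.
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE table_schema = 'orders'
ORDER BY grantee, table_name, privilege_type;
```

The final query is the review step: it should show `app_public_ro` with `SELECT` on `product_catalogue` only, `app_orders_rw` with `SELECT`, `INSERT` and `UPDATE` on the two order tables and nothing else, and no grants to `PUBLIC`. Any extra row is a privilege the plan did not call for.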
Parent
Structure
- The ICT unit should develop and implement a plan to ensure security in database systems; in addition to general database security issues, the plan should take into account data privacy and data protection regulations, which impose compulsory data security measures for protected data.
- Management should define the relevant duties and responsibilities for enforcing security policies in database systems.
- The contracts administration office should include these internal regulations and specifications in requests for proposals and in contract documents.
- The ICT unit should ensure that database security measures are included in disaster recovery plans, especially in backup mechanisms.
- Security mechanisms for database systems should be based on the institutional information security management framework and on the international standard ISO/IEC 27002:2005 (Information technology – Security techniques).
Title HTML
Guideline 31. Security in database systems
Type
Guideline_1
Weight
43