Tom Gaffny, executive vice president of fundraising and database firm Epsilon in Wakefield, Mass., suggests eight database security questions that those responsible for security in an organization should ask themselves.
- Are we only storing the data we need for our business use? Storing unnecessary data is both expensive and one more potential source of a security breach.
- Do we have an ultimate data owner for each system we support? Having two or more people who share ownership for a database system invites chaos.
- Do we have documented audit trails surrounding our data access? Such a trail should specify who granted access to whom, for what data and at what level. It should also clearly specify who is allowed to do what with data.
- Have we developed a data classification scheme, and why? Classifying data helps in determining how long different types of data should be retained on backup tapes.
- Do we encrypt everything that leaves the secure data center? The most secure organizations encrypt everything, even laptops.
- Have we recently undergone a security audit by an independent authority? An independent party can help identify weaknesses that are overlooked.
- Do we back up our data often enough, and are encrypted files or tapes stored at a remote location? It's common sense.
- Have we kept our employees completely informed about policies and procedures they need to follow to protect our assets?