Social Network For Security Executives: Network, Learn & Collaborate
Requirement for solutions related to Database security
A CISO should define the requirement for solutions related to Database security by first understanding the business and threat environment and decide on the most applicable threats and security parameters while balancing performance of application and security.
( Read more: 5 Best Practices to secure your Big Data Implementation)
The solution requirements should address fundamental security issues viz. Availability, Authenticity, Integrity and Confidentiality. While defining the requirement, one needs to decide what are the information that need to be protected from the fundamental security issues and accordingly select the relevant databases for which security solutions need to be identified. A comprehensive risk assessment needs to be carried out to define the potential security threats holistically in terms of internal or external, intentional or accidental, physical or logical etc. Once the threats are identified, one needs to define the criticality of each threat from business impact perspective post which analyze various vulnerabilities or points/modes of failure. Further analysis to be done to assess probability of occurrence based on the current protection controls already in place and what are the current detection capabilities. Based on this analysis, one needs to arrive the risk priority rating which will actually become the basis for the requirements criteria for database security.
Besides looking at risk based approach, it’s equally critical that one needs to understand and identify if there are any requirements from statutory, regulatory and contractual compliance perspective (eg. PCI standards - Encryption, DAM-Database Activity Monitoring)
Key parameters based on which a CISO should choose a vendor for the same
( Watch more : Attacks on Smart TV and Connected Smart Devices )
Top Questions to ask vendor for evaluating the offering/Vendor Evaluation Checklist
Top mistakes to avoid while selecting a vendor
Selecting vendor without checking the compatibility of their solution with the database vendor. This will sometimes lead into issues before or after implementation. This aspect needs to be thoroughly checked and evaluated before selecting vendor.
- By A.Raja Vijay Kumar, VP & Global Information Security Leader, Genpact