Incorporate database security into security strategy
Enterprise database security is highly complex, and databases are a primary source of critical information assets such as customer data. Security strategy should focus on minimizing and reducing security risks that contribute to an organization’s overall risks and to achieve compliance with various rules and governmental and regulatory requirements (Freund & Jones, 2013). Security strategy should also address most likely risk scenarios such as loss of database access or a network intrusion event. This is particularly important for organizations in regulated industries such as finance and healthcare. In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide the foundations of information security requirements for hospitals, insurance carriers, health data clearing houses, and businesses that support these organizations (Regan, 2009). Information security strategy and a robust information security program enables healthcare organizations to efficiently deal with the regulatory burdens from HIPAA and HITECH. This is particularly critical for healthcare databases.
A strategy program for database security risk should encompass active risk management for new technologies and the use of risk transfer tools such as data breach insurance. Active risk management enables an organization to align information security risk with business objectives and to plan for potential issues such as a data breach where the use of a cybersecurity insurance policy could transfer some of the risk from a data breach to an insurance carrier (Gordon & Loeb, 2006). In the event of a data breach, cybersecurity insurance could cover the cost of a forensic investigation and notification in the event of data exposure. Cyber security policies contain pre-defined terms and conditions. Part of risk analysis should be working with insurance brokers and carriers to understand which risks are covered and limits of these risks.
Finally, the use of frameworks may facilitate better analysis of newer technology risk. Choice of framework depends on the scope of risk analysis, and multiple frameworks may be employed in coordination. For instance, a combination of information security and privacy frameworks may be used to address the lifecycle of data in a new database application.
References
Freund, J., & Jones, J. (2013). Measuring and managing information risk: a FAIR approach. Butterworth-Heinemann.
Gordon, L. A., & Loeb, M. P. (2006). Managing cybersecurity resources: A cost-benefit analysis. New York: McGraw-Hill.
Regan, P. M. (2009). Federal Security Breach Notifications: Politics and Approaches. Berkeley Technology Law Journal, 24(3), 1103-1132.


