I. Data in Modern Day Enterprises
Enterprises today rely on data to execute daily operations, conduct efficiency analyses, gauge market trends, and obtain insights to gain a competitive advantage. As data continues to play an increasingly critical role in streamlining businesses and making enterprises more cost-effective, it is being viewed as an indispensable asset. Like all precious assets, information assets must also be used and secured properly. Successful enterprises must therefore enact rules and put in place policies which safeguard information assets.
Fatimah Aljumah, Upstream Database Services Division, Saudi Aramco, Dhahran, Saudi Arabia
Fatimah will be speaking at the IRM UK Enterprise Data & Business Intelligence and Analytics Conference Europe 18-22 November 2019, London
She will be speaking on the subject ‘Data Security Policies for Modern Enterprises‘
The impact of not securing data can be particularly troublesome for enterprises. In some cases, it may cause enough financial damage to become an existential threat for an enterprise. This is important enough to be addressed by governments. The European Union passed General Data Protection Regulation (Regulation 2016/679) , with fines up to 4% of turnover or 20 million euros for data protection infringements .
This paper covers the essentials of what is needed to make an effective data security policy for enterprises. It discusses the properties of data which are relevant to security, key principles which must be considered, and formulating policies to fit your organization.
All policy makers should understand their organization’s data, their organization’s mission, data management principles, and formulating relevant and practical policies and standards.
III. Data Characteristics
Data is an asset which is produced and consumed by nearly every business processes within an enterprise. It is not uniform in its acquisition, creation, or usage. There are several attributes and features of data such as quality, integrity, timeliness etc. However for the purpose of determining the correct data security policies the most relevant data characteristics are discussed below.
Following are some key characteristics which should be paid special attention to when forming data security policies.
A. Data Classification
Data must be classified properly in order for data protection measures to be effective. This is essential for effective policy-making, and subsequent policy enforcement. Not all data are equivalent in importance and sensitivity to an organization. The objective of having a pre-determined data security classification is to ensure that appropriate security mechanisms to control information from being leaked, manipulated or becoming unavailable .
Typically, organizations have the following data classifications that differentiate between data sensitivities:
- Public: Information which can be published and shared freely inside or outside the organization. It can be put on corporate websites etc.
- Company Internal: Information can be shared freely within the organization but not outside.
- Confidential: Information is restricted and its use must be authorized by the data owner or proponent and its use limited to the given permission only.
- Strictly Confidential: Highly sensitive information which can have high financial or legal implications to an organization if the information is not protected or breached. The highest caution should be taken with this security classification.
Employees must be aware of each security classification, and know how to apply the proper classification to each document, e-mail, or data type.
B. Data Storage and Devices
Data storage media and devices which collect and access data must be considered for securing data. When dealing with mainframe computers accessed by dumb terminals, it was relatively easy to secure where the data resided and the devices which accessed it. In the modern world, data is accessed from desktops, laptops, mobile devices, and exchanged between servers.
It can be stored on any of the devices accessing it, or on servers and storage media designed to run modern day databases, document repositories, and shared network locations. Furthermore, corporate data may not necessarily reside on premise for an enterprise, but could be stored in the Cloud by a data service provider.
Today’s data architecture is vastly different and far more complex than what it was just a decade or two ago. Different storage media pose different risks, and policies adopted by enterprises must address all of them. A data security breach is mostly likely to occur from the most vulnerable device or storage medium. Once the information is leaked, it will not matter where the leak occurred; therefore, all storage and devices must be covered in a comprehensive data security policy.
C. Data Uses
Data is used for several different purposes within an enterprise. In most complex enterprises, different departments and organizational units rarely act alone. Modern day organizations have business processes which involve more than one organizational unit, and there is data flow between organizations to facilitate and execute workflows. Data security policies must ensure that data is made available to the right entities, and that the entity consuming data takes proper care and precaution when dealing with data belonging to another organization.
IV. Key Policy Principles
A comprehensive data security policy must contain the following key principles. The principles listed below are general and do not tend to change over time. They state essential truths which should be considered by enterprises wanting to secure their data .
A. Acceptable Use
Provide employees with clear unambiguous guidelines on what is appropriate use of Company resources. Employees are usually required to formally sign a document acknowledging acceptable use policies before they are given access to systems. The SANS institute describes this as “rules in place to protect the employee and Company. Inappropriate use exposes Company to risks including virus attacks, compromise of systems and services, and legal issues.” . The policy covers electronic and computing devices and information assets, encouraging good judgment and use in accordance with stated guidelines .
B. Account and Access Control
Individuals who wish to access corporate systems are granted an account secured by a password. They gain access to corporate systems by using the account to log into them. The account has the privileges required by the individual to gain access to the information assets he or she needs to conduct his business. It is therefore imperative to maintain control over accounts, and monitor them.
Accounts are how we determine the level of access given to a user, and their usage of information assets. Therefore, before gaining access to an account, an individual must sign a document whereby he acknowledges that he will use the account for Company business and protect the account by using a password which is in line with corporate policy. Data security policies must stipulate the proper use of authentication methods used to verify the identity associated with an account.
C. Email & Communication
Emails are a big part of most employees’ workday. It is the selected way for business related communications in nearly all modern enterprises. Companies must clearly state acceptable and tolerable behavior when dealing with corporate emails. This includes ensuring that emails are not used to spam, send unauthorized marketing content or solicitation emails, or send insulting or discriminatory messages . Companies can also state appropriate usage guidelines like passing email address at conferences or corporate events, or signing up for newsletters that encourage professional growth .
D. Remote Access
Global enterprises have a business need to allow their employees to access their systems remotely. Opening internal systems to access from remote locations is risky, therefore, enterprises must define proper methods for accessing systems when outside the Company premises.
The policy aims to define rules which minimize the risk when connecting to corporate network from any remote access host. The damages of unauthorized individuals gaining access could be loss of intellectual property, and sensitive information which can damage public image or result in fines and liabilities .
E. Incident Response
Incident Response refers to clearly defined steps and procedures that will be actioned in case of a data security breach. Nobody wants a breach but they have to be prepared in case one occurs. Without a predefined plan, your response will be delayed. It is good policy to identify a team that will respond effectively.
“The key to mitigating risk of a data security incident is the existence of an Incident Response plan. The plan must not only exist but its location must be known and the plan must be accessible.” 
F. Business Continuity
Business Continuity and Disaster Recovery planning are used to restore services and recover from outages. Systems will inevitably go down and most organizations have plans to make sure mission critical apps are available. Business Continuity is the “capability of the organisation to continue to deliver products or services at acceptable pre-defined levels following a disruptive incident.” 
For data security policy, the idea is to ensure the data is available when systems are switched from primary to backup. Furthermore, user access to data must be identical when standby systems take over.
G. Managing Patches
Vendors regularly release patches for their software. Some patches fix bugs related to functionality while others are security related. If it is a security related patch, there must be rules in place which mandate its application based on the severity set by the vendor. Policies should dictate that critical patches be applied in a much shorter timeframe than those of lower importance.
Policies need to be put in place to ensure that there are standards and procedures to apply software patches or releases related to data security. These standards and procedures include informing software development support personnel to ensure that all mission critical applications are tested and any modifications made in time to close any loophole which can cause a data security breach.
“Encryption is the process of encoding (or scrambling) information so that it can only be converted back to its original form (decrypted) by someone who (or something which) possesses the correct decoding key.” 
Encryption is typically referred to as the last line of defense in a data breach. If a hacker is able to gain access to information, then encryption will keep him from making any use of the information. The data will be scrambled, and therefore, rendered useless to the person who obtained unauthorized access to the information asset.
As a general rule, encryption must be used to protect strictly confidential information especially when transmitting data over networks to protect against any risk of interception. “Where strictly confidential data is stored in public, cloud based storage facilities the data must be encrypted prior to storing to ensure that it is not possible for the cloud service provider to decrypt the data.” 
I. Monitoring & Compliance
It is important to remain vigilant for data security. Monitoring takes on two forms, where the first is to have an operations center which checks for any unauthorized access to networks or data, and the other is to ensure compliance with the policies put in place to protect data.
Data security personnel must watch out for any data breaches and take action as early as possible. This responsibility typically lies with security operations centers which monitor networks and unusual activities round the clock.
A third party audit conducted regularly is highly recommended. “All policy compliance processes have one thing in common, however: an audit. Without an audit process of some kind, there’s no mechanism for assessing compliance.” . The audits ensure that the policies which are in place are being followed.
V. Formulating Policies and Standards
Each of the principles stated above are true and correct in their own right. However, they must be adapted according to the nature and tolerance of an enterprise. Each of these should be evaluated in the context of an organization and then the appropriate policy crafted. Following are a few select examples when dealing with adapting policies for an organization:
A. Acceptable Use Adaptation
Customizing policies for acceptable use should consider factors such as:
- Personal Use: Decide on the level of personal use of Company systems. For instance determine if your organization is comfortable with allowing employees to conduct personal business such as planning vacations, personal banking, and other personal matters. Companies can choose to impose time limits on personal use.
- Downloads: Decide on allowing employees to download content from the internet such as torrent sites. This policy can also determine if employees can download business related utilities and their safe use.
- Copyrights: Policies must prohibit any violation of copyrights.
B. Account and Access Control Adaptation
Customizing policies for Account and Access Control should consider factors such as:
- Password Policy: Decide on the length and complexity of passwords. State the maximum number of days before passwords must be changed, and whether they can be reused.
- Two Factor: Decide on the usage of two factor authentication for personal or privileged accounts. The use of two factor authentication for accounts dealing with confidential data is recommended.
- Data Access: Access to data, other than data classified as public, should be given through role related to job functions, and not directly to individuals.
- Log Privileges: Decide on keeping a full and accurate log of all privileges granted to accounts. It is recommended to track all changes to accounts accessing confidential data.
C. Email & Communication Adaptation
Customizing policies for Email & Communication should consider factors such as:
- Usage Policy: Company business must be conducted using company email.
- Personal email: Decide on allowing access to third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc.
- Confidential Data: It is reasonable to expect employees to email documents to work on at home. However, no confidential data should be emailed to personal accounts.
- Privacy: Any communication or email sent using company email is company property and may be monitored. Employees have no privacy over any message sent via company email, stored on company servers or sent via company device.
D. Remote Access Adaptation
Customizing policies for Remote Access should consider factors such as:
- Additional Protection: Mobile devices used to access company networks remotely must use strong PIN codes. Laptops or desktop computers must use two factor authentication.
- VPN: Decide on mandating the use of VPN when accessing remotely.
- Device Control: Company will reserve right to wipe data on devices accessing its network remotely.
- Approved Devices: All devices used for remote access must be preapproved. Employees sign an agreement to ensure their security software is up to date.
- Lost: Loss of any approved device used for remote access must be reported immediately.
E. Incident Response Adaptation
Customizing policies for Incident Response should consider factors such as:
- Team: Incident Response team must be formed and trained to respond to incidents. The team should be composed of members from various departments who may be needed for a comprehensive response. This may include professionals from Law, Finance, Public Relations, in addition to IT. The team should be chaired by a senior manager or director.
- Authority: Decide on extended powers to be given to the incident response team temporarily. Enough power should be delegated to deal with all aspects of an incident.
- Post Incident: A thorough investigation must be conducted to determine the root cause. Sufficient system logging should be in place to support a forensic investigation.
F. Business Continuity Adaptation
Customizing policies for Business Continuity should consider factors such as:
- Mission Critical: Identify mission critical applications that are needed for an enterprise, and ensure that data access is available when an outage occurs. In an outage applications are run from a backup site, and data security must be synchronized between the primary and backup sites to ensure proper data access. Therefore, policies must be in place to make sure that data access is synchronized as needed.
- Test Drills: For any contingency plans, it is necessary to ensure they are tested. They must not be tried when an outage occurs. Policies must set the right number of drills that an enterprise feels is necessary for ensuring that business continuity plans are adequately tested.
G. Managing Patches Adaptation
Customizing policies for Managing Patches should consider factors such as:
- Time Period: Decide on the appropriate timeframe to apply security patches. Software vendors release patches for their software. Any data security patch should be applied in time. Organizations must decide on the appropriate timeframe to apply these patches. Policies may differentiate between the timeframe depending on the criticality of the patch. Critical patches must be applied immediately, whereas lower priority patches may be applied monthly or quarterly.
- Classification: Data classification may be taken into consideration when consideration the patch cycle. Servers which hold Confidential or Strictly Confidential data may have a much shorter timeframe between patches, than servers which hold non-critical data.
H. Encryption Adaptation
Customizing policies for Encryption should consider factors such as:
- At Rest: Encryption at rest protects against media theft. Companies can assess the threat of having their servers physically taken, or not wiped clean before de-commissioning them. Companies should also decide on the need for encryption especially when storing the data on the cloud. They can determine if encryption at rest is needed for extra protection.
- In Transit: Encryption for data in transit is a must. This must be addressed by companies, and point to point communication which carries customer and company data must be protected. Hackers usually try to penetrate networks, and encryption ensure that any unlawful access gained to data will render the data useless.
- Accessing Classified Data: Devices which access Confidential or Strictly Confidential data must use the most secure protocols with encryption enabled.
I. Monitoring & Compliance Adaptation
Customizing policies for Monitoring & Compliance should consider factors such as:
- Audit: A third party audit is mandatory for enterprises to ensure compliance with policies. Enterprises must decide on the frequency of the audits. Audits may be done more frequently for compliance for business areas which deal with Confidential or Strictly Confidential data. This includes databases and servers holding confidential data.
- Monitoring Operations: Enterprises must remain vigilant at all times, and this usually means setting up a Security Operations Center which monitors for breaches or unusual behavior. Security professionals establish patterns of data usage and behavior and quickly spot any unusual activity to prevent data leakage. Organizations must decide on the authority delegated to operations centers to stop applications which are found in violation, or prevent any software from going to production if it does not meet the necessary security standards.
Policies and procedures used to secure data for enterprises must be reviewed for relevance and completeness regularly. Technology changes over time, and an enterprise will change the software, hardware, and its IT practices over time. It is therefore important to ensure that the policies and procedures in place reflect business accurately, and that policies remain useful and relevant.
I would like to thank Paul Seaby for his discussions on this paper.
Fatimah Aljumah is a Data Architect with Saudi Aramco working in the Upstream Database Services Division. She has over 8 years of experience working with large scale enterprise data models. She has expertise in databases and has worked on several aspects of data management including enterprise level data security and data quality. Currently, her responsibilities include designing and implementing enhancements to the Upstream oil and gas data models and overseeing data security implementation. Fatimah is also involved with data engineering to support advanced analytics. She has a Bachelor of Science in Computer Science from University of Manchester.
References European Commission. https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en , retrieved on September 17, 2019.
 IT Governance, “GDPR Enforcement and Penalties”, https://www.itgovernance.co.uk/dpa-and-gdpr-penalties, retrieved on September 17, 2019.
 Griffith University “Information Security Classification Framework” . 15 January 2019. Doc URL: https://policies.griffith.edu.au/pdf/Information Security Classification Framework.pdf
 Paul Seaby, “GRC Guidelines for PE Data” unpublished.
 The SANS Institute. “Acceptable Use Policy”, https://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy, retieved on Sep 18, 2019
 Workable. “Corporate email usage policy template”, https://resources.workable.com/email-usage-policy-template, retieved on Sep 18, 2019
 The SANS Institute. “Remote Access Policy”, https://www.sans.org/security-resources/policies/network-security/pdf/remote-access-policy, retieved on Sep 18, 2019
 MAPFRE Business Continuity Policy, https://www.mapfre.com/corporate/images/business-continuity-policy_tcm885-139156.pdf, retrieved on Sep 19, 2019
 RVC University of London, “IT Encryption Policy”, https://www.rvc.ac.uk/Media/Default/About/LISD/documents/itpol003-it-encryption-policy.pdf , retrieved on Sept 20, 2019
 Tim Erlin, “Security Fundamentals: Policy Compliance”, May 18, 2018, https://gcn.com/articles/2018/05/18/policy-compliance.aspx, retrieved on Sep 20, 2019
Copyright Fatimah Aljumah, Upstream Database Services Division, Saudi Aramco