Verified Document

Database Security Plan And Requirements Definition For Research Paper

Database Security Plan and Requirements Definition for a University Department The database security plan and requirements definition were developed. The plan included, at the outset, the inclusion of major stakeholder at the University and described their roles in initiating, implementing, and maintaining the plan. Individuals responsible for daily and other periodic tasks were developed. A major consideration in planning the security was the policy that governs granting of access. The need-to-know, combined with the users' roles provided the guiding principles. Physical security, backing up of data and the periodic exercise of restoring data were not overlooked in the plan. Plans were set in place to ensure that attention was paid to the dynamic nature of the document since the security environment must continually change in order to discourage system attackers and to keep pace with the rapidly changing technology.

The Business Environment

We are an entrepreneurial business department in the faculty of engineering of a large accredited university. The entrepreneurial nature of this department derives from the newly established Internet-based Master's degree program that we were granted permission to launch. The staffing for this program includes four 'program directors', one 'assistant director', four 'full-time professors', one 'full time database administrator', one 'administrative assistant', and 'one clerical assistant' who handles admissions to the program. In addition, part-time instructors, part-time teaching assistants, part-time assistant data-base administrators are employed on a term-by term basis as the student-load dictates. Students must access printed and audio data, prepared by the instructors via the Internet and the specific website designed to accommodate their courses.

Objectives

The objectives of this security plan are (1) to conform as much as possible to the sound recommendations by Marlene Theriault and William Heney (1998) in their description of the development of an Oracle Database security plan, in Chapter seven, (2) to provide confidentiality, integrity and accessibility for the students' data in the database, for the instructors' lecture and examination documents also. The definitions of these terms are as outlined as follows (Ferrari, 2010)

Data secrecy or confidentiality prevents improper or unauthorized 'read' operations on the managed data. When data are related to personal information, the term privacy is used. However, it is important to note that protecting privacy requires some additional countermeasures with respect to those employed to ensure data confidentiality. Data integrity signifies protecting data from unauthorized or improper modifications or deletions.

Data availability signifies prevention and recovery from hardware and software errors due to malicious data can make the data or some of their portions unavailable to unauthorized users. These causes will be eliminated.

Network and Systems

The systems in use in the department are as follows:

1. Desktop computers and laptop computers are available for all professors and administrative staff.

2. Printers available for personal use by all staff in their individual offices.

3. A printer-fax combination for general use

4. A server, type Microsoft Windows linked by Ethernet cables

5. Database, Oracle 11g Enterprise Edition.

Part 1

1. The database security management will be the responsibility of a team led by the database administrator. Other members of the team include the program director, a senior database administrator form the Information Systems Department of the university, one instructor, and me as the chief security officer. The team approach in developing the security plan is recommended by Bond, Yeung-Kuen, Wong Chan (2007).

The team will meet weekly to discuss how to improve the security plan and to assess risk levels. The team will review the plan quarterly and make revisions as necessary in the light of new technology and changes in any regulations at the university or government level. The database security management will be the responsibility of the database administrator.

2. When a security breach is discovered, the administrator will make all attempts to trace the source of the breach using the 'Database Auditing and Intrusion Detection System'. The breach should be reported to the head of the Information Systems Department of the University. If individuals internal to the University are the cause of the breach, then a review of the Circumstance will be made and appropriate reprimands, or more severe punishment will be dealt according to the findings (Bond, Yeung-Kuen, Wong Chan, 2007).

3. The database administrator will be responsible for daily administration of the security policies, including the creation of access according to principle of "need-to-know" or sometimes referred as Separation of Duty. The separation of duty as a requirement such that "each set of user be assigned a specific set of responsibilities and only be permitted to execute transactions...

Security plug-ins will be installed on the servers. Server-side authentication security plug-ins and client-side authentication plug-in will be used. The plug-ins perform authentication on the database server when a user requests to be connected to a database. Authentication determines if the credentials of ID and password are authorized to enter the database. The use of plug-ins provides flexibility and customizability that are usually not available on the standard facility of the operating system (Bustamante, 2008).
Since data will be transmitted to students and by students over the World Wide Web the integrity and security of the data will be maintained by the use of encryption by Oracle Web Service Manager (Bustamante, 2008).

The database in this operation is classified into two categories based on the sensitivity of the data. One category includes critical data relating to students' personal information will be encrypted. The sensitive data that will be encrypted are:

Names, credit card numbers, date of birth, social security numbers, and actions taken on personnel.

Another less critical classification relates to other data such as instructional material but these need not be encrypted. These data will be protected by access controls (Haigh, 1987).

Part 3 User Accounts and Password Administration

The database administrator will be responsible for creating all user accounts including access to accounts on the Web servers by students for their specific courses. These types of access are time sensitive and so they will expire at the end of each school term. At the beginning of each term, the student list will be reviewed by the admissions clerks and the program director to determine which students are eligible to access the Internet classroom. This list is passed to the database administrator who creates the user accounts.

ID and password structures are standardized. The ID will consist of the students' first name initial and last name up to a total of eight letters. Numbers will be used to differentiate when two IDs are identical. Accounts for the instructors and clerical staff will be created by the database administrator. Passwords will be eight digits consisting of alphabet and numbers. Account for the database administrator will be created by the senior database administrator in the University's Information Systems department. These passwords are constructed by Information Systems department for the database administrator, are constructed using a different format from those used in our local department (Ferrari, 2010)

Profile is a set of characteristic that define the user. The current job title of the user must also form part of the characteristics of the user. Consequently those characteristics will also define the role that the user currently plays. It is the role that ultimately determines whether a user has access to certain sensitive sections of the database. As Ting explains (1987, 190), "The proposed user-role-based security model is intended to enhance the overall database security. The model assumes that the user identification and authentication have already been appropriately handled. The criteria for assignment of a profile to an account is based on the answer to the question, "Does the person occupying this role at this time need to know this information contained in this file?"

Part 4 Roles and Privileges

The security model will be a role-based security model. This is a model that will be applicable to this system since there is a web access component to this operation. According to Bustamante, "Role-based security is built on the premise that users are authenticated, which is the process of identifying the user. Once identified, the user can be authorized or, assigned roles and permissions" (Bustamante, 2008, p21).

Bustamate also notes that this model is suited for Web-based applications. In my system under consideration, there is a heavy Web-based application where instructors post notes on the Web to be accessed by students during a specific term.

Object privileges should be granted by the database administrator in consultation with the data security planning team members only after due diligence has been exercised. The object privileges include, 'SELECT, and INSERT, UPDATE, DELETE, and ALL PRIVILEGES'

Part 5 Data Security Operations

When failure occurs it is important that logs are available to provide recovery of the system. Complete logs must be available as the default. There should also be configured for both offline and online backup (See, Narisetty, Chong and Il-Sung, 2010).

Part 6 Data Isolation Policies

Changes made by one operation on the database may become visible to other operations occurring at the same time. The timing…

Sources used in this document:
References

Bond, Rebecca, Kevin Yeung-Kuen See, Carmen Ka Man Wong, and Yuk-Kuen Chan (2007). Understanding DB2 9 Security. Indianopolis: IBM Press.

Bustamante, M., (2008, January 10). Designing Role-based Security Models for .NET. Available: http://www.codeguru.com/csharp/.net/net_security/authentication/article.php/c19575/Designing-Role-Based-Security-Models-for-NET.htm [5 February 2012]

Ferrari, E. (2010). Access Control in Data Management Systems. Varese: Morgan & Claypool.

Haigh, J.T. (1987). Modeling Database Security Requirements. In C.E. Landweir (Ed.) Database Security: Status and Prospects (pp. 45-66). Amsterdam: Elsevier.
Theriault, M., & Heney, R. (1998, October) Developing a database Security Plan. O'Riley Online Catalog Chapter 7. Available: http://oreilly.com/catalog/orasec/chapter/ch07.html. [5 February 2012]
Yeung-kuen See, K., Narisetty, S., Chong, R.F., & Il-Sung, L. (2010, January). DB2 security, Part 2: Understand the DB2 for Linux, UNIX, and Windows security plug-ins. Available: http://www.ibm.com/developerworks/data/library/techarticle/dm-0512chong / [5 February 2012]
Cite this Document:
Copy Bibliography Citation

Related Documents

Database Security
Words: 2424 Length: 9 Document Type: Term Paper

Database Security The focus of this study is that of database security. Databases and database technology are such that play critical roles in the use of computers whether it be in business, electronic commerce, engineering, medicine, genetics, law, education or other such entities requiring the use of computer technology. A database is quite simply a collection of data that is related such as a database containing customer information, supplier information, employee

Database Administration Today in Evaluating
Words: 3489 Length: 11 Document Type: Thesis

Design criteria exist at the levels of the technical, system integration aspects of the database to other systems through XML. This integration is critically important to ensure that the applications created can be effectively used over time and not have any scalability issues. There is also the need for designing the databases at the presentation layer to provide for scalability and flexibility of being able to create applications relatively quickly

Security - Agip Kazakhstan North
Words: 14948 Length: 35 Document Type: Term Paper

They need to know what their responsibilities are not only as individuals but also as team members and corporate employees. David cites an excerpt from a corporate security document that illustrates his point: "A security policy serves many functions. It is a central document that describes in detail acceptable network activity and penalties for misuse. A security policy also provides a forum for identifying and clarifying security goals and

Security Self-Assessment Coyote Systems Security
Words: 2030 Length: 7 Document Type: Thesis

The management control area of authorize processing including certification and accreditation has been defined within Coyote Systems through the use of roles-based logins and access privileges and the use of certification of role-based access to ensure security. The company has found that through the use of role-based security authentication and the defining of rights by role, the certification and accreditation audits are far more efficient in being completed, and provide

Security Policy of a Dental
Words: 1254 Length: 3 Document Type: Term Paper

SECURITY and PRIVACY - the following security and privacy requirements apply: The Office does not accept responsibility for the privacy, confidentiality or security of data or information not generated by this office or transmitted from external sources into the system. The Office does not accept responsibility for loss, corruption, misdirection or delays in transmission of personal data through the system. Users are responsible for the integrity of all data and

Security Issues Creating a Site
Words: 4754 Length: 17 Document Type: Research Proposal

Even though there is always some form of a risk involved in the coding technique together with the deployment methods of a website, some technologies such as PHP and MySQL form some of the worst aggravators of online website security. The loopholes that exists in the use of these technologies results in some of the worst hack attacks and security breaches ever experienced in the field of web design. The

Sign Up for Unlimited Study Help

Our semester plans gives you unlimited, unrestricted access to our entire library of resources —writing tools, guides, example essays, tutorials, class notes, and more.

Get Started Now