The scope of data security includes defining data security policies and frameworks for both building and managing data assets within a company. The data security officer should enforce compliance with data security policies and frameworks within the company on an ongoing basis.
Security policies for enterprise data should be aligned with the overall IT security policies of the enterprise. The policies should be defined for each architectural component within the enterprise data architecture. The policies should be based on the various security-related compliance requirements, specifically those related to personally identifiable data, confidential data, private data, etc. The policies should highlight requirements related to authorization, masking, audits and reporting.
Security framework for building data assets
For building the various data assets, a data security framework for project-specific roles should be defined, and access definitions should be created for each activity based on the roles.
The access definitions should elaborate the type of access, the levels of access, the systems and data elements to which access needs to be provided, the duration for which the access should be provided, and the details of access for each build environment.
Security framework for managing data assets
For managing the enterprise data assets, a data security framework should be defined in line with the data governance framework. The framework should define various roles and privileges associated with ownership and stewardship of data.
The framework should also include various business user roles, and the principles for mapping the roles to the data elements, based on business requirements and security, confidentiality and privacy considerations.
The framework should specify the methods for performing data backups, data recovery, security audits, data masking and encryption, authorizations and usage reports.