Database Management: Law, Ethics and Security

Database Management: Law, Ethics and Security Law, Ethics, and Security Standards: Relevant legal and ethical standards need to be considered in the solution design and in future implementation. (SNHU.) A combination of issues have introduced strong ethical concerns in database design: increase in size of data, increased sophistication in mechanisms and convenience of access systems, increased invisibility (through absorption into the application and/or the user interface), increase in circulation and excessive, globalized sharing of information, increased interaction with other databases and applications, increased amounts of personal information, increased merchandising of information and poor or lacking security for database owners. (Goguen.) Additionally, the risks have been augmented by new technologies: open source database management systems; cloud computing and social software applications. With the combined three, the only defense against the unethical use of information is the ethical standards of the stakeholders themselves. (DeMers.) Ethics is a set of principles of right conduct or a theory or a system of moral values. In a civilized society, morality and ethics guide and precede the law. There are no legal laws to govern how individuals morally behave. Nevertheless, legal and ethical guides/rules must be applied to protect the information collected in databases. Limit access of data or prevent inappropriate access to all or part of a data set. Maximize the skills required in learning/using the existing system data. Implement total data transparency, i.e., include features that convey to the end user the feeling like he/she is the databases only user, or hide all the added complexities of distribution, making users assume that they are working with a single centralized system. Include the concept of voluntary informed consent. Address data protection issues and security concerns. Ensure that copyrights are protected. Observe copyright laws (avoid any usage of materials/information without prior and proper consent). When expanding globally, learn and observe applicable regional and/or international laws. Protect IP (Intellectual Property) and IPR (Intellectual Property Rights). Do not infringe upon the intellectual property or patents of others. Keep detailed records of everything (research materials, database rules, etc.) not only for future references but to protect against possible accusations/allegations of impropriety or misconduct). Legal Compliance: The best practices in design, data use, and storage to ensure legal compliance must be implemented. (SNHU.) Certain principles or practices address the increasing complexity of data usage, processing and storage at all levels and stages of a business as well as the associated consequences and effects. By adopting these principles, companies can help ensure that privacy and information security become an essential component of its technologies and business practices from the outset. Understand the business model and rules, specifically, how the enterprise will interact with its customers at every step of the way. Implement appropriate information security policies or build technical reinforcements as to how client information is maintained, stored, collected, used and shared. This will help identify and avert potential privacy issue concerns and risks. Protect cardholder data (including bank and credit card accounts, social security, etc.). Encrypt transmission of cardholder data (to safeguard the data in the event it falls into the wrong hands). Protect stakeholder information (including email addresses, telephone numbers to protect them against spamming, phishing and/or unwanted robocalling). Keep abreast of legal developments and regulations concerning privacy and information security. Seek legal advice as required. Keep data completely anonymous (within and outside the organization). Acquire the users consent before obtaining any personal and sensitive information. Ethical Practices: The best practices in design, data use, and storage can be implemented to ensure the ethical operation of the company. (SNHU.) Following and applying ethical and moral obligations will ensure the trust and confidence of users and customers. The protection of these stakeholders should be the primary concern of any business enterprise. Respect the privacy of users. Never share or pass on a customers personal information to any other person or party without first informing the customer and obtaining his/her consent. Reduce the efforts of repeated and unnecessary collection of data on the user. Be willing to provide customers access to any stored information that the system has on them. Allow users the right to have this information modified or deleted if inaccurate or illegally collected. Be prepared to inform customers the reasons that the enterprise is collecting, storing and using personal information. Ensure safe/secure storage and disposal of customer information. Be prepared to provide a customer with any request for the return, transfer, or destruction of the data. (Yeung.) Choose the appropriate and suitable database model for the company. Use the data appropriately (i.e., do not misuse or sell it for profit or otherwise). Immediately disclose security breaches to stakeholders, the local State Attorney General, Data Protection Supervisory Authority, and any other government agencies. Ensure stakeholders continued access to their information. Ensure data integrity to discourage against data tampering. Hire trustworthy, reliable and experienced staff. Perform background checks if necessary. Security Needs of Solution: In consideration of the type of organization selected, the data used, and consideration of legal and ethical standards, the security needs of your DBMS solution are required. (SNHU.) The group/department for which the enterprise data model was constructed relates to customer sales. Like most enterprises, the success of Vinces Vinyl relies upon customer satisfaction. Therefore, customer data must be protected and kept secure at all cost. Maintain, guard and protect the privacy of customers/users. Monitor and keep user data current (e.g., ensure that the credit cards on file have not expired). Keep data secure and confidential. Document data (explain how it was created or digitized, what it contains, including its structure and any data manipulations). This will ensure data preservation and continuation. Ensure adequate information security (e.g., personal data, financial data, customer purchases, transactions and references). Devote time and attention to security matters. Be aware of obvious vulnerabilities to the database management system. Fortify perimeter security and defenses such as firewalls and intrusion detection systems/intrusion prevention systems (IDS/IPS). Think primarily of security in every step of the way.ÂÂ   Perform regular and deep database vulnerability scans and assessments. Apply restrictions when granting users access to the database and review the access privileges periodically. Encrypt sensitive data. Be sure to manage the encryption/decryption keys, and change them regularly. Periodically monitor and audit user authentication. (AscentTech.com.) Database Security Plan: A comprehensive but high-level security management plan for the design that will align to organizational needs should be implemented. (SNHU.) In addition to the security required to safeguard the customers, Vinces Vinyl should establish certain security practices. This will not only guard against infringement of privacy issues but also against malicious attacks and security breaches such as identity theft. Such data must be protected from unauthorized access and malicious attacks (e.g., Trojan, virus, worms, malware, adware, spyware, DDoS). Of special concern is SQL injection, which does not infect the end users directly. Instead it infects a website, allowing the attacker to gain unauthorized access to the database and the ability to retrieve all the valuable information stored in the database. Only allow and accept the creation of strong usernames and passwords. When systems/applications come with built-in default usernames and passwords (which have been created for easy set up), the log-on information should be erased and replaced as soon as possible. Periodically review the database configuration and delete any unnecessary or unused components since certain database vulnerabilities exploit add-ons and extensions. Avoid creating complex systems. Simplify or only install components that are necessary. Keep the OS, browser(s), software, and hardware current. Apply the necessary updates and security patches. Apply secure coding practices. Frequently monitor and audit the database to determine vulnerabilities, monitor, and audit again. Use available, inexpensive tools to deploy monitoring and auditing automatically. Some tools include prevention capabilities. Protect not only the data but the servers on which they reside. Keep computers and devices physically inaccessible to unauthorized users. Apply strong passwords and usernames. Maintain strict business procedures, e.g., assign individuals specific roles that they should be accountable for (e.g., backing up data, generating reports, verifying data integrity). Implement proper authorization to allow individuals the ability to see only the data that they are authorized to access. Maintain a secure storage of sensitive data (e.g., use strong passwords, install firewalls, intrusion prevention and intrusion detection systems). Properly authenticate users (i.e., make sure that a person is who he/she claims to be and is not an impostor). Apply granular access control and determine how much data an authorized user should be allowed to see. Isolate portions of the database to prevent unlimited access. For example, while a user might be allowed access to his/her personal data, he/she must not be allowed to view/access other users data. Maintain regular backups or data movement onto disk, tape, or stored at third-party sites which are also secured and tracked. Encrypt backups to prevent unauthorized viewing or access. Keep the backups current to enable recovery should the need arise. Implement a documented disaster recovery plan to minimize time loss which could impact the business. Apply integrity constraints by maintaining valid and current information. Enforce encryption to incoming and outgoing data. Record and verify database log reports, histories, changes, etc. Keep everything well documented. Train the personnel and make sure that everyone understands and has a grasp of both desktop and cloud database security. Implement strict safety procedures for everyone to follow on a regular basis. References 28 Types of Computer Security Threats and Risks. (n.d.). Retrieved on March 16, 2017 from http://www.itscolumn.com/2012/03/28-types-of-computer-security-threats-and-risks/ Business Rules: Informal Predicates. (n.d.). Retrieved on March 3, 2017 from http://www.databasedesign-resource.com/business-rules.html Conger, S. (2014). Hands-On Database, 2nd Edition. [MBS Direct]. Retrieved from https://mbsdirect.vitalsource.com/#/books/9780133927078/ Compliance by Design. (n.d.). Retrieved on March 16, 2017 from https://www.itlawgroup.com/resources/articles/76-compliance-by-design Database Study Guide. (n.d.). Retrieved on March 16, 2017 from https://ethics.csc.ncsu.edu/privacy/database/study.php Data Security Challenges. (n.d.). Retrieved on March 16, 2017 from https://docs.oracle.com/cd/B10501_01/network.920/a96582/overview.htm De Mers, B.A. (November 20, 2014). On Ethical Issues Surrounding the Planning and Designing of Databases. Retrieved on March 16, 2017 from https://www.linkedin.com/pulse/20141120200923-338627392-on-ethical-issues-surrounding-the-planning-and-designing-of-databases Enterprise Data Model. (October 28, 2009). Retrieved on March 3, 2017 from http://www.learn.geekinterview.com/it/data-modeling/enterprise-data-model.html Enterprise Data Model. (n.d.). Retrieved on March 3, 2017 from https://www.techopedia.com/definition/30596/enterprise-data-model Goguen, J.A. (December 6, 1999). The Ethics of Databases. Retrieved on March 16, 2017 from https://cseweb.ucsd.edu/~goguen/papers/4s/4s.html#B-S98 Hernandez, M. J. (2013). Database Design for Mere Mortals: A Hands-On Guide to Relational Database Design, 3rd Edition. [MBS Direct]. Retrieved from https://mbsdirect.vitalsource.com/#/books/9780133122275/SNHU (2016). Modeling Business Rules. (n.d.). Retrieved on March 3, 2017 from http://www.sparxsystems.com/enterprise_architect_user_guide/10/domain_based_models/modeling_business_rules.html IT 650 Milestone Four Rubric.ÂÂ   (n.d.). Retrieved on January 20, 2017 from https://bb.snhu.edu/bbcswebdav/pid-14554096-dt-content-rid-41947794_1/courses/IT-650-17TW3-MASTER/IT-650%20Student%20Documents/IT%20650%20Milestone%20Four%20Rubric.pdf Kandle, N. (July 1, 2005). The Enterprise Data Model. Retrieved on March 3, 2017 from http://tdan.com/the-enterprise-data-model/5205 Regulatory Compliance and Database Management. (March 2006). Retrieved on March 16, 2017 from http://www.sandhillconsultants.com/whitepapers/regulatory_compliance_and_database_management_whitepaper.pdf What Are Business Rules? (n.d.). Retrieved on March 3, 2017 from http://etutorials.org/SQL/Database+design+for+mere+mortals/Part+II+The+Design+Process/Chapter+11.+Business+Rules/What+Are+Business+Rules/ Yeung, C. (September 5, 2012). What privacy issues are involved in building a marketing database? Retrieved on March 16, 2017 from http://www.startupsmart.com.au/mentor/what-privacy-issues-are-involved-in-building-a-marketing-database/