Meta Group reports that it has seen a jump in the number of inquiries related to database security and compliance throughout 2004. It looks like most large organizations are confused over how to react to the tidal wave of regulation that has given them a sense of urgency to drop everything and tackle data privacy. But most are clueless about how to apply the appropriate security controls when faced with a myriad of databases containing sensitive customer data. Data privacy requirements are open to wide interpretation as to how personal data is handled, and meeting today's stringent requirements is unreasonable, says Meta: "No reasonable individual with knowledge of IT infrastructure and process would possibly hold an organization up to such a standard at this time, or even until the end of this decade." Instead, Meta recommends that governments cut organizations some slack and apply a "reasonable-person" test to check if they're at least moving toward achieving the spirit of many of these regulations. Below are Meta's "reasonable" steps you can take to address database security:
- Establish and document a set of security controls that address and mitigate specific identified risks.
- Consider the layers of security controls available.
- Encrypt the data within the database (this will become a reasonable step to take during the next three years).
- Use intrusion or user-behavior detection for more sensitive industries (e.g., financial services).
- Consider how data privacy regulations might impact what you may want to do with that customer data in the future.
Among the best ways to check whether your organization is doing everything that could reasonably be asked of it is to compare your efforts with those of peer enterprises and to leverage professional organizations and trade journals, says Meta. If you're already considering database encryption, a white paper from RSA Security can help you formulate a strategy.