The data that many organizations hold within the confines of their information technology systems is their most valuable asset. This holds especially true for financial services, banks, and insurance verticals. So far, this chapter has focused on the value of metadata repositories within the enterprise. To build upon this concept, we now focus on the data security architecture that should, ideally, extend the information contained within the repository. Many large enterprises have groups of employees who are responsible for IT security. Some have even gone as far as creating a chief security officer position. Even with a large staff, organizations still experience breaches and lack any resources that allow them to quickly identify the impact of any attack. The existence of a metadata repository will also allow security personnel to identify and classify threats related to the following:
Information theft can have a drastic impact on an enterprise through violation of privacy and security regulations, litigation, and, mostly, damage to an organization's brand. Information theft at a minimum results in information being copied. In the wake of September 11, it is clear that this breach could also have an effect on national security. In many situations, it may also result in the destruction of data used to make critical decisions. This will result in a loss of productivity, as this information will need to be reproduced.

Malicious modification of data can sometimes be even more detrimental than either the theft or the destruction of information, since it could result in less-than-optimal decisions based on erroneous data. Unauthorized modification, especially if undetected, can compromise projects that depend on the integrity of information. Many organizations may expose this data to external systems or present this information on publicly viewable Web sites. Imagine if Canaxia's Web site were changed so that all its cars' names were altered to those of competitors' cars or if recall information were changed about defective tires on its sport utility vehicles. This threat category can also include nonmalicious, well-intentioned changes in data that can have the same effect. Nevertheless, the insecure actions of even trusted employees can compromise the security and integrity of valuable corporate information.

The metadata repository should also classify the various functional environments and create security policies to prevent unauthorized access to information. This information can then be used as a specification for upstream systems that leverage this data and can provide valuable input into an organization's compliance process. Canaxia has established data security policies and classified all data into five categories, as listed in Table 11-3.