Database Security Plan and Requirements Definition for Research Paper

Download this Research Paper in word format (.doc)

Note: Sample below may appear distorted but all corresponding word document files contain proper formatting

Excerpt from Research Paper:

Database Security Plan and Requirements Definition for a University Department

The database security plan and requirements definition were developed. The plan included, at the outset, the inclusion of major stakeholder at the University and described their roles in initiating, implementing, and maintaining the plan. Individuals responsible for daily and other periodic tasks were developed. A major consideration in planning the security was the policy that governs granting of access. The need-to-know, combined with the users' roles provided the guiding principles. Physical security, backing up of data and the periodic exercise of restoring data were not overlooked in the plan. Plans were set in place to ensure that attention was paid to the dynamic nature of the document since the security environment must continually change in order to discourage system attackers and to keep pace with the rapidly changing technology.

The Business Environment

We are an entrepreneurial business department in the faculty of engineering of a large accredited university. The entrepreneurial nature of this department derives from the newly established Internet-based Master's degree program that we were granted permission to launch. The staffing for this program includes four 'program directors', one 'assistant director', four 'full-time professors', one 'full time database administrator', one 'administrative assistant', and 'one clerical assistant' who handles admissions to the program. In addition, part-time instructors, part-time teaching assistants, part-time assistant data-base administrators are employed on a term-by term basis as the student-load dictates. Students must access printed and audio data, prepared by the instructors via the Internet and the specific website designed to accommodate their courses.


The objectives of this security plan are (1) to conform as much as possible to the sound recommendations by Marlene Theriault and William Heney (1998) in their description of the development of an Oracle Database security plan, in Chapter seven, (2) to provide confidentiality, integrity and accessibility for the students' data in the database, for the instructors' lecture and examination documents also. The definitions of these terms are as outlined as follows (Ferrari, 2010)

Data secrecy or confidentiality prevents improper or unauthorized 'read' operations on the managed data. When data are related to personal information, the term privacy is used. However, it is important to note that protecting privacy requires some additional countermeasures with respect to those employed to ensure data confidentiality. Data integrity signifies protecting data from unauthorized or improper modifications or deletions.

Data availability signifies prevention and recovery from hardware and software errors due to malicious data can make the data or some of their portions unavailable to unauthorized users. These causes will be eliminated.

Network and Systems

The systems in use in the department are as follows:

1. Desktop computers and laptop computers are available for all professors and administrative staff.

2. Printers available for personal use by all staff in their individual offices.

3. A printer-fax combination for general use

4. A server, type Microsoft Windows linked by Ethernet cables

5. Database, Oracle 11g Enterprise Edition.

Part 1

1. The database security management will be the responsibility of a team led by the database administrator. Other members of the team include the program director, a senior database administrator form the Information Systems Department of the university, one instructor, and me as the chief security officer. The team approach in developing the security plan is recommended by Bond, Yeung-Kuen, Wong Chan (2007).

The team will meet weekly to discuss how to improve the security plan and to assess risk levels. The team will review the plan quarterly and make revisions as necessary in the light of new technology and changes in any regulations at the university or government level. The database security management will be the responsibility of the database administrator.

2. When a security breach is discovered, the administrator will make all attempts to trace the source of the breach using the 'Database Auditing and Intrusion Detection System'. The breach should be reported to the head of the Information Systems Department of the University. If individuals internal to the University are the cause of the breach, then a review of the Circumstance will be made and appropriate reprimands, or more severe punishment will be dealt according to the findings (Bond, Yeung-Kuen, Wong Chan, 2007).

3. The database administrator will be responsible for daily administration of the security policies, including the creation of access according to principle of "need-to-know" or sometimes referred as Separation of Duty. The separation of duty as a requirement such that "each set of user be assigned a specific set of responsibilities and only be permitted to execute transactions required to fulfil those responsibilities" (Haigh, 1987, p.30).

The database administrator will also be responsible for administering and managing the World Wide Web.

Part 2 Architecture and Operating System

Client servers, web servers and application servers will be used in this operation. Security plug-ins will be installed on the servers. Server-side authentication security plug-ins and client-side authentication plug-in will be used. The plug-ins perform authentication on the database server when a user requests to be connected to a database. Authentication determines if the credentials of ID and password are authorized to enter the database. The use of plug-ins provides flexibility and customizability that are usually not available on the standard facility of the operating system (Bustamante, 2008).

Since data will be transmitted to students and by students over the World Wide Web the integrity and security of the data will be maintained by the use of encryption by Oracle Web Service Manager (Bustamante, 2008).

The database in this operation is classified into two categories based on the sensitivity of the data. One category includes critical data relating to students' personal information will be encrypted. The sensitive data that will be encrypted are:

Names, credit card numbers, date of birth, social security numbers, and actions taken on personnel.

Another less critical classification relates to other data such as instructional material but these need not be encrypted. These data will be protected by access controls (Haigh, 1987).

Part 3 User Accounts and Password Administration

The database administrator will be responsible for creating all user accounts including access to accounts on the Web servers by students for their specific courses. These types of access are time sensitive and so they will expire at the end of each school term. At the beginning of each term, the student list will be reviewed by the admissions clerks and the program director to determine which students are eligible to access the Internet classroom. This list is passed to the database administrator who creates the user accounts.

ID and password structures are standardized. The ID will consist of the students' first name initial and last name up to a total of eight letters. Numbers will be used to differentiate when two IDs are identical. Accounts for the instructors and clerical staff will be created by the database administrator. Passwords will be eight digits consisting of alphabet and numbers. Account for the database administrator will be created by the senior database administrator in the University's Information Systems department. These passwords are constructed by Information Systems department for the database administrator, are constructed using a different format from those used in our local department (Ferrari, 2010)

Profile is a set of characteristic that define the user. The current job title of the user must also form part of the characteristics of the user. Consequently those characteristics will also define the role that the user currently plays. It is the role that ultimately determines whether a user has access to certain sensitive sections of the database. As Ting explains (1987, 190), "The proposed user-role-based security model is intended to enhance the overall database security. The model assumes that the user identification and authentication have already been appropriately handled. The criteria for assignment of a profile to an account is based on the answer to the question, "Does the person occupying this role at this time need to know this information contained in this file?"

Part 4 Roles and Privileges

The security model will be a role-based security model. This is a model that will be applicable to this system since there is a web access component to this operation. According to Bustamante, "Role-based security is built on the premise that users are authenticated, which is the process of identifying the user. Once identified, the user can be authorized or, assigned roles and permissions" (Bustamante, 2008, p21).

Bustamate also notes that this model is suited for Web-based applications. In my system under consideration, there is a heavy Web-based application where instructors post notes on the Web to be accessed by students during a specific term.

Object privileges should be granted by the database administrator in consultation with the data security planning team members only after due diligence has been exercised. The object privileges include, 'SELECT, and INSERT, UPDATE, DELETE, and ALL PRIVILEGES'

Part 5 Data Security Operations

When failure occurs it is important that logs are available to provide recovery of the system. Complete logs must be available as the default. There should also be configured…[continue]

Cite This Research Paper:

"Database Security Plan And Requirements Definition For" (2012, February 06) Retrieved December 3, 2016, from

"Database Security Plan And Requirements Definition For" 06 February 2012. Web.3 December. 2016. <>

"Database Security Plan And Requirements Definition For", 06 February 2012, Accessed.3 December. 2016,

Other Documents Pertaining To This Topic

  • Database Security

    Database Security The focus of this study is that of database security. Databases and database technology are such that play critical roles in the use of computers whether it be in business, electronic commerce, engineering, medicine, genetics, law, education or other such entities requiring the use of computer technology. A database is quite simply a collection of data that is related such as a database containing customer information, supplier information, employee

  • Security Agip Kazakhstan North

    They need to know what their responsibilities are not only as individuals but also as team members and corporate employees. David cites an excerpt from a corporate security document that illustrates his point: "A security policy serves many functions. It is a central document that describes in detail acceptable network activity and penalties for misuse. A security policy also provides a forum for identifying and clarifying security goals and

  • Database Administration Today in Evaluating

    Design criteria exist at the levels of the technical, system integration aspects of the database to other systems through XML. This integration is critically important to ensure that the applications created can be effectively used over time and not have any scalability issues. There is also the need for designing the databases at the presentation layer to provide for scalability and flexibility of being able to create applications relatively quickly

  • Security Self Assessment Coyote Systems Security

    The management control area of authorize processing including certification and accreditation has been defined within Coyote Systems through the use of roles-based logins and access privileges and the use of certification of role-based access to ensure security. The company has found that through the use of role-based security authentication and the defining of rights by role, the certification and accreditation audits are far more efficient in being completed, and provide

  • Security Management Defining an Effective

    The reality is however that legacy systems pose the greatest potential risk to any enterprise, as these platforms are anachronistic in terms of security support, lack many common safeguards, and don't have the necessary Application Programmer Interfaces (APIs) to scale globally as a secured platform (Gupta, Roth, 2007). Legacy systems were designed in an era where single authentication for an entire enterprise system was sufficient enough, and the concept

  • Security Issues of Online Communities

    This researcher rejects the existence of online communities because computer mediated group discussions cannot possibly meet this definition. Weinreich's view is that anyone with even a basic knowledge of sociology understands that information exchange in no way constitutes a community. For a cyber-place with an associated computer mediated group to be labeled as a virtual settlement it is necessary for it to meet a minimum set of conditions. These are:

  • ERP and Information Security

    ERP and Information Security Introduction to ERP Even though the plans of information security include the prevention of outsiders to gain access of internal network still the risk from the outsiders still exists. The outsiders can also represent themselves as authorized users in order to cause damage to the transactions of the business systems. Therefore, strict prevention measures should be taken to avoid such situations. The threats of both the hackers have been

Read Full Research Paper
Copyright 2016 . All Rights Reserved