Data security

Data security generally means that the object to be protected—in this case, research data—is adequately protected against risks related to confidentiality, integrity and availability. In some cases, attention should also be given to risks related to privacy issues and to non-repudiation.

Because data security and other forms of security, such as physical and personnel security, are closely inter-related, the various areas of security should be assessed from a holistic point of view.

Risks can involve incidents or damages that may be caused by an event, action or inaction. A risk can be seen as a negative impact multiplied by the probability of the event. During risk assessment the likelihood of a risk can be estimated based on previous experience. The impact of a risk depends very much on the nature of the object being protected. Although risks can be the result of intentional malicious action, they can also be caused by damages and errors, the latter of which are typical in data processing.

Attempted system intrusions are very common events, whereas the complete destruction of a data centre happens very seldom. If research data is easily regenerated, the impact of its destruction is insignificant.

Data confidentiality means that only authorised and entitled persons may access, modify or delete the data. If the data is public, there is no need to restrict read access. In other cases, the data should be classified according to the level of access. The Finnish Government uses a system of classification based on a special decree (VnA 682/2010). Outside the Government, data can be classified more freely, such as into the categories public, restricted, internal, confidential or secret. The owner of the data should decide on how the data is to be classified and who should be given the right to process it.

Data integrity means that data may only be altered by persons entitled to do so. Integrity also means that data is internally intact, i.e. it has not been, for example, corrupted by errors.

Data accessibility means that the data may be accessed and used by entitled persons, as agreed. Excessively strict access rights may lead to a situation where the data is not accessible.

In some cases, it is crucial that the data is indisputable. In these cases, it must be possible to show that the data is in its original form and has not been intentionally or accidentally altered.

The purpose of data security is to ensure privacy protection, so that no personal data will be processed or revealed without proper consent. The use of personal data is regulated by, among others, the Personal Data Act (523/1999). The goals of data security (confidentiality, integrity, accessibility) are ensured by protecting data from risks, using special security controls. These security controls may be, for example, technical controls, controls related to agreements and legal controls. However, in many cases, controls are costly to implement and can interfere with the accessibility of data. In addition, they do not necessarily eliminate risks entirely; they may only reduce the risks, bringing them to a more manageable level. It is not sensible or even possible to safeguard against all risks.

The table lists common risks associated with data management and the security controls for them.

Risk: Loss of data due to fault or error
Security control: Backup copying, version management

Risk: Confidential data leaked to the Internet
Security control: Access management, user rights, data encryption, non-disclosure agreements

Risk: Data corruption
Security control: Checksums, backup copying, version management, integrity checks

Risk: Data not available
Security control: Service level agreements, backup copies, reliable service providers

Risk: Researcher held liable for misuse of personal data
Security control: Agreements, access management, data encryption

Risk: Systems administrators abuse data
Security control: Agreements, data security certificates

Risk: System compromise or intrusion
Security control: Workstation, network and server encryption, strong passwords and other user identification controls

Risk: Malware
Security control: System protection, reliable systems

Risk: Spying
Security control: System protection, reliable systems

Risk: Legal liability for violation of agreements or laws
Security control: Ensuring compliance with agreements and legislation, liability insurance

Risk: Loss of data
Security control: Ensuring long-term preservation

Risk: Data not found
Security control: Use of metadata, reliable service providers

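The integrity paragraph above and the "Data corruption" row of the table both name checksums and integrity checks as the control. The following is an added example, not part of the original guide: it records a SHA-256 manifest for a small constructed dataset and later verifies it, reporting files that were silently modified, deleted or added. The function names (build_manifest, verify_manifest, demo) and the sample files are assumptions made for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large research datasets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Record a SHA-256 digest for every file under root, keyed by relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the files now on disk against a manifest taken earlier."""
    report: dict[str, list[str]] = {"ok": [], "modified": [], "missing": [], "new": []}
    current = build_manifest(root)
    for name, digest in manifest.items():
        if name not in current:
            report["missing"].append(name)
        elif current[name] != digest:
            report["modified"].append(name)
        else:
            report["ok"].append(name)
    # Files not covered by the manifest have no recorded integrity baseline at all
    report["new"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: three files, then one corrupted, one deleted, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "survey.csv").write_text("id,answer\n1,yes\n2,no\n")
        (root / "notes.txt").write_text("interview notes\n")
        (root / "codebook.txt").write_text("answer: yes/no\n")
        manifest = build_manifest(root)  # baseline taken when the data was known good
        (root / "survey.csv").write_text("id,answer\n1,yes\n2,NO\n")  # silent alteration
        (root / "notes.txt").unlink()                                  # accidental deletion
        (root / "extra.log").write_text("stray file\n")                # undocumented addition
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The manifest itself must be stored separately from the data (and ideally write-protected or signed), otherwise the same fault that corrupts the data can corrupt the baseline.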
When a research group or individual researcher is considering data protection, they should start off systematically and sensibly. Approaching security based on rumours seldom brings positive results; a reasonable handling of the fundamentals is often far more important.

Ensuring security should begin by identifying data security factors and security classification. Is the data public in nature or should its use be restricted? As a rule, any ability to alter data should require special permissions. Data that is altered anonymously is seldom reliable, at least in cases where there is no oversight of the alterations. Data integrity and availability requirements should also be considered.

Risks and security controls should be logged and thought should be given to how protective measures are implemented and by whom. In many cases, the best course of action is to outsource technical routines, whenever possible. This allows data owners to shift the risk away from themselves.
