Home > Government/Industries > Financial Services

Computerworld - Rising concerns about privacy mean that the security of sensitive information such as medical and financial data and information about children is coming under tighter scrutiny these days. And this is forcing IT managers to turn their attention to the richest repositories of such data: their data warehouses.

But for many businesses, just defining the roles and purposes of those staffers accessing such data can be daunting. Consider that a single hospital admittance could result in a patient's records being viewed by more than 150 people, both inside and outside the hospital, according to a study by Predictive Systems Inc., a New York-based technology consulting firm.

Fortunately, data warehouse software and the applications that serve such warehouses are relatively mature. Database software can define access down to the object level. And tools to automate user account management are particularly helpful in large user environments.

If Your Warehouse Is Outsourced Data Warehouse Defined Guarding the data warehouse gate Related links: Data Management Vendors Encryption Vendors Privacy Automation Vendors

The first step in data warehouse security is defining what data needs protecting, which can be more difficult than it sounds, according to IT managers.

Key Audit Questions What type of data is personal and sensitive in nature? Where is that data stored? Who's looking at the data? Which employees in which roles need to see sensitive data to do their jobs? Do access controls limit the viewing of sensitive information to only those people with a need to know in order to do their jobs? How is data protected from crackers?

"[Legislation] talks in general terms about what data needs protecting and provides little of what kind of data and what kind of protection that data needs," says Mike Hager, vice president of network security and disaster recovery at New York-based Oppenheimer Funds Inc., a wholly owned subsidiary of Massachusetts Mutual Insurance Corp. in Springfield, Mass.

The key to passing all forms of regulatory muster is defining "personally identifiable information" and then limiting access to that information to only those with a need to know.

For example, you don't want a statistician mining for demographics on sexually transmitted diseases to also have access to the names and addresses of individual patients with such diseases. Access rights to this type of data must be fine-grained enough that a statistician can only gather broader demographics like age, sex or region.

And that means defining user roles, says Hager. "The real key here is being able to define who has access to what. Without a role-based security model, there is no way of accomplishing this," he says.