Is any security policy relevant to business intelligence or data warehousing?

Q: I would appreciate it if you could kindly let me know if there is any security policy relevant to business intelligence or data warehousing.
A: Chuck Kelley's Answer: It will totally depend on your data. If your data requires a high amount of security (e.g., social security numbers, salary, etc.), then you will need a security policy that strictly enforces access. If your data is manufacturing and/or quality, then maybe the security policy can be full access. Is there any standard methodology for the use of ETL tools or does it depend on the tool itself? We are in the process of buying a tool.

Les Barbusinski's Answer: I'm unaware of any universal DW/BI security policy. Every company deals with its security issues in its own way. However, some security policy areas relevant to data warehouses and BI applications include the following:

  • Classification of Data. Provide standards for identifying information that is sensitive or confidential in nature, and describe how data at various levels of confidentiality must be stored and/or handled. This includes identifying the types of data that must be encrypted, when it must be encrypted (i.e., in flat files, RDBMS data, during transmission, etc.), and how it must be encrypted/decrypted (i.e., type of algorithm, procedures for handling public/private "keys", etc.). Customer and employee identity information, financial data, military information, regulatory compliance data, and/or intellectual property represent some of the information categories that require special security consideration.
  • Classification of Users. Provide standards for classifying users (often by role, function, or location), and delineate the kinds of information each role can view and/or manipulate.
  • User Authentication. Provide a standard for authenticating users to DW/BI application systems. This includes standards for the format and content of user IDs and passwords, rules for authentication (i.e., limits on time of day when logins are permitted, limits on the number of times an incorrect password can be entered, etc.), frequency of mandatory password changes, user lockout and reinstatement procedures, "guest" login protocols, etc.
  • Transaction Authorization. Provide a standard for how DW/BI applications must authorize individual transactions (e.g., generating a report, creating a new metric, exporting report data to Excel, viewing a specific "slice" of a cube, accessing a "Web service," downloading or uploading data from/to the DW, etc.).
  • Session Management. Provide a standard for how sessions in the EDW portal or BI application must be managed. This would include establishing session timeout parameters, standards for handling session "cookies," etc.
  • Data Storage. Provide a set of standards for how data in an EDW or BI application must be stored, backed up, and archived. This would include setting retention periods for various categories of data, limiting the type of storage that can be used for certain categories of data (e.g., prohibiting classified or confidential data from being stored on diskettes, flash-RAM sticks, laptop hard disks, etc.), setting minimal backup frequencies, limiting the types of data that can be stored outside the enterprise "firewall," etc.
  • Data Transmission. Provide standards for how DW/BI information can be transmitted. This includes specifying how files are to be transmitted from/to the EDW (e.g., Secure FTP, Secure MOM, SSL data imports/exports, etc.), specifying the circumstances under which data can be downloaded from internet FTP sites, etc.

Hope this helps.


Chuck Kelley is an internationally known expert in database and data warehousing technology. He has 30 years of experience in designing and implementing operational/production systems and data warehouses. Kelley has worked in some facet of the design and implementation phase of more than 50 data warehouses and data marts. He also teaches seminars, co-authored four books on data warehousing and has been published in many trade magazines on database technology, data warehousing and enterprise data strategies. He can be contacted at chuckkelley@usa.net.

Les Barbusinski is vice president of technology and co-founder of Digital Symmetry, LLC, a consulting firm that specializes in the design and development of data warehousing and business intelligence solutions. He has more than 20 years of experience in data warehouse and operational systems development and provides hands-on expertise in data warehouse design, development and project management. Les can be reached at dwexpert@dsym.com.
