The Path to Healthy Data Governance through Data Security




The appropriate handling of an organization’s data depends critically on a number of factors, including data quality, which I covered in one of my earlier posts this year. Another important aspect of data governance is managing data from a security perspective. Now more than ever, securing information is crucial for any organization. This article provides insight into, and outlines the steps toward, what I’d like to refer to as “information security governance.”

Information Security and Privacy
According to a 2008 paper from the National Association of State Chief Information Officers (NASCIO), data governance is:

the operating discipline for managing data and information as a key enterprise asset.

This means that information as a key asset for an organization has to be treated with the necessary care to keep it safe and secure. But what does information security actually mean?

The importance of taking the necessary measures to keep data and information safe and private is obvious to most people. What isn’t obvious is how to achieve this, because information security requires a conscientious and committed initiative. Let’s take a look at some of the factors involved in achieving information security.

What Is Data/Information Security?
According to the U.S. National Information Systems Security Glossary, information security refers to:

the protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.

So then, I see the following four elements as essential to an information security perspective:

  • Availability. Ensuring the right data is available to the right people.
  • Confidentiality. Keeping data secure from undesired internal and external exposure.
  • Integrity. Maintaining the accuracy and validity of data at all times.
  • Security. Ensuring data is safe from internal and external threats.

Striking the right balance between availability and confidentiality is important. An organization needs to keep information safe from undesired exposure, but at the same time, ensure that information is available to the right user.

Why Is Data Security Important?
Data is a valuable asset to an organization—for both corporate and individual purposes. Having the proper methods in place to keep information secure at all times can have a huge impact on the organization’s well-being. This is particularly relevant when dealing with personally identifiable information (PII) as well as sensitive corporate data.

From a corporate perspective, there are three main drivers for ensuring data security becomes a core component of any data governance initiative:

Organizations can reap numerous benefits from having an information security governance initiative in place:

  • Effective and auditable compliance with applicable data security regulations.
  • Effective data security risk assessment, and effective response to and resolution of data security issues.
  • Proper accountability for all data security–related activities.
  • Reduced operational costs, achieved by mitigating data security risks, reducing the number of actual issues to be resolved (unauthorized access, undesired data leaks), and ensuring smooth operations, thus decreasing the number of privacy and data security violations.

This in turn will enhance internal and external users’ confidence in the organization’s secure handling of data.

Of course, implementing an information security governance initiative as part of a larger data governance program will bring organizations many more drivers and benefits, such as fewer disruptions to their operations due to security issues.

The Challenges of Having an Inadequate Data Security Approach
On the other hand, not having a data security governance initiative in place, or operating with an inadequate one, can lead to the following major disadvantages:

  • Data vulnerability to internal and external threats, both malicious and nonmalicious.
  • Increased likelihood of data leaks due to weak data protection policies.
  • Conflicts between access rights and data security measures and policies.
  • Inability to perform accurate data security risk management.

Data Security Risks and Issues
Now, from a risk management perspective, I think that within any information security governance initiative two things must be distinguished: the risks and the issues associated with the security and privacy of data.

  • Data security risks. These are potential actions or events that can lead to the loss, violation, misuse, or unauthorized disclosure of sensitive data. If not addressed, a risk can become an issue.
  • Data security issues. These are actions or events that actually lead to the loss, violation, misuse, or unauthorized exposure of sensitive information.

So as part of a global data governance initiative, an information security governance program has much to do with ensuring that risks associated with data security are addressed before they can escalate to major information security issues—and compromise organizational health.

An Approach for a Healthier Information Security Governance
To mitigate risks and avoid the attendant issues, or at least minimize their effects, a supporting framework consisting of these six common elements is required:

  • A data security organizational structure
  • A data security organizational strategy
  • Policies that define each aspect of regulation, control, and strategy
  • Security standards derived from those policies and used for compliance
  • A data security risk assessment model
  • The necessary process(es) to ensure the proper execution, control, and monitoring of all elements (policies, standards, risks, and issues)

Putting these elements in place will lead you down the path toward achieving a healthy data security governance initiative.

We all know that more often than not, there is more than one way to solve a problem. The same holds true for the issues an information security governance initiative must address. Whether we are talking about COBIT (a framework for IT governance and control) or FISMA (the Federal Information Security Management Act of 2002), and regardless of the approach to issue resolution, there are some core points to consider when starting this type of initiative:

  • Data is a business driver.
  • Data is a dynamic—not static—element of your organization as it moves in, out, and across your company.
  • Data can have various forms—structured, unstructured, or semistructured.
  • Data can be seen from both technical and business perspectives.
  • Data can be seen from a user-centric perspective—to promote awareness of data security across your organization.

Now let’s look at some guidelines you should consider when launching an information security governance program and a general plan to follow from an information security perspective:

  • Identify and define.
    • Identify. The first step in this process involves scoping the initiative in order to focus on the most relevant and critical issues to be solved; otherwise you risk not delivering effective results. The identification process can help you define the potential use case (i.e., the initial objective) and the initial scope of your strategy. You need to ask yourself some questions: What are the most relevant risks or critical issues regarding your information security? If you already have an ongoing data governance program, do you need to modify it to meet this new requirement? Divide the issues according to your priorities and then work to conquer them.
    • Define. Once you have identified your use case, you should define the scope, goal(s), and key stakeholders, as well as their roles and responsibilities. Carry out an initial evaluation to establish your organization’s current information security status. Identify (discover) and define your sensitive data and where it is located. Once you have gathered all the facts, develop your solution plan or framework. To this end, you need to define a risk assessment strategy and a new information security infrastructure.

  • Develop and deploy.
    • Develop. The next step is to develop information security policies based on your requirements, as well as a collaboration and information strategy for the stakeholders and users. Furthermore, you need to establish a communication strategy to promote awareness of information security throughout the organization. And finally, you need to define meaningful metrics to measure the results. As this is an ongoing and continuously evolving process, you have the opportunity to see what works and discover areas for improvement.
    • Deploy. Set up your new information security infrastructure. To achieve this, you need to put your policies to work, deploy the necessary processes to implement them, deploy your monitoring tools (metrics, key performance indicators [KPIs], etc.), and educate users on the new policies and regulations.

  • Monitor and maintain.
    • Monitor. Once your information security infrastructure is in place, perform routine monitoring of the process and make the necessary modifications and adjustments based on the results.
    • Maintain. Finally, conduct periodic internal and external audits, as well as frequent risk assessments after each modification.

What Should You Expect from an Information Security Governance Program?
Below are some general advantages associated with launching a successful information security governance initiative:

  • A reliable data risk assessment model—reducing the number and severity of information security issues
  • A reliable and agile model for attending to and resolving any issues that arise
  • Increased transparency and awareness of all information security elements (policies, standards, and service levels)
  • Enhanced compliance with regulations—making for easier audits
  • Improved capabilities for monitoring results and improvements

Information Security Self-assessment
Finally, please take a minute to complete the following self-assessment exercise regarding your organization’s information security infrastructure (check off the box that applies). You may discover you already have a fair number of elements in place to proceed with your information security governance initiative. Elements that your organization does not fully support, or only somewhat supports, require attention to address issues and remove obstacles—so that you have all the necessary elements in place to successfully launch your information security governance initiative.

Information Security and Risk Management
Define your organization’s level of support for each of the following:

  1. A comprehensive data security framework for managing data access and sharing restrictions (password management, role and user access configuration, user profiles, etc.).
    • Fully Support
    • Somewhat Support
    • Do Not Support

  2. A risk assessment model that includes evaluation of risks and vulnerabilities related to both intentional misuse of data by malicious individuals and inadvertent disclosure by authorized users.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  3. A well-developed plan to mitigate the risks associated with intentional and inadvertent information breaches.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  4. Regular monitoring or auditing of information security compliance with standards, policies, and regulations.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  5. Established policies and procedures to ensure the continuity of data services in the event of an information breach, loss, or other disaster (including a disaster recovery plan).
    • Fully Support
    • Somewhat Support
    • Do Not Support

  6. Established policies to guide decisions about information exchanges and reporting, including data sharing with external parties (organizations, government) and/or customers.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  7. Established procedures for sharing data that ensure PII remains confidential and protected against undesired disclosure.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  8. Procedures (such as cell and text suppression) to ensure no PII is publicly disclosed within public reports.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  9. All data use within reporting practices remains in compliance with applicable local, regional, federal, and/or international privacy laws and regulations.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  10. Stakeholders and users are regularly informed about their rights under applicable federal and state laws governing data privacy.
    • Fully Support
    • Somewhat Support
    • Do Not Support


Information Access and Privacy
Define your organization’s level of support for each of the following:

  1. Established policies and procedures to restrict and monitor staff data access, limiting what types of data can be accessed by whom, with different levels of access based on roles and groups.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  2. Established internal controls to manage data access. These may include confidentiality agreements, education and training, security screenings, and auditing for all staff, including users with privileged access to PII.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  3. Established policies and procedures to restrict and monitor the data access of authorized users, ensuring that access is consistent with the conditions outlined in the information governance plan or information security program.
    • Fully Support
    • Somewhat Support
    • Do Not Support

  4. Policies and procedures to ensure that all non-production environments (such as testing and quality control) use masked data, so that no unwanted disclosure of PII occurs during testing and quality assurance procedures.
    • Fully Support
    • Somewhat Support
    • Do Not Support