Greetings, loyal readers—and first-time blog visitors, too! This is our once-monthly blog column covering the key aspects of protecting your company and its data from the bad cyber actors out there (and by bad cyber actors, I mean hackers and other cybercriminals, not a digital copy of Tommy Wiseau’s The Room).
This time around, we’re going to talk about data governance, and what it means to truly manage your data and the people who interact with it.
What is data governance?
When we talk about data governance, we’re diving into a subset of data management, which itself is a broader topic that covers not only digital data but also paper files, presentations, even open discussions, which can be subject to certain requirements. It’s beyond the scope of this one article to cover that fully, so we’re going to stick to “data” in the usual sense: the 1s and 0s moved from computer to computer that hackers, phishers, and malware makers are keen on accessing.
Data governance is, in a nutshell, about managing the usability, availability, and security of this data. When we say data governance is in place, we mean that policies have been created and standards are adhered to in an organization or department, and that adequate technologies are in place to enforce both.
Policies are simply statements put together by senior management laying out expectations. They say: you have to do this, you can’t do that. “No shirt, no shoes, no service” is a policy we’ve all seen on restaurant doors, and though I imagine shirts and shoes are required in most IT departments, the data policies probably look a little different.
Policies on data governance often specify things like the need for encryption around certain pieces of data, impact assessments, and how often that policy would be reviewed and refreshed to account for changing digital environments and technological changes.
The next step in data governance, once we have policies laid out, is standards. These specify how things should be achieved in order to adhere to the policies. If encryption is required, what standard of encryption will be deemed acceptable?
This is also where data handling expectations are spelled out, covering both how data is digitally processed and how it is physically handled. Digitally speaking, standards are concerned with how data is captured, encrypted (e.g., make sure you’re using AES-256 if working with the U.S. government), and accessed or shared.
But data, or access to it, has ramifications in the physical space as well. If you write down a company credit card number on a piece of paper, what is the expectation for how you destroy it? Are you even able to write it down in the first place? Standards might also require approval from certain persons to print out specific data, and even then it might be a requirement to only move it in a certain way, like through an encrypted device.
Each data element also carries a classification: public, confidential (for employees only), or protected (for very specific people only). The classification a data element has determines which standards it needs to adhere to.
Similarly, data users can be classified as owners, stewards, or custodians. Data owners are self-explanatory; stewards are the people on the business side who manage who should have access to which data; custodians are the people who actually process the data. Just as data classification affects access, so does user classification: most of the time, custodians don’t need access to data they don’t process, and stewards may need access to certain levels of data in general, but not at a granular level, since they aren’t digging into it themselves.
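As an added illustration (not code from the original column), here is how the two classifications above can be combined into one deny-by-default access check: the classification gate decides who is eligible at all, and the role gate decides how an eligible user may interact. The dataset, grant and ownership fields are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """The three data classifications named in the column."""
    PUBLIC = 0        # anyone
    CONFIDENTIAL = 1  # employees only
    PROTECTED = 2     # very specific, explicitly named people only


@dataclass(frozen=True)
class DataElement:
    name: str
    classification: Classification
    dataset: str  # assumed: the business dataset the element belongs to


@dataclass
class User:
    name: str
    role: str                   # "owner", "steward" or "custodian"
    is_employee: bool = True
    processes: set = field(default_factory=set)         # datasets a custodian handles
    owns: set = field(default_factory=set)              # datasets an owner is accountable for
    protected_grants: set = field(default_factory=set)  # element names explicitly granted


def can_access(user: User, element: DataElement, granular: bool = True) -> bool:
    """Deny by default; 'granular' means record-level rather than summary access."""
    # Classification gate: who is eligible at all.
    if element.classification == Classification.PUBLIC:
        return True
    if not user.is_employee:
        return False  # confidential and protected data never leave the workforce
    if element.classification == Classification.PROTECTED:
        named = element.name in user.protected_grants or element.dataset in user.owns
        if not named:
            return False
    # Role gate: how an eligible user may interact with the data.
    if user.role == "owner":
        return element.dataset in user.owns
    if user.role == "steward":
        return not granular  # general visibility, not individual records
    if user.role == "custodian":
        return element.dataset in user.processes  # only what they actually process
    return False
```

Every branch that is not an explicit allow falls through to a denial, so adding a new role or classification without updating the check fails closed rather than open.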
Process and technology
Now that there are policies laid out, standards to adhere to, and classifications that put people and data under categories that they should be in, what are the processes for handling the data?
This is an incredibly complex and detailed question to answer, and the truth is it will look different for each organization. For one thing, a company’s appetite for risk, or aversion to it, will impact everything from the policies written down to the technology put in place. Things like backup layers and immutability will need to align with the standards above them. What’s backed up might be locked against changes until certain requirements are met, to protect against ransomware attacks, but some policies won’t require that, so there’s no need to build in such immutability.
Data flow diagrams are very helpful for tracking where data starts, where it can go, and identifying all the places where it could be compromised. Those are the places where technological safeguards need to go.
Pulling it all together
To recap, there are three layers to data governance: policies, standards, and technology (or procedures), and each one informs the next in that order. A simple example would be a company starting to do business in Europe and looking to make sure it has the proper data governance in place. The policy will read, in part: “We will comply with General Data Protection Regulation (GDPR) requirements.” The standards outlined by GDPR will spell out the behavior the company needs to adopt in order to meet those requirements, for example utilizing a firewall at certain key points. And finally, the company will seek out the technology needed to get the firewall up and running effectively.
What are the first steps for companies looking to get data governance procedures in place? First, do a privacy assessment based on your mission and risk appetite. Then identify the requirements and draft policy documentation on managing data. The standards those policies require will lead to the design and implementation of the technologies needed to comply with the policy. And, of course, make sure to have the right people in place along every step of the way.
Not everyone has a full team they can rely on to build policies and standards and implement the needed technology. Small companies still need to keep their data governance practices up to snuff, though, so it’s best to reach out to security experts like those at Mission Cyber Group to get started on putting the right pieces in place for your data management processes. You can always drop David a line at [email protected], too.