[BreachExchange] Why data governance should be corporate policy

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 26 19:00:06 EDT 2018


https://www.csoonline.com/article/3269333/data-management/why-data-governance-should-be-corporate-policy.html

Over the last eighteen months, we have been inundated by reports of
businesses that have suffered devastating data breaches. A majority of
these incidents involved customer data that had been entrusted to them. The
incidents affected the organizations in many ways, from executive
leadership stepping down to impending class-action lawsuits and decreased
revenue from the loss of customer trust.

It’s this picture of dismal customer privacy and the business world’s lack
of security controls for this data that leads me to recall a question I
have heard many of my peers ask after hearing about the latest breach: Why
didn’t they have a data governance program?

Data governance is a methodical process an organization implements to
manage its data and ensure it meets specific standards and business rules
before that data enters a data management system. Data governance
encompasses people, processes, and technology, connected together as an
essential program for many industries, especially those that must meet
regulatory compliance requirements, such as finance, healthcare, and
insurance. For companies in these industries to achieve compliance, they
must demonstrate that they have formal data management processes in place
(built from the components above) to govern their data throughout its
lifecycle.

Implementing data governance from a process perspective involves four
steps: data stewardship, data classification, data quality, and data
management. These steps define the data types a company owns; which data
is considered critical to operations; how that data should be audited; and
whether, and how, the data should be monitored, stored, moved, changed,
accessed, and secured. It's important to recognize that data governance is
an ongoing process that needs to be aligned with business operations and
evolve with the organization as it matures.

Here are the four main components of a successful data governance program:

1. Data stewardship

The process of identifying and assigning roles and responsibilities. This
step is where the business needs to identify who is creating its data, who
has overall responsibility for the data, who uses the data, who routes it,
and who oversees its use. The titles you typically see assigned under this
process are Data User, Data Owner, and Data Administrator.

2. Data classification

This step is one of the most important for the organization. During data
classification, the business looks at all of the data types it has
identified and categorizes them into groups. These groups carry labels such
as "Public," "Restricted," or "Confidential." Each label should come with a
description of the types of data that fall into that category and the
security processes that must be followed to manage and protect that
specific data type. I have seen data matrices used as an aid to train
employees on how they should protect the company's information. During
this step, I recommend including stakeholders from the various business
units of the company because their insight will be needed.

3. Data quality

The next process of an enterprise data governance program involves the
employees who use company data for specific operations. Data quality is
the process of measuring the reliability of current datasets to provide
information that can be used to make organizational decisions. If users
input inaccurate data into business intelligence software, the resultant
datasets used for strategic planning will be skewed. As you can imagine,
not getting this process right can significantly impact an organization's
ability to conduct business. Data quality is the one component of the data
governance program that must be fully mapped, managed, and audited to
verify that the resultant datasets are clean and accurate.

4. Data management

The final process, where all the organization's data governance efforts
come together. Here the company actively manages its data governance
efforts, creating the architectures and business processes required to
properly maintain the organization's data through its full lifecycle, from
inception to retirement. During data management, organizations will have
data owners as members of long-term projects for the implementation of data
portals or cloud technologies. This process makes business data usable in
multiple formats and available to teams no matter their location. It is in
this process that workflows for data access are mapped, implemented, and
audited in order to verify that data is protected with the right level of
security.

In previous articles, I discussed how data privacy should be a strategic
initiative for businesses. I stated that companies should train their
employees and make sure they understand that data privacy is an "every
employee" initiative. For firms to do this efficiently and continuously,
they need to enforce data governance processes. Data is like water: water
is a fundamental resource for life, and data is an essential resource for
the business. Data governance ensures this resource is protected and
managed correctly, enabling us to meet our customers' expectations.