In today’s big data world, where approximately 2.5 quintillion bytes of data are created each day, it’s no wonder that companies are challenged by data governance. We think of data governance as how a company manages specific aspects of data such as availability, usability, integrity, and security. Data security governance oversees security through defined data protection and privacy policies.
Done well, data security governance can produce a framework that makes it easier for an organization to centralize and standardize their approach to enabling security across the data governance program. A mature data security governance program will not only outline the minimum requirements of the organization’s security program, such as compliance requirements, but also help a company better understand the data it needs to protect.
Security teams can leverage metadata—or data that describes data—to better understand the information and enable an organization to perform analysis to support decision making. Metadata exists as data in the context of who, what, when, where, why, and how. This information helps security teams identify the content of the larger data, including what it might mean, where companies should store it, how they can use it, and, if applicable, how to protect the data according to the data security governance programs policies and procedures. It's important to remember that companies need to protect metadata as well; information describing sensitive data sets could itself be sensitive, or inadvertently provide insight into gaining unauthorized access to sensitive data.
A successful data security governance program begins with a foundational framework that takes into consideration, people, processes, and technologies. It should encourage communication and foster a security-aware, data-centric culture, enabling the business to use information properly to better achieve business objectives. The NIST Cybersecurity Framework functions can help companies do that by taking the following five steps:
- Identify: Until an organization understands the business context, resources supporting critical functions, and related cybersecurity risks, they cannot accurately prioritize efforts. Businesses should work to identify categories such as assets, asset vulnerability, cybersecurity policies, and risk management strategies.
- Protect: Empower users to work safely with sensitive data by applying the right safeguards. This includes everything from workforce training to protective technology that ensure the security and resilience of the organization’s systems.
- Detect: Security teams should continuously monitor data access privileges to ensure the right people have access to the right data and they can keep infiltrators out. To do this, companies should keep an updated account of how business application users and admins are granted access to datasets.
- Respond: Constant monitoring will alert to any inconsistencies or changes to data access or activity so security teams can quickly remediate it. It’s also important to monitor data flow across geographic jurisdictions. For instance, if data moves to the EU or across U.S. state borders, the team may need to address new compliance needs.
- Recover: It’s really important to have timely recovery to normal operations so the team can reduce the impact of a cybersecurity incident. Businesses should work to create and maintain plans for resilience that can help restore impaired capabilities and services in the event of a cyberattack.
To adhere to these security controls for data, companies need to create and implement the appropriate technologies to address the goal of protecting data, and also ensure that people are properly trained. Companies also must stay as consistent as possible in their data security governance practices, as inconsistencies can open the organization to unknown or unrealized risk. For example, when sensitive data gets stored with inconsistent protections, the security controls become harder to manage effectively.
It's a balance though, as an organization must also accommodate varying departmental needs to access data sets, with each role typically having different objectives. For example, marketing may require personal information (PI) to perform outreach, and may have different requirements around storage and which elements they can access, where a support center will likely have a very different set of sensitive data that must get accessed and managed in a separate manner. The more procedures vary across the enterprise, the harder it is to track and manage in a mature manner, opening the organization to risk.
When it comes to data security governance, companies need to make sure that they have the proper framework in place to ensure they can protect their data along with the corresponding technology to ensure the security controls are being addressed. The framework should align to any policy, regulatory, or contractual compliance requirements and exceed them to the extent that the risk gets reduced to an acceptable level for the business.
Companies need to only store data when it’s required, limit access to least privilege, and when storage of sensitive data becomes required, implement adequate security and governance controls to protect the data’s value to the organization.
Marc Punzirudu, Field CTO, PKWARE
