4 key requirements for best practices in data governance
I believe we’re all willing to accept the following as true: information continually and freely circulates across and beyond enterprises, governments and social networks, aided by open, collaborative environments, mash-up technologies and intelligent information streams.
With information breaches and the inappropriate disclosure or use of intellectual capital now a boardroom issue, businesses expect a continued focus on privacy and security. Practically, though, businesses will balance this pressure with another truth: information is a commodity, and its use and availability fuel the economy.
Given this reality, most businesses have one important question: “How can I prevent sensitive information from accidentally or illicitly being exposed?” It’s a significant question given the pace of information being exchanged between parties, often residing in non-secured areas and on non-secured devices.
The short answer is that users need to be placed on an information diet with regard to sharing and accessing information. Critical data should be made available only to those who need access to it; for everyone else, access should be restricted.
This is the core tenet of a successful information governance program. But, lest we panic, a well-implemented program not only reduces risk but also improves the quality of users’ interaction with the information sets they need, and decreases long-term storage and security costs.
Let’s take a look at four key requirements for an effective program in this new world of data governance:
Information discovery and classification
Not all information needs to be managed and controlled in the same way. It should be classified into groups, with the more sensitive groups demanding stronger security controls. Classifying and organizing information means answering the following questions: What categories of information assets do we have (public, sensitive, confidential), and how valuable is each category to the business? If an asset were lost or leaked, how great would the impact on the organization be? Classification can be performed manually or automatically, using special-purpose tools designed to seek out information buried within the environment.
Acceptable use of information policy
Today it seems that almost every user of IT systems and digitally held information – whether supplier, partner, customer or employee – is trusted. These users will have multiple digital identities that give them the ability to share information across many communication channels, such as email, instant messaging and Internet sessions. It’s critical that they understand their roles and responsibilities with regard to information use and disclosure. It’s generally recommended that businesses issue a policy defining acceptable use of information and require users, where appropriate, to sign (digitally or physically) that they will comply with it.
Identity and Access Management
Telling people what their responsibilities are is not enough. Digital identity is a focal point in today’s global economy. Trustworthy credentials are required for any interaction or transaction. Are you going to transfer money or share confidential information with an entity you don’t know? Likewise, are you going to allow someone you don’t know (or don’t trust) to have access to your critical information?
Unfortunately, many organizations have not yet recognized the link between poor Identity and Access Management practices and information loss or disclosure. It’s critical that organizations use Identity and Access Management solutions to automate the process of granting and maintaining digital identities, granting access to applications and information assets, and auditing user activities.
There are three areas where organizations need to pay close attention:
· Securing information in databases to ensure that only privileged users can make changes to the database structure.
· Ensuring that critical information is protected by encryption, whether at rest or in flight.
· Monitoring information repositories with advanced intrusion detection systems to ensure they are protected against attack.
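As an added illustration (not code from the original article) of the classification step described under “Information discovery and classification” and of how a classification drives the controls listed above, the following scanner assigns each document to one of the article’s three categories and maps it to the controls the article names. The detectors, the tier-to-control mapping and the sample documents are all assumptions constructed for this example.

```python
import re

# The three categories the article names, least to most sensitive.
TIERS = ("public", "sensitive", "confidential")

# Hypothetical content detectors (constructed for this example); each pattern
# implies a minimum tier. Kept deliberately simple: a real scanner would add
# checksum validation and dictionaries to reduce false positives.
DETECTORS = [
    ("payment card number", re.compile(r"\b(?:\d[ -]?){15}\d\b"), "confidential"),
    ("us ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "confidential"),
    ("confidential marking", re.compile(r"\bCONFIDENTIAL\b"), "confidential"),
    ("internal marking", re.compile(r"\bINTERNAL\b"), "sensitive"),
    ("email address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "sensitive"),
]

# Assumed mapping from tier to the article's controls: the acceptable-use policy
# covers everyone; higher tiers add access restriction, monitoring, encryption.
CONTROLS = {
    "public": {"acceptable-use policy"},
    "sensitive": {"acceptable-use policy", "restrict access to authorized roles",
                  "monitor repository"},
}
CONTROLS["confidential"] = CONTROLS["sensitive"] | {"encrypt at rest", "encrypt in flight"}

def classify(text: str) -> tuple:
    """Return (tier, reasons): the highest tier any detector triggers, else public."""
    tier, reasons = "public", []
    for name, pattern, implied in DETECTORS:
        if pattern.search(text):
            reasons.append(name)
            if TIERS.index(implied) > TIERS.index(tier):
                tier = implied
    return tier, reasons

def scan(documents: dict) -> list:
    """Rows of (path, tier, reasons, required controls), most sensitive first."""
    rows = []
    for path, text in documents.items():
        tier, reasons = classify(text)
        rows.append((path, tier, reasons, CONTROLS[tier]))
    return sorted(rows, key=lambda r: TIERS.index(r[1]), reverse=True)

# Constructed sample corpus; none of these values are real data.
SAMPLE_DOCS = {
    "press_release.txt": "Acme announces its new product line for Q3.",
    "roadmap.txt": "INTERNAL - 2025 roadmap draft, do not forward.",
    "customer_export.csv": "jane@example.com,4111 1111 1111 1111",
}

if __name__ == "__main__":
    for path, tier, reasons, controls in scan(SAMPLE_DOCS):
        print(path, tier, reasons, sorted(controls))
```

Running it lists the card export as confidential (requiring encryption at rest and in flight), the marked roadmap as sensitive, and the press release as public with only the acceptable-use policy applying.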