
    Data Governance Programs

    Data Governance Programs are important for controlling the data your organization processes, produces, and stores. Data is the greatest risk today in most organizations and is also the currency on which many organizations operate.

    Your data can be centralized in a certain location like a file server or decentralized across many locations within your organization. Data is decentralized in many of the organizations we consult with. Data is stored in file shares, cloud service providers, email clients, and other areas where you wouldn’t expect to find business-critical data.

    The data governance issue is a result of:

    • The data in your organization is growing exponentially.
    • This can be attributed to new data, modified data, and duplicated data.
    • Lack of data change management and version control.

    Data at scale is difficult to manage. Without a data governance program, it can be very much like the “wild west” from a data perspective.

    Data governance in that context is based on tribal knowledge or at the direction of someone who has put together an ad-hoc data governance program. Technical controls can help, but they might need to be inserted on file servers, email servers, firewalls, and other network endpoints in order to monitor, log, and alert for your data access control policies.

    Reduce Risk to Data

    Considering all the data being processed, produced, and stored, there is a considerable amount of risk that goes along with the data.

    Shadow IT: We see this in organizations where IT and Information Security don’t act as a business enabler. End users will seek outside solutions that help them get their work done.

    One of the problems with Shadow IT and end users procuring their own solutions is that it bypasses vendor management, contract requirements, SLAs, security controls, and incident response capabilities if needed.

    Insider Threat: Can be malicious behavior or the result of an accident.

    The majority of the incidents I’ve worked over my career have been due to an insider more so than a bad actor. Organizations need to monitor what activities are taking place internally when it comes to data access and governance.

    Breaches are ever increasing as we see in the news today. We see this as a result of supply chain attacks, malware/ransomware attacks, and data mishandling.

    Unauthorized access happens in a lot of organizations more often than you might think. You have ad-hoc file shares being set up that turn into data repositories for any and all data simply because it’s more convenient than going through the correct provisioning process.

    Starting a Data Governance Program

    Data Governance usually means starting with a data classification program. This is where a lot of organizations hit a roadblock. The problem is determining who’s responsible for classifying the data. I’ve been in conversations where it was suggested that IT was responsible, then it shifted to information security, then to the department that created the data, and then finally somehow HR was responsible for classifying data.

    Regardless of who is responsible for classifying the data, you need to have a baseline set of rules that everyone can agree on. This might be determined by business process management, regulatory requirements, business policies, or audits and risk assessments.

    If you are subject to regulations such as GLBA, GDPR, or HIPAA, you most likely already have some form of a data governance program. In a best-case scenario, data classification and data governance are part of the larger Governance, Risk, and Compliance program.

    Data Governance Challenges

    Remote Work changes behavior based on surroundings. For example, the office provides visual cues on how data should be handled that the less formal home setting does not.

    Cloud Storage poses some challenges in that some cloud services do not provide governance controls. I recently had someone reach out to me about how to control access in a popular free cloud storage service. Encryption is another issue we are seeing more of: can the cloud storage provider encrypt the data in transit and at rest?

    BYOD: We are seeing more of this with remote work. This can be due to a shortage of mobile devices or employers wanting to save money.

    BYOD presents challenges in how to separate personal from business data and how to wipe the business data from the device if needed, and it can also be an issue during e-Discovery.

    Technical controls require additional costs, licensing, and administration. In this area you see things like DLP and encapsulation of documents, where a special add-on application is required to read documents such as PDFs, Word documents, and Excel documents.

    Data Governance Framework

    A good approach to starting a Data Governance Program is to utilize an industry standard framework. NIST has a Privacy Framework that has some good guidance.

    At a high level, what we are trying to do here is ensure the privacy of our data, that is, prevent exposure and unauthorized access, and implement the appropriate administrative and technical controls for the data. The Privacy Framework covers all of those perspectives.

    NIST Privacy Framework for data governance

    If you look at the Venn diagram in the image above, you can see that the NIST Privacy Framework on the right-hand side overlaps with the NIST CSF on the left-hand side of the slide.

    The NIST CSF consists of the five functions of Identify, Protect, Detect, Respond, and Recover.

    The NIST Privacy Framework consists of Identify, Govern, Control, and Communicate.

    Between the two, we can see that the Protect-P function overlaps with the Detect, Respond, and Recover functions of the NIST CSF for privacy related events.

    The Privacy Framework provides a common language for understanding, managing, and communicating privacy risk with internal and external stakeholders. It consists of the Core, Profiles, and Implementation Tiers.

    The Core provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risk.

    Profiles are a selection of specific Functions, Categories, and Subcategories from the Core that an organization has prioritized to help it manage privacy risk.

    Implementation Tiers support communication about whether an organization has sufficient processes and resources in place to manage privacy risk and achieve its Target Profile.

    It’s important to note that this is a voluntary framework used as a risk-based approach. The Core is not a checklist of actions to perform. You should select the Subcategories that align with your overall data governance program.

    The five Privacy Framework Functions are defined as follows:

    Identify-P is a foundational Function and focuses on the organizational understanding needed to manage privacy risk for individuals arising from data processing.

    Govern-P is also a foundational Function.

    This one develops and implements the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.

    Control-P develops and implements appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks from the standpoint of both organizations and individuals.

    Communicate-P develops and implements appropriate activities to enable organizations and individuals to have a reliable understanding of, and engage in a dialogue about, how data is processed and the associated privacy risks.

    The Communicate-P Function recognizes that both organizations and individuals may need to know how data are processed in order to manage privacy risk effectively.

    Protect-P develops and implements appropriate data processing safeguards. The Protect-P Function covers data protection to prevent cybersecurity-related privacy events; this is the overlap between privacy and cybersecurity risk management.

    At a high level, these are the functions associated with a data governance program.

    Privacy Framework Functions

    Within the NIST Privacy Framework is a table that outlines the categories and activities for implementing a privacy program or data management program.

    This is only a small snapshot of the approximately 2.5 pages of the table:

    NIST Privacy Framework Functions for data governance

    In this table let’s look at the Function Column and the Category Column.

    For example, the Identify function includes: Inventory and Mapping, Business Environment, Risk Assessments, and the Data Processing Ecosystem Risk Management Process.

    The Govern Function includes:

    • Governance Policies, Processes and Procedures
    • Having a Risk Management Strategy
    • Awareness and Training
    • Monitoring and Review

    Dropping down to the Protect Function, you can see that it includes Data Protection Policies, Processes, and Procedures. Then you have Identity Management, Authentication and Access Control, Data Security, Maintenance, and Protective Technologies.

    I don’t recommend attempting to implement all the items in the full table at once, because there’s a lot to do here. This is something that needs to be implemented in context with how your organization operates, and along with your strategic plan for your security program.

    If you wanted to pick a starting point for all these activities, I would suggest starting with a data risk assessment or privacy impact assessment, and then starting with the activities that reduce the most risk first.