7 Ways To Avoid Information Governance Pitfalls - InformationWeek
10/6/2015 11:06 AM
Lisa Morgan
7 Ways To Avoid Information Governance Pitfalls

Information governance practices must be updated as laws, technologies, and business models change. Here are seven ways to make sure you're governing your data effectively.

(Image: Succo via Pixabay)
The governance of information and data isn't a subject that only regulated companies need to worry about. Businesses, regardless of their size or the industry they're in, need to understand how they store and use data, and whether it's adhering to their own privacy policies or complying with a regulatory mandate. Without formal data governance, companies are managing the associated risks by default.

"Some organizations don't know where to start, so they bury their heads in the sand hoping it goes away, or they'll wait until they get burned and then they'll do something," said John Isaza, a partner at Rimon Law, in an interview. "And if they get burned, they may say we need to get burned again to see a pattern."

High-profile incidents, such as the Target and Ashley Madison hacks, raise awareness of the problem but tend not to change the way individual companies operate, unless perhaps a direct competitor was breached. Even then, little if anything may change.

"It's not a question of if you'll have a data breach; it's when you'll have a data breach. We tend to forget that inadvertent data disclosure has a lot of problems with it, and it's a big portion of why these problems come up," said David Horrigan, e-discovery counsel and legal content director at e-discovery software provider kCura, in an interview. "Carelessness really has to be part of a governance policy."

Who is in charge of data governance varies depending on the size of a company, the industry it serves, and internal considerations. The players typically include some combination of IT leadership, business leadership, the chief security officer, the chief privacy officer, the records information manager, someone from the general counsel's office, and the person responsible for compliance.

"The justification for a team comes when you realize you're keeping a lot of data, you need to protect the data, quickly find the data, and make sure you know when you can get rid of the data," said Richard Lutkus, a partner at law firm Seyfarth Shaw, in an interview. "Once things get too hard for people to manage on their own, companies start looking at better ways to organize their data as they're implicated in more lawsuits."

Data governance is sometimes relegated to the IT team, especially when it is viewed in traditional IT terms. In fact, there is a debate about whether information governance and data governance mean the same thing or not -- and the explanations vary.

An Association of Information and Image Management blog describes information governance as "the overarching policies and processes to optimize and leverage information while keeping it secure and meeting legal and privacy obligations in alignment with stated organizational business objectives." Data governance is defined as consisting of "the processes, methods, tools, and techniques to ensure that data is of high quality, reliable, and unique (not duplicated), so that downstream uses in reports and databases are more trusted and accurate."

Semantics aside, neither data governance nor information governance alone is sufficient. We present some considerations that apply to both. After you've reviewed these, tell us about your own data governance experiences. Is your organization sticking its head in the sand, or leading the charge in good data governance practices? Tell us all about it in the comments section below.

Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligence Unit. Frequent areas of coverage include ...

Comments
UlfM645
10/8/2015 | 9:54:13 AM
Re: Automate policy enforcement
Policy is key - How could Experian allow decryption of 15 million Social Security Numbers? We know that most banks limit the amount you can withdraw from an ATM on a daily basis to limit fraud.

Encryption and decryption is only a way to enforce a security policy. A security policy can be applied to encryption or tokenization services. The PCI DSS Tokenization Guidelines, released in 2011, suggest that tokenization systems can be configured to throttle or reject abnormal requests, reducing the potential exposure of unauthorized activity.

Also the Visa Tokenization Best Practices guide for tokenization, released in 2010, suggests that tokenization systems can be configured to throttle or reject abnormal requests, reducing the potential exposure of unauthorized activity.

I suggest that all encryption/decryption services should also apply similar rate limiting rules to prevent or limit theft of sensitive information from databases.

Ulf Mattsson, CTO Protegrity
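The comment above argues that a detokenization or decryption service should enforce a policy of its own, throttling or rejecting abnormal request volumes rather than answering every valid call. The following is an added illustration of that idea, written for this page; it is not code from Protegrity, PCI DSS, Visa, or any vendor product. It assumes a toy in-memory token vault, a per-caller sliding-window limit, and a hard cap on tokens per request; the caller names, limits, and the 200 constructed SSN-shaped values are all made up for the simulation.

```python
"""Rate-limited detokenization service (illustration only).

A normal caller that detokenizes one record every few seconds is never
throttled, while a caller that tries to pull hundreds of records in a burst
is cut off after the per-window limit, and an over-sized batch is refused
outright. Every decision is written to an audit list so the rejections can
feed monitoring.
"""
from collections import deque
import secrets


class RateLimitExceeded(Exception):
    """Raised when policy refuses a detokenization request."""


class TokenVault:
    """Toy vault: random surrogate token -> original value (assumed, in-memory)."""

    def __init__(self):
        self._tokens = {}

    def tokenize(self, value):
        token = secrets.token_hex(8)
        self._tokens[token] = value
        return token

    def lookup(self, token):
        return self._tokens.get(token)


class SlidingWindowLimiter:
    """Allow at most `limit` detokenized records per caller in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = {}  # caller -> deque of timestamps, one per record

    def check(self, caller, now, count=1):
        q = self._events.setdefault(caller, deque())
        while q and q[0] <= now - self.window:  # drop events outside the window
            q.popleft()
        if len(q) + count > self.limit:
            return False
        q.extend([now] * count)
        return True


class DetokenizationService:
    """Applies the policy before touching the vault; refusals are audited."""

    def __init__(self, vault, limiter, max_batch=10):
        self.vault = vault
        self.limiter = limiter
        self.max_batch = max_batch
        self.audit = []  # (timestamp, caller, decision, record_count)

    def detokenize(self, caller, tokens, now):
        if len(tokens) > self.max_batch:
            self.audit.append((now, caller, "REJECT_BATCH_SIZE", len(tokens)))
            raise RateLimitExceeded(f"{caller}: batch of {len(tokens)} exceeds {self.max_batch}")
        if not self.limiter.check(caller, now, len(tokens)):
            self.audit.append((now, caller, "REJECT_RATE", len(tokens)))
            raise RateLimitExceeded(f"{caller}: per-window limit reached")
        self.audit.append((now, caller, "ALLOW", len(tokens)))
        return [self.vault.lookup(t) for t in tokens]


def simulate():
    """Constructed scenario: one well-behaved caller, one abnormal burst."""
    vault = TokenVault()
    # Constructed, non-real SSN-shaped values; only their tokens leave the vault.
    tokens = [vault.tokenize(f"000-00-{i:04d}") for i in range(200)]
    svc = DetokenizationService(vault, SlidingWindowLimiter(limit=50, window=60), max_batch=10)
    result = {"normal_allowed": 0, "normal_rejected": 0,
              "burst_allowed": 0, "burst_rejected": 0, "burst_records_exposed": 0}

    # Normal usage: one record every 5 seconds for 10 minutes (well under 50/min).
    for i in range(120):
        try:
            svc.detokenize("billing-app", [tokens[i % 200]], now=i * 5)
            result["normal_allowed"] += 1
        except RateLimitExceeded:
            result["normal_rejected"] += 1

    # Abnormal burst: all 200 records requested in batches of 10 within one second.
    for b in range(20):
        batch = tokens[b * 10:(b + 1) * 10]
        try:
            values = svc.detokenize("reporting-job", batch, now=1000 + b * 0.01)
            result["burst_allowed"] += 1
            result["burst_records_exposed"] += len(values)
        except RateLimitExceeded:
            result["burst_rejected"] += 1

    # Over-sized request is refused before the rate limiter is consulted.
    try:
        svc.detokenize("etl-job", tokens[:11], now=2000)
        result["oversized_rejected"] = False
    except RateLimitExceeded:
        result["oversized_rejected"] = True
    return result


if __name__ == "__main__":
    print(simulate())
```

With a limit of 50 records per 60 seconds, the burst caller gets five batches through and is then refused for the remaining fifteen, so at most 50 of the 200 records are exposed before the audit trail shows a run of REJECT_RATE entries that monitoring can alert on. The per-window limit and batch cap would be tuned per caller from observed normal volumes.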
UlfM645
10/7/2015 | 3:33:21 PM
Automate policy enforcement
I agree that "It's not a question of if you'll have a data breach; it's when you'll have a data breach," and "companies start looking at better ways to organize their data as they're implicated in more lawsuits." I also agree that "The policy may have been written a while ago. It may not have been updated, and perhaps nobody is following it."

I found great guidance in a recent report from Gartner. The report analyzed solutions for Data Protection and Data Access Governance and the title of the report is "Market Guide for Data-Centric Audit and Protection." The report concluded that "Organizations that have not developed data-centric security policies to coordinate management processes and security controls across data silos need to act."

I also agree that automated enforcement is needed and "One way to enforce policies is to build compliance into systems" so "an organization can accomplish its information and data compliance goals without overly burdening everyday work tasks."

Ulf Mattsson, CTO Protegrity