
Security Think Tank: Data governance is good for business and security

Why is it important to know where data flows, with whom it's shared and where it lives at rest, and what is the best way of achieving this?

The footprint of data created and used by an organisation continues to grow rapidly. The value of each piece of data to the organisation varies as it makes its journey through the stages of the information lifecycle: create, process, store, transmit, destroy.

Information is also copied, either replicated exactly or in a slightly altered form, particularly in the "process" and "store" stages of the lifecycle. Each copy adds to the footprint of information across the organisation, and each is a further place that must be secured, and eventually destroyed.

Furthermore, information can be found beyond the traditional boundaries of the enterprise. Most organisations, irrespective of size, operate heterogeneous IT environments, with a mix of on-premises infrastructure and public, private and hybrid cloud.

Good information governance, indeed common sense, dictates that an organisation should regularly back up its data. This ensures that essential information can be restored if required, but it also further extends the footprint of information that an organisation needs to know about and control: a backup set is another copy that lives at rest, often in a different location or with a different provider.

Compliance is a leading reason for knowing where your data is. Throughout the information lifecycle, the security, privacy, and regulatory aspects of data management have driven many existing data governance programs.

The General Data Protection Regulation (GDPR) requires that personal data relating to individuals in the EU be secured and protected, but we can only secure and protect what we know we have.

Furthermore, the right to erasure (the "right to be forgotten") means that we need to know where all relevant information is held, including copies, derived datasets and backups. The "destroy" phase of the information lifecycle has often been neglected, but its importance has been raised through privacy legislation.


Additionally, the integrity of data is essential if the enterprise is to use the data appropriately and effectively throughout the information lifecycle. Having multiple versions of the same piece of data can cause integrity issues when an information worker does not know which is the authoritative version, or is not even presented with a choice.

Knowing where data is held means that it can be used effectively. Ensuring that the data is organised, stored properly and formatted appropriately also supports its use in analytics and other applications.

Strong data privacy practices cannot be implemented by security tools alone, and instead require a fundamental cultural shift in the business. In the self-service era, this means that all business users must be trained and aware of data privacy topics, and data privacy practices such as data minimisation must be practised by everyone that uses data in their daily roles.

This requires a cross-disciplinary approach, with an enterprise privacy "task force" composed of senior executives from across the business units. Not only does the business need to be cognisant of how it handles data internally, it also needs to be vigilant about the data handling practices of partners and third-party organisations. That requires cooperation within the business, as well as strong external relationships and lines of communication.

For new deployments, project development should incorporate mapping the flow of data throughout the system: which system creates it, which systems process and store it, who it is transmitted to, and where it is destroyed. Many organisations already do this as part of data privacy work (for example, to maintain records of processing under the GDPR).

This helps to control the footprint that data leaves as it moves through the information lifecycle. For existing systems, mapping the data is more complex, as it involves tracing flows through systems that were not designed with this in mind, and often through highly complex relationships with external parties. Again, many organisations have undertaken this process as part of GDPR compliance.
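A data flow map of the kind described above can be kept as a small register of systems and the flows between them, and queried to answer the two questions the article raises: where does a category of data live at rest (the systems an erasure request must reach, backups included), and which external parties receive it. The example below is added here and is not code from the original article; the systems, flows and data categories are constructed for illustration, and the consistency check flags a flow that declares a category its source never received, which usually means a missing flow or a wrong declaration in the register.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    """A place data is created, processed, stored or transmitted."""
    name: str
    location: str                    # where data on this system lives at rest
    persists: bool                   # True if data lands at rest here ("store" stage)
    external: bool = False           # True for partner / third-party systems
    creates: frozenset = frozenset() # data categories this system originates ("create" stage)


@dataclass(frozen=True)
class Flow:
    """A transmission of one or more data categories between two systems."""
    source: str
    dest: str
    categories: frozenset


class DataFlowMap:
    def __init__(self):
        self.systems = {}   # name -> System
        self.flows = []     # list of Flow

    def add_system(self, system):
        self.systems[system.name] = system

    def add_flow(self, source, dest, categories):
        # Refuse flows to or from systems that are not in the register:
        # an unregistered endpoint is itself an unknown part of the footprint.
        for name in (source, dest):
            if name not in self.systems:
                raise KeyError(f"unregistered system: {name}")
        self.flows.append(Flow(source, dest, frozenset(categories)))

    def _inbound(self):
        """Categories each system receives, as declared by the flows."""
        inbound = defaultdict(set)
        for f in self.flows:
            inbound[f.dest] |= f.categories
        return inbound

    def at_rest(self, category):
        """Systems where the category lives at rest: the targets of an erasure request."""
        inbound = self._inbound()
        return sorted(
            s.name for s in self.systems.values()
            if s.persists and (category in s.creates or category in inbound[s.name])
        )

    def external_recipients(self, category):
        """Third parties that receive the category on any flow."""
        return sorted({f.dest for f in self.flows
                       if category in f.categories and self.systems[f.dest].external})

    def inconsistencies(self):
        """Flows carrying a category their source neither creates nor receives."""
        inbound = self._inbound()
        problems = []
        for f in self.flows:
            available = self.systems[f.source].creates | inbound[f.source]
            missing = f.categories - available
            if missing:
                problems.append((f.source, f.dest, sorted(missing)))
        return problems


def build_example_map():
    """Constructed sample register: a web app feeding a CRM database, its
    backups and analytics, plus two external recipients. Not real systems."""
    m = DataFlowMap()
    m.add_system(System("web_app", "eu-west, on-premises", persists=False,
                        creates=frozenset({"contact", "payment"})))
    m.add_system(System("crm_db", "eu-west, on-premises", persists=True))
    m.add_system(System("backup", "eu-central, cloud object storage", persists=True))
    m.add_system(System("analytics", "eu-west, cloud warehouse", persists=True))
    m.add_system(System("payment_gw", "provider-managed", persists=True, external=True))
    m.add_system(System("marketing_partner", "partner-managed", persists=True, external=True))

    m.add_flow("web_app", "crm_db", {"contact"})
    m.add_flow("web_app", "payment_gw", {"payment"})
    m.add_flow("crm_db", "backup", {"contact"})
    # "payment" is declared here although crm_db never receives it:
    # either a flow is missing from the register or this declaration is wrong.
    m.add_flow("crm_db", "analytics", {"contact", "payment"})
    m.add_flow("analytics", "marketing_partner", {"contact"})
    return m


if __name__ == "__main__":
    m = build_example_map()
    print("contact at rest:", m.at_rest("contact"))
    print("contact shared externally:", m.external_recipients("contact"))
    print("register inconsistencies:", m.inconsistencies())
```

Running the block lists every system an erasure request for "contact" must reach, including the backup set and the marketing partner, and reports the one flow whose declared categories cannot be accounted for at its source. In practice the register would be populated from the organisation's existing records of processing rather than hand-built as here.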

Knowing what data your organisation is responsible for, where it is and how it is maintained has become a priority for enterprises. This is no bad thing: we must do with our data what we expect others to do with data about us.
