Using Data Governance to Protect Sensitive Data

1
1
Copyright © 2018 Robert S. Seiner – KIK Consulting & Educational Services / TDAN.com
Non-Invasive Data Governance™ is a trademark of Robert S. Seiner & KIK Consulting
#RWDG @RSeiner
Real World Data Governance
Using Data Governance
to Protect Sensitive Data
Monthly Webinar Series Hosted by DATAVERSITY
Robert S. Seiner – KIK Consulting / TDAN.com
May 17, 2018 – 11:00 a.m. PT / 2:00 p.m. ET

2
2
#RWDG @RSeiner
Real-World Data Governance
Introduction
• Real-World Data Governance – Monthly Webinar Series
June 21, 2018 – Using Data Governance to Improve Data Understanding
July 18, 2018 – Improving Data Analytics with Data Governance
Third Thurs @ 2pm EST – Register at TDAN.com, KIKconsulting.com, DATAVERSITY.net
• Non-Invasive Data Governance Book
ISBN 9781935504856 / Technics Publishing / Amazon.com
• Speaking @ Dataversity Events
Data Governance & Information Quality (DGIQ) Conference – San Diego – June 11-15, 2018
Data Architecture Summit – Chicago – October 8-11, 2018
• Online Learning Plan
Non-Invasive Data Governance - DATAVERSITY Training Center
Seven Online Courses with Evaluations
• The Data Administration Newsletter (TDAN.com)
Twice Monthly – Data Articles, Columns, Blogs and Features
Produced by DATAVERSITY – Subscribe for emails
• KIK Consulting & Educational Services
KIKConsulting.com
Home of Non-Invasive Data Governance™

3
3
#RWDG @RSeiner
• In this webinar we will discuss:
– Tips and techniques for classifying data and defining data handling rules
– Delivering roles appropriate for protecting sensitive data
– Selecting appropriate data sharing processes to govern
– Incremental implementation to protect the entire organization
– Measuring protection to demonstrate governance performance
Using Data Governance to Protect Sensitive Data
Agenda for Today’s Webinar

4
4
#RWDG @RSeiner
• Data Governance
– Data Governance is the Execution and Enforcement of Authority
Over the Protection of Sensitive Data and Data-Related Resources.
• Data Stewardship
– Data Stewardship is the Formalization of Accountability
Over the Protection of Sensitive Data and Data-Related Resources.
Defining Data Governance

5
5
#RWDG @RSeiner
• Non-Invasive Data Governance™
– The practice of:
• applying formal accountability & behavior
• through non-invasive roles & responsibilities
• to existing and / or new processes
• to assure that the definition, production & usage of data
• assures regulatory compliance, security, privacy, protection & quality.
– Non-Invasive describes how governance is applied to assure
non-threatening management of valuable data assets.
Defining Data Governance
• The goal is to be:
 Transparent.
 Supportive.
 Collaborative.

6
6
#RWDG @RSeiner
• Definition of Data Classification
– The act of putting data into a category.
• Definition of Data Handling Rules
– The way data should be controlled according to it’s classification.
Tips / Techniques for Classifying Data, Defining Data Handling Rules

7
7
#RWDG @RSeiner
• Benefits of Data Classification
Significantly improve
Information Lifecycle Management (ILM) processes.
Provide ability to
systemically apply governance in the form of
compliance and risk management.
Data Classification

8
8
#RWDG @RSeiner
• Improve ILM processes and systemically apply governance
– Data Definition
– Data Production
– Data Usage
Data Classification

9
9
#RWDG @RSeiner
– Data Definition
• Data requirements gathering
• Data definition and associated rules
• Data documentation and metadata
– Data Production
– Data Usage
Data Classification

10
10
#RWDG @RSeiner
– Data Definition
– Data Production
• Data sourcing
• Data certification
• Data retention and elimination
– Data Usage
Data Classification

11
11
#RWDG @RSeiner
– Data Definition
– Data Production
– Data Usage
• Data privacy
• Data regulations
• Data understanding
• Data sharing
Data Classification

12
12
#RWDG @RSeiner
• Data Classification Categories – Samples
– Explicit Access Required
– Highly Sensitive
– Sensitive
– Internal Use Only
– Public
• The examples listed on the next few pages are only intended as rough guides.
Specific assets may require a higher or lower classification if they involve
particularly high-risk or low-risk matters.
Data Classification

13
13
#RWDG @RSeiner
– Explicit Access Required
• This category is reserved for information requiring the highest level of
security. Primarily this is information for which the Company has
contractually agreed to protect from exposure. Information in this
category if exposed would almost certainly lead to significant monetary
and/or reputational loss.
– Examples include:
• Combined sales figures or key metrics such as sales percentages
• Legal actions or pending litigation material
Data Classification

14
14
#RWDG @RSeiner
• Information that provides the organization with a very significant
competitive edge or is of such a nature that unauthorized disclosure
would expose the Company to the highest level of risk.
• Nonpublic customer identifiable information
• Nonpublic personally identifiable employee information such as medical
or bank account information
• Nonpublic information regarding key strategic initiatives and business
plans
• Information including notations, documentation and pricing structure
• Nonpublic financial information about the company
Data Classification

15
15
#RWDG @RSeiner
– Sensitive
• Nonpublic Company information that if disclosed would pose moderate
risk to the Company.
• Aggregate customer information or financial information that could be
used to reach conclusions pertaining to company performance.
• Key technical information (diagrams) of systems such as POS, store
systems, etc.
• Product or marketing plans, forecasts
• Intellectual property or internal business practices
• Confidential information received from third parties
• Contracts and contract terms
Data Classification

16
16
#RWDG @RSeiner
– Internal Use Only
• Information that is not intended to be published externally, but could
cause minor risk to the Company if released to unauthorized people or
entities. Access is limited to employees or other authorized individuals.
• Corporate policies
• Organization charts
• Access content
• Meeting minutes and agenda
Data Classification

17
17
#RWDG @RSeiner
– Public
• Information that is safe for external posting and is meant for general
information.
• Public web site information
• Published reports such as corporate earnings
• Annual reports
• Regulatory required communications
Data Classification

18
18
#RWDG @RSeiner
• Benefits of Data Handling Rules
– Clearly state how data must be handled
– Clearly state who can handle the data
– Clearly state when they can handle the data
– Clearly state what data can be shared
Data Handling

19
19
#RWDG @RSeiner
• Rules associated with how the data can be printed
• Rules associated with how the data can be displayed
• Rules associated with how the data can be transmitted / transferred
• Rules associated with how the data can be discussed
Data Handling

20
20
#RWDG @RSeiner
• Rules associated with granting permission to receive data
• Rules associated with access to data
• Rules associated with sharing handling rules with receiver
Data Handling

21
21
#RWDG @RSeiner
• Rules associated with when the data will be made available
• Rules associated with when the access to the data will be given
• Rules associated with when the access will be taken away
Data Handling

22
22
#RWDG @RSeiner
• Rules associated with how the data is classified
• Rules associated with who will classify the data
• Rules associated with how the rules will be communicated
Data Handling

23
23
#RWDG @RSeiner
• Handling Rules for data classified as:
– Sensitive
– Internal Use
– Public
Data Handling
• Handling Rules should include:
– Printing
– Electronic Distribution
– Physical Distribution
– Displaying
– Discussing

24
24
#RWDG @RSeiner
• Handling Rules – example:
– For Highly Sensitive data
• The data should be marked as “HIGHLY SENSITIVE”.
• Access is given based on need-to-know and requires an ID, with quarterly
validation by Data Owners.
• Copying and printing should be minimized. Data must be encrypted when being
stored or transmitted (i.e. emailed, mailed, etc.).
• Data should not be stored or transmitted outside internal facilities/networks
without documented Executive approval.
• Physical copies should be printed only when necessary and stored at internal
locations in locked facilities at all times when not in use.
• VP approval is required for redistribution. Printed copies should be transported by
authorized employees only, and receipt must be confirmed and logged.
• Discussion should occur only on company premises with authorized personnel. This
data should not be discussed over the phone.
Data Handling

25
25
#RWDG @RSeiner
– For Sensitive data
• The data should be marked as “SENSITIVE”.
• Access is given on a need-to-know and requires an ID along with biannual
validation by Data Owners.
• Data must be encrypted when stored or transmitted.
• Physical copies should be printed only when necessary at internal facilities, stored
only at internal locations in locked containers, and shared in private on a need-to-
know basis.
• Physical media should be sent through an accountable commercial delivery service
and the receipt must be confirmed and logged.
• Discussion of the data should be limited to employees, customers, or partners on a
need-to-know basis, only in private outside public hearing.
Data Handling

26
26
#RWDG @RSeiner
– For Internal Use data
• The data should be marked as “INTERNAL USE”.
• System access is granted based on need-to-know and requires an ID.
• The data should be stored only on internal networks/systems or sanctioned cloud
systems.
• Physical copies of the data should be printed only when necessary, stored securely,
and shared on a need-to-know basis.
• Physical media should be sent through an accountable commercial delivery service.
• Discussion of the data should be limited to employees, customers, or partners on a
need-to-know basis.
Data Handling

27
27
#RWDG @RSeiner
– For Public data
• When handling public data, mark it as “PUBLIC”.
• There are no other data handling requirements.
Data Handling

28
28
#RWDG @RSeiner
• Don’t forget to govern the …
… Definition of Data Classification and Data Handling Rules
… Production of Data Classification and Data Handling Rules
… Usage of Data Classification and Data Handling Rules
Data Classification and Data Handling

29
29
#RWDG @RSeiner
• Role Levels for Data Governance
– Executive – Steering Committee
– Strategic – Data Governance Council
– Tactical – Data Domain Stewards, Enterprise Data Stewards, Coordinators
– Operational – Operational Data Stewards (Definers, Producers, Users)
– Support – Data Governance Office (Team), IT, PMO, Legal, Communications …
Delivering Roles Appropriate for Protecting Sensitive Data

30
30
#RWDG @RSeiner
NON-INVASIVE DATA GOVERNANCE™ FRAMEWORK
Endorse
Processes
Resolution
Processes
EXECUTIVE
STRATEGIC
TACTICAL
OPERATIONAL
SUPPORT
Domain
Processes
Daily
Processes
Enforce
Processes
Metric
Approval
Act
Metric
Acceptance
Domain
Metrics
Daily
Measurements
Collect
Report
Metrics
Policy
Directive
Best Practice
Guidelines
Standards
Requirements
Workflow
Glossary
Dictionary
Metadata
KIK Artifacts
(Common Data
Activity Matrices)
Support
Sponsor
Understand
Meetings
Status
Subject
Project
Orientation
On Boarding
Ongoing
Plan
Develop
Deliver
Steering
Committee
(Delegate)
Council
(Decision)
Domain
Stewards
Owners
(Subject)
Data
Stewards
(Daily)
DG Lead
Work Groups
Partners
(Function)
Copyright © 2017 – Robert S. Seiner and KIK Consulting & Educational Services, LLC
LEVEL
EXECUTIVE – SENIOR LEADERSHIP TEAM
STRATEGIC – BUSINESS & TECHNOLOGY
TACTICAL – SUBJECT MATTER EXPERTISE
OPERATIONAL – DAILY JOB FUNCTION
SUPPORT – FUNCTIONAL MANAGEMENT
LEVELS
EXECUTIVE – SENIOR LEADERSHIP TEAM
STRATEGIC – BUSINESS & TECHNOLOGY MGMT
TACTICAL – SUBJECT MATTER EXPERTISE
OPERATIONAL – DAILY JOB FUNCTION
SUPPORT – FUNCTIONAL MANAGEMENT
COMPONENTS
ROLES (AUTHORITY) – FORMAL RESPONSIBILITY
PROCESSES – APPLICATION and ENFORCEMENT
COMMUNICATIONS – EDUC, TRN, AWARENESS
METRICS – MEASUREMENTS and KPIs
TOOLS – ARTIFACTS PURCHASED & DEVELOPED
Levels
Components
ROLES(AUTHORITY)
COMMUNICATIONS
TOOLS
METRICS
PROCESSES

31
31
#RWDG @RSeiner

32
32
#RWDG @RSeiner

33
33
#RWDG @RSeiner
• Executive – Steering Committee
– Mandate at a high level
– View Data Governance as playing an integral role
– Oversee enforcement of the rules associated with classification and handling

34
34
#RWDG @RSeiner
• Strategic – Data Governance Council
– Oversee the protection of sensitive data
– Approve the classification and handling rules
– Support ample communications about protecting sensitive data

35
35
#RWDG @RSeiner
• Tactical – Data Domain Stewards, Enterprise Data Stewards, Coordinators
– Define the rules associated with protecting data
– Communicate the rules associated with protecting data
– Enforce the rules associated with protecting data

36
36
#RWDG @RSeiner
• Operational – Operational Data Stewards (Definers, Producers, Users)
– Learn the rules associated with protecting sensitive data
– Follow the rules associated with protecting sensitive data
– Share the rules associated with protecting sensitive data

37
37
#RWDG @RSeiner
• Support – Data Governance Office (Team), IT, PMO, Legal, Communications …
– Guide the efforts to protect sensitive data
– Define the rules associated with protecting sensitive data
– Enforce the rules associated with protecting sensitive data

38
38
#RWDG @RSeiner
• When does Data Sharing take place?
– Hard-copy Reports
– Electronic Reports
– Ad-Hoc Queries
– File Transmissions
– Inter-Office Mail
– Files Acquired
– Data Display
– Conversation
Selecting Appropriate Data Sharing Processes to Govern

39
39
#RWDG @RSeiner
• What are Data Sharing processes?
– Defining, validating and approving (D-V-A) rules associated with data sharing
– D-V-A rules for determining who the data can be shared with
– D-V-A rules for determining when the data can be shared
– D-V-A rules for how the data can be physically sharing the data
– D-V-A rules for sharing the rules associated with sharing data
Selecting Appropriate Data Sharing Processes to Govern

40
40
#RWDG @RSeiner
• Rules for Incremental Implementation
– Do not boil the ocean when implementing data governance to protect data
– Identify an appropriate place to start
– Learn from your experience
– Over communicate whenever possible
Incremental Implementation to Protect the Entire Organization

41
41
#RWDG @RSeiner
• Start with a focused group
• Expand across business function
• Expand across locations and markets

42
42
#RWDG @RSeiner
• Depends on the data you are protecting (PII, PHI, IP, …)
• Depends on the level of support for the protecting sensitive data
• Depends on who is sponsoring the effort

43
43
#RWDG @RSeiner
• Audit your processes and learn from experience
• Measure the time-per-step to see inefficiencies and ineffectiveness
• Recognize people for their participation
• Relate governance efforts to calls for Continuous Improvement

44
44
#RWDG @RSeiner
– Over-communicate whenever possible
• Place reminders of appropriate behavior in appropriate places
• Communicate through existing means
• Create new ways to communicate
– Newsletters
– Bulletin Boards
– Lunch and Learns
– Town Halls

45
45
#RWDG @RSeiner
• How can Data Governance measure data protection
– Completed Steps of Data Protection
– Education by Group, Function, Location, People
– Data Protection Communication Outlets
Measuring Protection to Demonstrate Governance Performance

46
46
#RWDG @RSeiner
• Classification Rules Defined, Validated and Approved
• Data Handling Rules Defined, Validated and Approved
• Data Protection Communications Plan
• Data Protection Enforcement Plan

47
47
#RWDG @RSeiner
• Number of Groups, Functions, Locations, People Onboarded
• Percentage of the Organization Onboarded
• Updates to Data Protection Education Materials

48
48
#RWDG @RSeiner
• Count of Available Outlets
• Number of Outlets Utilized
• Data Protection Communication Effectiveness

49
49
#RWDG @RSeiner
• In this webinar we discussed:
– Tips and techniques for classifying data and defining data handling rules
– Delivering roles appropriate for protecting sensitive data
– Selecting appropriate data sharing processes to govern
– Incremental implementation to protect the entire organization
– Measuring protection to demonstrate governance performance
Today’s Webinar

50
50
#RWDG @RSeiner
• Robert S. Seiner
KIK Consulting & Educational Services – KIKconsulting.com
The Data Administration Newsletter – TDAN.com
Post Office Box 112571, Upper St. Clair, Pennsylvania 15241
412.220.9643,
rseiner@tdan.com
@RSeiner @TDAN_com
Contact Information

Using Data Governance to Protect Sensitive Data

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Using Data Governance to Protect Sensitive Data

Similaire à Using Data Governance to Protect Sensitive Data (20)

Plus de DATAVERSITY

Plus de DATAVERSITY (20)

Dernier

Dernier (20)

Using Data Governance to Protect Sensitive Data