Data and information governance: getting this right to support an information security programme
1. Data and information governance: Getting this right to support an information security programme
Ruth Robertson, Cardiff University
1/11/2016
2. Data and information governance: Getting this right to support an information security programme
Ruth Robertson
Deputy Director, Governance Team
Data & Information Governance Programme Manager
Cardiff University
5. Information Security Framework Vision
The University will operate in a manner where security of information is balanced with appropriate accessibility of that information….
…providing the optimum level of risk management to support the University’s strategic goal of being a world leading institution.
7. Data Management Model
• Data Governance: Defined accountability framework, strategy, roles, responsibilities, policies and procedures
• Data Architecture: Consistent view of data landscape: definitions, standards, principles and models
• Data Management: Information lifecycle management, Shared Data management, measuring and improving data quality, Data management problem resolution
• Business Intelligence: Capability to use data to inform operations and strategy and to optimise performance
Data Management Principles
8. Data Management Principles
Data is a valuable shared resource
• Data is a University asset, shared across University functions and organisations for multiple purposes and managed appropriately throughout its lifetime
Rationale
• Data is a key strategic resource supporting all of the University functions and must be managed in a fashion that creates most value for the University as a whole
• Subject to legal and regulatory commitments, data is of most value when it is shared and reused. Protection of the University's data against loss, leakage and tampering is of critical importance.
9. Changes to roles and responsibilities
• Information assets > data domains (plus)
• Information asset owners > Data Leads (plus)
• Data stewards > System Owners (Business)
• Data custodians > System Owners (Technical)
10. Data & information governance goals
• To define, approve and communicate data management and information security strategies, policies, standards, architecture, procedures and metrics
• To manage information security risk and resolve data management issues
• To understand and promote the value of data and information assets
• To oversee conformance with the above and provide a mechanism to manage necessary exceptions
11. Governance bodies
Data & Information Management Oversight Group
Senior Information Risk Owner
Senior System Owners, University Data Steward & Data Leads
Head of IT Architecture
Data Architecture Group
IT Technical Design Authority
University Data Steward
Membership Categories & Entitlements Group
Senior Systems Owner (Technical)
12. Management of information assets
Data Domains
• Responsible owners: Data Leads
• Types of security controls applied: Classification; data use principles; permitted use policy, processes and procedures
Information systems
• Responsible owners: Senior System Owners (Technical & Business)
• Types of security controls applied: Technical design and configurations; access control policy, processes and procedures
End user devices
• Responsible owners: Colleges/Schools/Depts; Individual members of staff
• Types of security controls applied: Technical configurations; acceptable use policy, processes and procedures
People
• Responsible owners: Human Resources; Line managers
• Types of security controls applied: Vetting; training and awareness raising; behavioural policy, processes and procedures
13. Current state
• Data & Information Management Oversight – wide scope
• Getting to grips with roles and applying checks and balances – digital workplace system business owner
• Developing data model and classifying data as we go
Infosec and data management closely linked. Lots of work with the University’s Head of IT Architecture as data architecture and systems control underpin both. Data management principles at the core of this. Already working on these in a separate initiative fuelled by HESA and BI.