Implementing Data Governance & ISMS in a University
1. Case study: Implementing Data Governance and ISMS at UNSW
Kate Carruthers
Version 1.0
March 2017
Classification: PUBLIC
2. This case study covers the complexities of implementing data and information governance and an information security management system (ISMS) as part of a broader cybersecurity framework at an institution like UNSW Australia. It explores some of the unique challenges of securing an institution that has over 50,000 students and which undertakes research that ranges from open data to personally identifying patient information.
16/08/2017 Data & Information Governance Office 1
4. Alliances
• The Group of Eight (Go8) is a coalition of leading Australian universities, intensive in research and comprehensive in general and professional education.
• The Global Alliance of Technological Universities is a network of the world’s top technological universities.
• APRU is a network of 45 premier research universities from 16 economies around the Pacific Rim.
• Universitas 21 is the leading global network of research-intensive universities.
• The PLuS (Phoenix London Sydney) Alliance combines the strengths of three leading research universities on three continents to develop innovative solutions to these challenges in global health, social justice and sustainability while progressing the responsible innovation of advanced technologies.
7. 3 realms of data
Realms: Learning & Teaching; Research; Administrative
Systems and data across the realms: Enterprise systems; Local Faculty-based systems; Systems of record; Learning Management; Lecture recording; MOOCs; Research data; Publications
9. Cybersecurity and enterprise risk management are a key focus for Council and Management.
10. Data & information governance are a key foundation for cybersecurity.
14. Responses to the hack
• War room
• Perimeter defences
• Visibility at Council level
• Risk register
• Appointment of dedicated Info Sec resources
15. Threats
1. Phishing, Whaling/Spear Phishing
2. Ransomware
3. DDOS/Zombie botnet armies
4. Big data
5. Ignorance
17. Work plan (key: Done / In progress / Planned)
• Setup policy framework
• Re-establish Data Governance Committees
• Establish Data Ownership structure
• Identify ‘Crown Jewels’
• Implement Data Classification
• Implement System Classification
• Implement ISMS
• Implement Business Glossary Tool
• Implement Data Quality Process
• Implement Internal Data Sharing Agreements
• Implement Reference Data Management
• Implement Master Data Management
18. The 4 dimensions Framework
UNSW Data Governance Framework focuses on the oversight, guidance and quality of enterprise data assets enabled through People, Policies, Procedures and Tools. The Framework:
• provides enterprise wide roles and responsibilities to be accountable for decisions related to data assets
• establishes policies & procedures to manage the data assets
• provides diverse tools for managing operational data tasks
Strategic Drivers: Enterprise Oversight of Data; Enterprise Guidance on Data; Enterprise Quality of Data; Performance Metrics
Dimensions:
1. People are members of UNSW governance bodies, which hold the authority for decisions relating to data assets: Data Executives, Data Owners, Data Stewards, Data Creators/Data Specialists
2. Policies are high level statements that provide context for strategic decisions relating to the data assets
3. Procedures are specific instructions designed to ensure policy is followed and outcomes are measurable
4. Tools are pre-prepared objects that support people carrying out procedures
Procedures and tools in the Framework: Workflow for Approval; Checklists; Issues Register; Data Profiling; Data Sharing; Data Reporting; Regulatory Compliance; Data Asset Prioritisation; Data Exchange Agreements; Data Process Flow; Data Integration; Data Security
19. Alignment - Legal, Privacy, IT & Info Sec
• Information literacy
• Data driven improvements
• Policies & Standards
• Information Quality
• Privacy, Compliance, Security
• Architecture, Integration
• Establish Decision Rights
• Stewardship
• Assess Risk & Define Controls
• Consistent Data Definitions
Adapted from University of Wisconsin Data Governance Framework
20. Fundamentals
• Data ownership
• Data classification
• Data handling guidelines
• ISMS Standards
Boundaries between Data Governance & IT teams – collaboration is critical.
21. Data Classification
Data Classification: Example Data Types
• Highly Sensitive (data subject to regulatory control): Medical; Children & Young persons; Credit Card; Research Data (containing personal medical data)
• Sensitive: Student and Staff HR data; Organisational financial data; Exam material; Exam Results; Research Data (containing personal data)
• Private: Business unit process and procedure; Unpublished Intellectual property; ICT system design & configuration information
• Public: Faculty and staff directory information; Course catalogues; Published research data
22. Data classification process
1. Identify the Data Owner
2. Identify the Information Assets
3. Assess data risks
4. Apply data classification to the Information Asset
5. Apply the controls
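As an added example that is not part of the deck: a small Python register that walks the classification process above using the four levels and example data types from the Data Classification slide. The handling controls per level and the sample assets are assumptions, since the deck says only "apply the controls" and names no systems.

```python
# Ranked least to most restrictive, as in the deck; the list index is the rank.
LEVELS = ["Public", "Private", "Sensitive", "Highly Sensitive"]
# Example data types per level, taken from the deck's Data Classification slide.
LEVEL_DATA_TYPES = {
    "Public": ["Faculty and staff directory information", "Course catalogues",
               "Published research data"],
    "Private": ["Business unit process and procedure", "Unpublished intellectual property",
                "ICT system design & configuration information"],
    "Sensitive": ["Student and staff HR data", "Organisational financial data", "Exam material",
                  "Exam results", "Research data (containing personal data)"],
    "Highly Sensitive": ["Medical", "Children & young persons", "Credit card",
                         "Research data (containing personal medical data)"],
}
DATA_TYPE_LEVEL = {t: lvl for lvl, types in LEVEL_DATA_TYPES.items() for t in types}
# Hypothetical handling controls per level: the deck says "apply the controls" but lists none.
CONTROLS = {
    "Public": ["no access restriction"],
    "Private": ["authenticated staff access"],
    "Sensitive": ["authenticated staff access", "need-to-know authorisation", "encrypt at rest"],
    "Highly Sensitive": ["authenticated staff access", "need-to-know authorisation",
                         "encrypt at rest", "access logging", "Data Owner approval to share"],
}
# Constructed sample assets as (name, Data Owner, data types held); not real UNSW systems.
SAMPLE_ASSETS = [
    ("Student records system", "Registrar", ["Student and staff HR data", "Exam results"]),
    ("Clinical trial dataset", "Head of School",
     ["Published research data", "Research data (containing personal medical data)"]),
    ("Faculty wiki", None, ["Business unit process and procedure"]),
]

def classify(data_types):
    """Most restrictive level of any data type held; unknown types are an error, not Public."""
    unknown = [t for t in data_types if t not in DATA_TYPE_LEVEL]
    if unknown or not data_types:
        raise ValueError(f"unknown or empty data types: {unknown}")
    return max((DATA_TYPE_LEVEL[t] for t in data_types), key=LEVELS.index)

def run_process(assets):
    """Deck's steps per asset: identify Data Owner, identify asset, assess, classify, control.
    An asset with no Data Owner is recorded as blocked rather than classified."""
    register = {}
    for name, owner, data_types in assets:
        if not owner:
            register[name] = {"status": "blocked", "reason": "no Data Owner identified"}
            continue
        level = classify(data_types)
        register[name] = {"status": "classified", "owner": owner,
                          "classification": level, "controls": CONTROLS[level]}
    return register
```

Mixing one public and one highly sensitive data type in an asset classifies the whole asset as Highly Sensitive, which is the behaviour a classification scheme needs to be safe by default.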
24. Security approach
Goal: Standardisation of cyber security management processes across UNSW
• Data Collection & Validation or Verification
• Reporting of potential threats/risks and compliance – e.g. Heat maps to Security Forums in each Faculty
• Risk Workshops
• Mitigation action plans
• Ongoing Compliance Maintenance Process
26. What we’ve learned so far
1. Methodically build up info sec layers
2. Every day do one thing better
3. Data governance matters
4. Info sec is a team sport