Your company holds a lot of data in digitized format. Some of that information relates to contracts and business processes. Your competition would like to get hold of those details. Other data on your system records personal details of employees, customers, and sometimes suppliers. You particularly need to prevent access to this information because there are legal requirements that expect you to protect this category of data. The loss of income that legal action would cause could close down your enterprise.
So, you need to protect all of the data on your system – that means information about how you do business and information about others. In the case of your business records, you also need to protect it from destruction. Data governance is the method that you use to keep information secure.
We get into a lot of detail on data governance and the tools we include below, but in case you are short of time, here is our list of the best tools for data governance tools:
- SolarWinds Access Rights Manager (FREE TRIAL) Controls document and resource access.
- ManageEngine ADAudit Plus Manages log files and produces standards compliance audits.
- Smartsheet Data governance project templates.
- SENF Locates sensitive data.
- N-able Backup For data discovery, backup, and recovery.
- Blackberry Unified Endpoint Management Secures access to applications and data on all endpoints, including mobile devices.
- SolarWinds Security Event Manager (FREE TRIAL) Collects and manages log files, protecting them against tampering.
- OSSEC An intrusion prevention system.
- Symantec Data Loss Prevention Protects data from theft.
There are three categories of threats to the data on your system:
- Outsider intrusion
- Insider theft
- Corruption or destruction
Although your IT system is a very efficient automatic data processor, the way organizations store the information that feeds into it can be very haphazard. You will be surprised to learn that you probably do not know where all of your data is held.
When you move towards a data governance policy, you first need to locate all instances. You should decide whether to centralize all data or leave it in distributed locations. Either way, you need to back them up. You should create a backup strategy that decides the frequency of copying and whether those copies should be made available live, should be stored as versions of files, should be replacements of existing backups, and what recovery procedures you should implement. You should decide where those backups are kept and you need to ensure that they are secure.
Once you have gotten your data protection in place, you need to work out how data is going to be made available to employees, exactly who should be able to see it, who can change it, who can delete it, and who can copy it.
You also need to decide how long you should keep each category of data and how you should securely retire it.
Data loss protection vs data continuity vs data stewardship vs data governance
The section above outlines the tasks you need to perform in order to manage the data in your business. However, there are several terms that describe these responsibilities.
The protection of data from theft is called “data loss protection.” The backing up and recovery of data is called “business continuity.” “Data stewardship” is the practice of ensuring that no one is able to use the information that you store for purposes other than the explicit needs of your business. “Data governance” covers all of these data management processes.
A priority of data governance is to recognize the value of data. That is not just its value to you and your business, but also the value that it could have to others.
The value of data protection measures lies in the cost to the business of paying compensation to individuals should it be stolen and abused for malicious purposes. Another cost of data disclosure is the effect of legislation. Your business can be fined or shut down by the government if you don’t protect the data held about other businesses and private individuals. You and key employees could be imprisoned, and you could all be banned from holding positions of responsibility.
Loss of reputation is another potential cost of data loss and lack of correct data governance. Conversely, effective data governance assures trust in your brand, enhances your business’s reputation, and strengthens the enterprise’s money-making potential.
Implementing data governance
Data governance is implemented by tools. You should put in place automated procedures to manage your data and secure it rather than expecting a technician to implement the strategy manually. However, there are many variables within each task that need to be set. So, you will need to make a lot of decisions upfront about how you implement your data governance policy.
The key deliverable for data governance is a policy document. This should outline all of the requirements of the data management system that will be put into place. You will decide on the goals and time horizons for each area of management.
Examples of the type of decisions that you need to make include the number of “days data” that your company could afford to lose. This will dictate the frequency of backups. You should write out a policy for each category of the data that your company holds:
- Financial data
- Operational transaction data
- Business reference information (contracts and plans)
- Personally identifiable information
Your obligations for each type of data are different. You should also identify the data security standards that are relevant to your industry and domicile.
Data governance policy
The actual document that you will produce in your strategy phase is the data governance policy. A key point in this document is the definition of user roles for each category of data. First, you need to nominate a Chief Information Officer (CIO) and the technicians and administrators who will be in charge of implementing the data governance policy. This team is called the Data Governance Board and will carry out the work to create, refine, and implement the data governance policy.
Identify the job types that need to have data access. Each should have access rights to see, create, amend, or delete data. Keep in mind that sensitive data will be held in documents and database. The usage of each should be guided by applications, such as document management systems and data access screens – ensuring that no one gets direct access to data and that all actions that operate on your data stores are logged.
The exact steps that you need to implement data governance depend greatly on the type of data that your business handles. Create a project library for your governance policy, start off with an overview definition, and work down to more and more details. The Data Governance Institute proposes the following project framework:
Rules and Rules of Engagement
- Mission and Vision
- Goals, Governance Metrics and Success Measures, and Funding Strategies
- Data Rules and Definitions
- Decision Rights
People and Organizational Bodies
- Data Stakeholders
- A Data Governance Office
- Data Stewards
- Proactive, Reactive, and Ongoing Data Governance Processes
Data governance implementation
The implementation of a data governance policy is called “data management.” The strategy needs to be integrated into day-to-day working practices and should be a specific process. The Data Governance Board will continue to monitor the effectiveness of the policy and make adjustments accordingly.
Your data management task will fall into the following categories:
- Data discovery
- Access rights management
- Access logging and log management
- Intrusion prevention
- Standards compliance auditing
- Data backup strategy
- Data recovery strategy
For each of these tasks, you will need an automated tool. You are unlikely to find a single data management tool that you like and that effectively performs all of the processes that you will need to implement. Look for a blend of separate tools that you can organize into your own data management suite.
Data management tools
You can read more about these tools in the following sections.
SolarWinds Access Rights Manager will give you a report of your current user community and the permissions granted to each person. This is your starting point for the user management aspect of the data governance strategy. Once you have defined clear user groups, assigned individual accounts to groups, and set the permissions for each, you can implement that new policy through the Access Rights Manager.
- Provides a clear look into permission and file structures through automatic mapping and visualizations
- Preconfigured reports make it easy to demonstrate compliance
- Any compliance issues are outlined after the scan and paired with remediation actions
- Sysadmins can customize access rights and control in Windows and other applications
- SolarWinds Access Rights Manager is an in-depth platform designed for sysadmin which may take time to fully learn
The tool monitors Active Directory, Microsoft Exchange, Windows File Share, and SharePoint. The reporting module includes auditing for GDPR, HIPAA, and PCI DSS compliance. The software installs on Windows Server and you can get it on a 30-day free trial.
ADAudit Plus is a useful tool for implementing SOX, HIPAA, PCI DSS, FISMA, GDPR, and GLBA compliance. The “AD” in the name of the tool explains that this security system focuses on Active Directory. The tool monitors your AD implementation, logging any access to the permission database and backing up changes so that they can be reversed.
The dashboard for the tool displays alerts every time permissions are changed or user records are added or deleted. ADAudit Plus logs can be archived and stored for three years, making them available to the tool’s reporting and auditing utility.
- Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc)
- Supports multiple domains, great for large enterprises
- Supports delegation for NOC or helpdesk teams
- Allows you to visually view share permissions and the details of security groups
- Has a steeper learning curve than similar tools
This tool installs on Windows and is available in both free and paid editions. You can get a 30-day free trial of the Professional edition.
Smartsheet is a team project library application. The tool includes template forms that are specifically written for data governance. You set a project mission and then follow through many layers of forms, assigning tasks with deadlines to different team members or groups. The environment also includes planning utilities, such as critical path analysis and timeline estimates.
- Designed specifically for data governance
- Offers many customization options
- Features solid team collaboration tools
- Dual-purpose, can use for managing other projects
- Very manual process, would like to see more examples and templates for new users
- Can be tough to use without planning or guidance
Smartsheet isn’t just a data governance planning tool. You can use it to manage any project that your company takes on once the data governance project has been settled. It can even be used as a Help Desk management system. You can get a 30-day free trial of Smartsheet that will give you the opportunity to see the different business functions that it could support.
When you implement your data governance policy, your first task will be to locate all of the data on your system. If you hold personally-identifiable information, you will find SENF useful.
The program performs a system search for data format patterns, such as credit card numbers and social security numbers. The results report gives you the locations of these data instances.
- Supports cross-platform functionality across Windows, Linux, and Mac OS
- Is easy to launch and doesn’t stress systems resources
- Fairly limited in what it can do proactively
- Compared to newer tools, SENF is outdated in terms of functionality
- Was removed from GitHub, can be hard to find
“SENF” stands for “Sensitive Number Finder.” It is a free tool that was developed by the University of Texas at Austin’s Information Security Office – they still maintain and develop the program. SENF runs on Windows, Linux, Mac OS, and Unix. The software has been available on a GitHub repository but has been removed since this article was first published.
The N-able MSP Backup service combines backup management software and the storage space – the company operates data centers around the globe. Cloud storage is the best solution for backup – keeping copies on your own site risks both the original and backup being destroyed by environmental events.
- The interface is simple and easy to learn
- Designed with MSPs in mind, with multi-tenant features and reporting capabilities
- Scales well as a cloud-based application
- Can back up data from other cloud providers like OneDrive
- N-able Backup is a highly detailed tool designed for IT professionals and may take time to fully explore all features available
Data transfers are made quicker through compression. Data is protected by AES encryption, both in transit and in the cloud storage. Only your account has access to the decryption key, so even the data center staff is unable to read your records. The dashboard enables you to command data recovery to your site or to a different site. N-able offers a 30-day free trial of the Backup service.
Available for installation on site or as a Cloud service, this system manages mobile devices with Windows, macOS, iOS, Android, Windows Phone, and BlackBerry and also wearable devices and IoT equipment. You can configure devices en masse by device type or user function and create secure areas for corporate use on user-owned devices.
Different plans include different levels of functions. You can include mobile application management and mobile content management, which will protect the documents and data accessed from mobile devices. Other options include secure email, messaging, and collaboration software.
- Sleek highly customizable interface
- Cross-platform support with Windows, Mac OS, Linux, Android, and iOS
- Available on-premise and as a cloud service
- Would like to see more options for mobile security
- Message sync can delay emails
- Implementation is fairly complex when compared to similar solutions
Blackberry UEM can be assessed with a free trial.
Gathering event messages and storing them in log files is an essential task for data governance. You need to track all actions performed on data and store records of those events. You also need to ensure that intruders can’t cover their tracks by modifying the records in log files. The SolarWinds SecurityEvent Manager performs all of these tasks.
The dashboard for the tool shows all log messages live as they travel to files. The data viewer includes analysis utilities. The tool includes pre-written report formats for auditing compliance with data protection standards. The Security Event Manager runs on Windows Server, but it is able to collect log messages arising from any operating system.
- Built with enterprise in mind, can monitor Windows, Linux, Unix, and Mac operating systems
- Supports tools such as Snort, allowing SEM to be part of a larger NIDS strategy
- Over 700 pre-configured alerts, correlation rules, and detection templates provide instant insights upon install
- Threat response rules are easy to build and use intelligent reporting to reduce false positives
- Built-in reporting and dashboard features help reduce the number of ancillary tools you need for your IDS
- Feature dense – requires time to fully explore all features
You can try SolarWinds SecurityEvent Manager on a 30-day free trial.
This open-source, free intrusion prevention system is owned by cybersecurity company, Trend Micro. The tool checks on details in log files and automatically takes action to block user accounts and transmission source IP addresses.
The connection between a detected event and a remediation action is called a “policy.” It is possible to write these rules yourself. However, the active user community for the tool is a good source for pre-written policies. The community provides tips and tricks for OSSEC and you can buy a support package as an addition from Trend Micro.
OSSEC can be downloaded from GitHub and it runs on Unix, Linux, Mac OS, and Windows. There is no front end for this tool, but you can interface it with Kibana, Splunk, or Graylog.
- Can be used on a wide range of operating systems, Linux, Windows, Unix, and Mac
- Can function as a combination SIEM and HIDS
- Interface is easy to customize and highly visual
- Community-built templates allow administrators to get started quickly
- Requires secondary tools like Graylog and Kibana for further analysis
- Open-source version lacks paid support
Symantec Data Loss Prevention scans your system for sensitive data on installation. The software is driven by policies, which dictate the actions that the service will take on detection of unacceptable actions. These actions are all logged, which makes the auditing capabilities of the tool good for HIPAA, GDPR, and PCI DSS standards compliance.
Sensitive documents are encrypted and access to them is controlled by authentication. Copying, movement, and emailing of these files can be banned and you can fingerprint every copy when files are distributed, making it easy to detect the source of leaks. The system is also able, on command, to destroy files completely, leaving no traces on the device. The tool includes user tracking, which is useful if you need to investigate an account that has triggered an alert through suspicious activity.
- Combines DLP with user activity tracking, giving it additional functionality
- Automatic scanning can map out sensitive locations where data is stored
- Offers pre-built temples and works flow for major compliance standards, offering good out of box functionality
- Supports file integrity monitoring through a fingerprinting system
- Could integrate better with other Symantec tools
- Need better Mac functionality
Data governance FAQs
What are data governance tools?
A data governance tool is a system that enables the creation and enforcement of data security and privacy policies. These tools track events that occur on data and record them for data privacy auditing as well as control access.
What is data governance?
Data governance applies security and privacy rules to data access events. For example, your business might operate in the health care sector and need to comply with HIPAA in order to attract business. In this case, you would need to ensure that the HIPAA requirements are enforced throughout your organization. Another example comes from businesses that accept credit card payments. In this case, the business would set its data governance policy so that it enforces compliance with the PCI DSS standard.
What is data governance in ETL?
Extract, transform, load (ETL) involves moving or copying data from one location to another and also altering the format or context of that data in the process. This can be problematic for compliance with data privacy standards because you have to maintain the integrity of data. The meaning of the data’s original context has to be preserved in order to keep a proper and truthful record. Your data governance standard should ensure that the meaning of the data isn’t altered by changing its context during ETL processes.
What is a data governance solution?
A data governance solution is a software package that contributes towards the enforcement of data protection standards within a business. A service does not need to be a complete, closed-loop system in order to qualify as a data governance solution. It can make a partial contribution to the overall data governance enforcement strategy of the business and still be regarded as a data governance solution.