Your company holds a lot of data in digitized format. Some of that information relates to contracts and business processes. Your competition would like to get hold of those details. Other data on your system records personal details of employees, customers, and sometimes suppliers. You particularly need to prevent access to this information because there are legal requirements that expect you to protect this category of data. The loss of income that legal action would cause could close down your enterprise.
So, you need to protect all of the data on your system – that means information about how you do business and information about others. In the case of your business records, you also need to protect it from destruction. Data governance is the method that you use to keep information secure.
There are three categories of threats to the data on your system:
- Outsider intrusion
- Insider theft
- Corruption or destruction
We get into a lot of detail on data governance and the tools we include below, but in case you are short of time, here is our list of the best tools for data governance tools:
- SolarWinds Access Rights Manager (FREE TRIAL) Controls document and resource access
- Smartsheet Data governance project templates
- SENF Locates sensitive data
- SolarWinds MSP Backup For data discovery, backup, and recovery
- Blackberry Unified Endpoint Management Secures access to applications and data on all endpoints, including mobile devices
- SolarWinds Security Event Manager (FREE TRIAL) Collects and manages log files, protecting them against tampering.
- OSSEC An intrusion prevention system
- Symantec Data Loss Prevention Protects data from theft
- ManageEngine ADAudit Plus Manages log files and produces standards compliance audits
- 1 Data controls
- 2 Data loss protection vs data continuity vs data stewardship vs data governance
- 3 Implementing data governance
- 4 Data governance policy
- 5 Data governance implementation
- 6 Data management tools
Although your IT system is a very efficient automatic data processor, the way organizations store the information that feeds into it can be very haphazard. You will be surprised to learn that you probably do not know where all of your data is held.
When you move towards a data governance policy, you first need to locate all instances. You should decide whether to centralize all data or leave it in distributed locations. Either way, you need to back them up. You should create a backup strategy that decides the frequency of copying and whether those copies should be made available live, should be stored as versions of files, should be replacements of existing backups and what recovery procedures you should implement. You should decide where those backups are kept and you need to ensure that they are secure.
Once you have gotten your data protection in place, you need to work out how data is going to be made available to employees, exactly who should be able to see it, who can change it, who can delete it, and who can copy it.
You also need to decide how long you should keep each category of data and how you should securely retire it.
Data loss protection vs data continuity vs data stewardship vs data governance
The section above outlines the tasks you need to perform in order to manage the data in your business. However, there are several terms that describe these responsibilities.
The protection of data from theft is called “data loss protection.” The backing up and recovery of data is called “business continuity.” “Data stewardship” is the practice of ensuring that no one is able to use the information that you store for purposes other than the explicit needs of your business. “Data governance” covers all of these data management processes.
A priority of data governance is to recognize the value of data. That is not just its value to you and your business, but also the value that it could have to others.
The value of data protection measures lies in the cost to the business of paying compensation to individuals should it be stolen and abused for malicious purposes. Another cost of data disclosure is the effect of legislation. Your business can be fined or shut down by the government if you don’t protect the data held about other businesses and private individuals. You and key employees could be imprisoned, and you could all be banned from holding positions of responsibility.
Loss of reputation is another potential cost of data loss and lack of correct data governance. Conversely, effective data governance assures trust in your brand, enhances your business’s reputation, and strengthens the enterprise’s money-making potential.
Implementing data governance
Data governance is implemented by tools. You should put in place automated procedures to manage your data and secure it rather than expecting a technician to implement the strategy manually. However, there are many variables within each task that need to be set. So, you will need to make a lot of decisions up front about how you implement your data governance policy.
The key deliverable for data governance is a policy document. This should outline all of the requirements of the data management system that will be put into place. You will decide on the goals and time horizons for each area of management.
Examples of the type of decisions that you need to make include the number of “days data” that your company could afford to lose. This will dictate the frequency of backups. You should write out a policy for each category of the data that your company holds:
- Financial data
- Operational transaction data
- Business reference information (contracts and plans)
- Personally identifiable information
Your obligations for each type of data are different. You should also identify the data security standards that are relevant to your industry and domicile.
Data governance policy
The actual document that you will produce in your strategy phase is the data governance policy. A key point in this document is the definition of user roles for each category of data. First, you need to nominate a Chief Information Officer (CIO) and the technicians and administrators who will be in charge of implementing the data governance policy. This team is called the Data Governance Board and will carry out the work to create, refine, and implement the data governance policy.
Identify the job types that need to have data access. Each should have access rights to see, create, amend, or delete data. Keep in mind that sensitive data will be held in documents and database. The usage of each should be guided by applications, such as document management systems and data access screens – ensuring that no one gets direct access to data and that all actions that operate on your data stores are logged.
The exact steps that you need to implement data governance depend greatly on the type of data that your business handles. Create a project library for your governance policy, start off with an overview definition, and work down to more and more details. The Data Governance Institute proposes the following project framework:
Rules and Rules of Engagement
- Mission and Vision
- Goals, Governance Metrics and Success Measures, and Funding Strategies
- Data Rules and Definitions
- Decision Rights
People and Organizational Bodies
- Data Stakeholders
- A Data Governance Office
- Data Stewards
- Proactive, Reactive, and Ongoing Data Governance Processes
Data governance implementation
The implementation of a data governance policy is called “data management.” The strategy needs to be integrated into day-to-day working practices and should be a specific process. The Data Governance Board will continue to monitor the effectiveness of the policy and make adjustments accordingly.
Your data management task will fall into the following categories:
- Data discovery
- Access rights management
- Access logging and log management
- Intrusion prevention
- Standards compliance auditing
- Data backup strategy
- Data recovery strategy
For each of these tasks, you will need an automated tool. You are unlikely to find a single data management tool that you like and that effectively performs all of the processes that you will need to implement. Look for a blend of separate tools that you can organize into your own data management suite.
You can read more about these tools in the following sections.
SolarWinds Access Rights Manager will give you a report of your current user community and the permissions granted to each person. This is your starting point for the user management aspect of the data governance strategy. Once you have defined clear user groups, assigned individual accounts to groups, and set the permissions for each, you can implement that new policy through the Access Rights Manager.
The tool monitors Active Directory, Microsoft Exchange, Windows File Share, and SharePoint. The reporting module includes auditing for GDPR, HIPAA, and PCI DSS compliance. The software installs on Windows Server and you can get it on a 30-day free trial.
Smartsheet is a team project library application. The tool includes template forms that are specifically written for data governance. You set a project mission and then follow through many layers of forms, assigning tasks with deadlines to different team members or groups. The environment also includes planning utilities, such as critical path analysis and timeline estimates.
Smartsheet isn’t just a data governance planning tool. You can use it to manage any project that your company takes on once the data governance project has been settled. It can even be used as a Help Desk management system. You can get a 30-day free trial of Smartsheet that will give you the opportunity to see the different business functions that it could support.
When you implement your data governance policy, your first task will be to locate all of the data on your system. If you hold personally-identifiable information, you will find SENF useful.
The program performs a system search for data format patterns, such as credit card numbers and social security numbers. The results report gives you the locations of these data instances.
“SENF” stands for “Sensitive Number Finder.” It is a free tool that was developed by the University of Texas at Austin’s Information Security Office – they still maintain and develop the program. SENF runs on Windows, Linux, Mac OS, and Unix. The software is available from a GitHub repository.
The SolarWinds MSP Backup service combines backup management software and the storage space – the company operates data centers around the globe. Cloud storage is the best solution for backup – keeping copies on your own site risks both the original and backup being destroyed by environmental events.
Data transfers are made quicker through compression. Data is protected by AES encryption, both in transit and in the cloud storage. Only your account has access to the decryption key, so even the data center staff is unable to read your records. The dashboard enables you to command data recovery to your site or to a different site.
Available for installation on site or as a Cloud service, this system manages mobile devices with Windows, macOS, iOS, Android, Windows Phone, and BlackBerry and also wearable devices and IoT equipment. You can configure devices en masse by device type or user function and create secure areas for corporate use on user-owned devices.
Different plans include different levels of functions. You can include mobile application management and mobile content management, which will protect the documents and data accessed from mobile devices. Other options include secure email, messaging, and collaboration software. Blackberry UEM can be assessed with a free trial.
Gathering event messages and storing them in log files is an essential task for data governance. You need to track all actions performed on data and store records of those events. You also need to ensure that intruders can’t cover their tracks by modifying the records in log files. The SolarWinds SecurityEvent Manager performs all of these tasks.
The dashboard for the tool shows all log messages live as they travel to files. The data viewer includes analysis utilities. The tool includes pre-written report formats for auditing compliance with data protection standards. The Security Event Manager runs on Windows Server, but it is able to collect log messages arising from any operating system. You can try it on a 30-day free trial.
This open source, free intrusion prevention system is owned by cybersecurity company, Trend Micro. The tool checks on details in log files and automatically takes action to block user accounts and transmission source IP addresses.
The connection between a detected event and a remediation action is called a “policy.” It is possible to write these rules yourself. However, the active user community for the tool is a good source for pre-written policies. The community provides tips and tricks for OSSEC and you can buy a support package as an addition from Trend Micro.
OSSEC can be downloaded from GitHub and it runs on Unix, Linux, Mac OS, and Windows. There is no front end for this tool, but you can interface it with Kibana, Splunk, or Graylog.
Symantec Data Loss Prevention scans your system for sensitive data on installation. The software is driven by policies, which dictate the actions that the service will take on detection of unacceptable actions. These actions are all logged, which makes the auditing capabilities of the tool good for HIPAA, GDPR, and PCI DSS standards compliance.
Sensitive documents are encrypted and access to them is controlled by authentication. Copying, movement, and emailing of these files can be banned and you can fingerprint every copy when files are distributed, making it easy to detect the source of leaks. The system is also able, on command, to destroy files completely, leaving no traces on the device. The tool includes user tracking, which is useful if you need to investigate an account that has triggered an alert through suspicious activity.
ADAudit Plus is a useful tool for implementing SOX, HIPAA, PCI DSS, FISMA, GDPR, and GLBA compliance. The “AD” in the name of the tool explains that this security system focuses on Active Directory. The tool monitors your AD implementation, logging any access to the permission database and backing up changes so that they can be reversed.
The dashboard for the tool displays alerts every time permissions are changed or user records are added or deleted. ADAudit Plus logs can be archived and stored for three years, making them available to the tool’s reporting and auditing utility.
This tool installs on Windows and is available in both free and paid editions. You can get a 30-day free trial of the Professional edition.