Getting Started with Information Governance: The Security and Privacy Approach
In previous columns, I’ve examined a business glossary and a focus on management of the data lifecycle as two potential starting points for an information governance initiative. This month, we’ll take a look at another approach that is chosen by many organizations—putting data privacy and security policies into place to protect enterprise information.
It is hardly surprising that data privacy and security concerns rise to the top of the list for organizations in a number of industries. The consequences of poor data protection are well known far beyond the IT community. Aberdeen Group has found that the average cost of a security incident in the era of big data is USD40M.[1] Data breaches lead to the sort of headlines no CEO wants to see, and have long-lasting and far-reaching impacts on both businesses and consumers.
Reducing risk: A top priority
Reducing these risks is understandably a high priority, not only for individual organizations but also for entire industries and for governments around the world (for more details, read this IBM paper on business-driven data privacy policies). In fact, more than 50 international laws regulate privacy.[2] Some of the most important ones put into place to stem the tide of data security and privacy breaches include:
- Sarbanes-Oxley Act (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Federal Information Security Management Act (FISMA)
- EU Data Privacy Directive
Failure to meet standards and regulations for data protection can result in damage to a company’s reputation and stiff financial penalties.
What’s needed for an organization to start down the information governance path with a focus on securing and protecting information? Three key areas need to be addressed:
- Understanding where data resides, what domains of information exist, and how it is related across the enterprise, plus defining policies and metrics for securing and protecting that data.
- Securing data across the enterprise—including both structured and unstructured information, in non-production as well as production environments—and protecting the data from unauthorized use.
- Monitoring access to information on an ongoing basis, with audits to assess vulnerabilities and validate compliance, and reporting to both internal and external auditors.
While there are legitimate concerns about the protection of data on mobile devices and in the cloud, structured databases are still the top targets for security breaches. So it makes sense to start your data protection initiative with a focus on IBM® DB2® and other enterprise databases, since these are typically loaded with high-value data.
Day-to-day risks beyond the headlines
Not every data breach makes headlines. In fact, breaches that are less visible but occur more frequently often pose serious risks, and are common in organizations across all industries. Just consider these two examples:
- My colleague recently visited a regional bank to work with a team that was testing a new system. While chatting at the desk of one of the team members, my colleague glanced at the tester’s computer screen and noticed the name, address, phone number, Social Security number, and bank account balance of a well-known celebrity. Asked about the source of the data, the tester replied, “It’s clean. I just cloned a copy of production this morning.” Further discussion revealed that the data in question was in use not only within the QA group at the bank, but also at a third-party contractor used for QA and testing.
- A Caribbean bank’s DBA loved the beach. In fact, he found it especially attractive during the workday. How did he manage that? He found that by changing the database logs, he could enjoy his time and hide from his employer the fact that he was at the beach rather than at work. Without best practices and policies around “watching the watchers,” the bank itself was the victim of this crime, as it suffered loss of productivity over an extended period of time.
These scenarios illustrate a point made by Forrester Research that 75 percent of data breaches come from inside the company.[3] It’s important, then, that your own approach to data security and privacy include processes and procedures to protect against the risks of both intentional and accidental breaches from within.
Protecting big data to tap into big opportunities
The era of big data presents great opportunities for deepening customer relationships, optimizing operations, and identifying new revenue opportunities. But before you take advantage of the hidden treasure in the new big data sources, it’s important to determine how you will secure the data. Most existing security and compliance solutions will not scale adequately.
According to the IBM X-Force 2012 Mid-Year Trend and Risk Report:
“…a more holistic approach to the entire ecosystem is required. Users should become more aware of how visible their personal data is online, more aware of who has access to it, and more aware of how it can be used against them. This affects not only their social networking, but also their choices of mobile application selection and usage. As an increasing trend, mobile applications are requiring a significant amount of permissions that dilute the ability of users to discern potentially malicious intent.”
How can you start to take control and protect your data? IBM InfoSphere® Optim™ de-identifies sensitive data across both production and non-production environments to comply with data privacy regulations and avoid data breaches. IBM InfoSphere Guardium® helps organizations address requirements for the three key areas identified earlier in this article: understanding and definition; security and protection; and monitoring and auditing. InfoSphere Guardium helps to map sensitive assets inside enterprise databases. It verifies secure installation, provides change auditing and activity monitoring, and reports on auditing and compliance, scaling to secure and protect both traditional and big data.
If securing your data and protecting it from unauthorized access are top concerns for your organization, addressing them may be a perfect way to start on your path to information governance. If you’re already addressing some other governance issues such as creating a common glossary of business terms or managing your data lifecycle, then data security and protection may be appropriate follow-on steps.
There is no single approach to information governance that’s perfect for every organization at each point in time. But you’ll almost certainly benefit from choosing your own best approach and getting started right away.
How are you dealing with information governance in your organization? What challenges have you faced, and what’s working well? Please share your thoughts in the comments!
[1] Aberdeen Group, “The Big Data Imperative: Why Information Governance Must Be Addressed Now,” December 2012.
[3] Industrial Safety and Security Source (ISS Source).