Is your data running wild?
Sitting on the bus this morning in traffic trying to get onto the Story Bridge, I noticed a flock of roughly 20 crows flying around the roof of St Vincent’s Hospital. They seemed busy, coordinated and working for a purpose. I wondered what they were doing and who controls them? Does CASA have jurisdiction over a murder of crows? Does the ADF? Maybe this was a bit too metaphysical for a Wednesday morning commute.
If we think of the crows and their cavalier attitude, there are certain similarities to the way employees deal with data in the wild. Once data is downloaded from a production database into a spreadsheet or report, who has jurisdiction over it? Does the data lose its meaning and intention because it has been moved into a different format? What if it contains PII? How does the organisation control this data once it is “in the wild”?
Data Governance is a confusing topic. Most people who have some ideas about this will relate it to policy and procedures and committees and websites and spreadsheets and I think I’m falling asleep typing this because it is so boring. It is important, but hard to get excited about. There is a real and growing need for good data governance.
In a recent data governance workshop with some senior people at a large client with close to 5,000 employees, the discussion centred on some of these questions. The participants included data custodians – people with accountability for the security of a data set. One of the data custodians said: “we have no control over the data once it is taken out of the system”. The hackles on the backs of several consultants’ necks started to rise. What do you say to a senior executive in this situation? “You are responsible”, “It is in the job description”, “What happens if that data gets into the wrong hands?”, etc, etc, etc. This person was responsible for employee data. Some of this is most likely a little sensitive.
According to the DAMA DMBOK2, one of the primary activities of data governance is the development of a data strategy, and one of the primary tasks of the data strategy is to identify what data is important to the organisation. Important data is usually defined in the data architecture and is seen as an asset to the organisation. It should be treated like any other of the organisation’s assets and protected. You don’t leave the keys in the ignition of a work car when you go into a bakery on the high street to get your morning tea. Similarly, you don’t want your customer or employee data being sold on the dark web for $20 a record. Roles and responsibilities, policies and procedures, and issues management are all vital to good data governance. When you treat your data as an enterprise asset, these activities become obvious.
We live in an increasingly regulated world. The data world is no exception. With the recent $5B fine slapped on Facebook, this is becoming more apparent and of increasing concern. Risk managers globally need to understand which data privacy regulations apply to their organisation and how to comply.
In financial services, APRA’s CPS 234 came into effect on 1 July 2019. The key requirements of this Prudential Standard are that an APRA-regulated entity must:
- clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals
- maintain an information security capability commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity
- implement controls to protect its information assets commensurate with the criticality and sensitivity of those information assets, and undertake systematic testing and assurance regarding the effectiveness of those controls
- notify APRA of material information security incidents.
Data governance would appear to be a key ingredient in ensuring compliance: defining roles and responsibilities for managing data assets, maintaining an information security capability and implementing controls are all data governance activities. So where to start?
What do we need to protect? Start by discovering which data assets you have, where they are (at rest and in motion) and how they are secured. This is a non-trivial exercise and, though obvious, often overlooked. Once the data is understood, it needs to be classified and protected according to that classification. This applies to all your data, whether it is in the “system” or in a spreadsheet, a report or an email that an employee is sending to an external party. This is where it gets interesting: data “in the wild” is abstracted from source systems, derived and then aggregated from multiple sources and, most importantly, mobile.
Data governance can help. If organisational authority is given to data governance, organisations can:
- Define the data that is critical and sensitive
- Set policy and procedure as to how this data must be managed
- Carry out a discovery exercise to find where this data is residing. Because data keeps moving, this step needs to be repeated on a regular basis, not done once
- Clearly classify and risk rate the data found
- Set up “border protection” (data loss prevention controls on email, web uploads and removable media) to ensure that the data does not leave the organisation without the right authorisations.
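To make the discovery, classification and border-protection steps above concrete, here is an added example (not code from the original article or from Robinson Ryan). It scans a handful of constructed sample documents, standing in for a spreadsheet export, a report and a meeting note, for Australian tax file numbers, payment card numbers and email addresses. Each pattern match is validated with its checksum (the ATO TFN weighting and the Luhn algorithm) so that a random run of digits such as an invoice number is not reported, then each document is classified and sorted into a register that an egress rule can consult. The detector set, the classification labels and the sample documents are assumptions for illustration.

```python
"""Added example: discover PII in documents "in the wild", classify them and
apply an egress rule. Detectors, labels and sample documents are illustrative."""
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Australian TFN: nine digits, commonly written as 123 456 782.
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
# Payment card: 13 to 19 digits with optional space or dash separators.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def digits_only(token: str) -> str:
    return re.sub(r"\D", "", token)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random digit runs such as invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tfn_ok(digits: str) -> bool:
    """ATO tax file number check: weighted sum of the nine digits mod 11 is zero."""
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return len(digits) == 9 and sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


# kind -> (pattern, validator on the raw token, sensitivity level)
DETECTORS = {
    "card": (CARD_RE, lambda t: luhn_ok(digits_only(t)), 2),
    "tfn": (TFN_RE, lambda t: tfn_ok(digits_only(t)), 2),
    "email": (EMAIL_RE, lambda t: True, 1),
}
LABELS = {0: "Public", 1: "Confidential", 2: "Restricted"}  # assumed scheme


@dataclass
class Finding:
    name: str
    hits: dict = field(default_factory=dict)  # kind -> count of validated matches

    @property
    def sensitivity(self) -> int:
        return max((DETECTORS[k][2] for k in self.hits), default=0)

    @property
    def classification(self) -> str:
        return LABELS[self.sensitivity]


def scan_text(name: str, text: str) -> Finding:
    """Run every detector over one document; count only checksum-valid matches."""
    finding = Finding(name)
    for kind, (pattern, valid, _) in DETECTORS.items():
        count = sum(1 for m in pattern.finditer(text) if valid(m.group(0)))
        if count:
            finding.hits[kind] = count
    return finding


def scan_documents(docs: dict) -> list:
    """Classify each document and return them most sensitive first (a data register)."""
    return sorted((scan_text(n, t) for n, t in docs.items()),
                  key=lambda f: f.sensitivity, reverse=True)


def may_leave(finding: Finding, recipient: str, trusted_domains: set, approved: bool) -> bool:
    """Egress rule for the "border protection" step: Restricted material may only go
    to an address outside the trusted domains with explicit approval."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if finding.sensitivity < 2 or domain in trusted_domains:
        return True
    return approved


# Constructed sample documents: an HR export, a finance note and a meeting note whose
# invoice number fails the Luhn check and so must not be reported as a card.
SAMPLE_DOCS = {
    "hr_export.csv": "name,tfn,email\nA. Smith,123 456 782,a.smith@example.com\n",
    "q2_refunds.txt": "Refund to card 4111 1111 1111 1111 approved by finance.\n",
    "meeting_notes.txt": "Invoice 1234 5678 9012 3456 discussed; no decisions.\n",
}

if __name__ == "__main__":
    for f in scan_documents(SAMPLE_DOCS):
        print(f"{f.name:18} {f.classification:12} {f.hits}")
```

In practice the scan would walk file shares, mailboxes and cloud storage rather than an in-memory dictionary, and the classification it produces is what the data custodian signs off on; the point of the checksum validation is that a discovery exercise which floods custodians with false positives gets ignored.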
Under CPS 234 further complications are added to the mix by “related parties and third parties”: where information assets are managed by such a party, the entity must ensure that the controls it applies to internally held data extend to data held on its behalf, and must assess that party’s information security capability. If it is difficult to ensure that your own employees are following data governance policy and procedure, adding related and third parties brings a whole new dimension of difficulty.
Unlike the crows cavorting around the roof of St Vincent’s, we know who controls the data in your organisation. You do. Everyone in the organisation has responsibility for their data and, given good policy and relevant training, your organisation can ensure that it isn’t in the papers as the next big data breach.
We love talking about data. If you need help with responding to regulatory changes or just don’t know where to start drop us a line and we can help point you in the right direction.
Author: JOHN STEVENSON
Former Brisbane Practice Manager of Robinson Ryan, John’s mission is to bring simple, elegant solutions to data management implementation.