Data Governance is Hard: Know What’s Most Important
Top 5 Findings from Secureworks’ Proactive Incident Response Engagements, Part 3
By: Donald Allison
The Secureworks® Incident Response proactive consulting practice develops incident response (IR) plans, performs IR plan gap analyses, and facilitates tabletop exercises covering a range of security risks for more than 4,000 customers. Over time we have analyzed the findings from each engagement, and the patterns that emerge show consistent challenges to organizational security posture and response capabilities.
This 5-part blog series details the top 5 challenges we see when we are called in to do a proactive incident response engagement. As these are systemic, widespread issues, we want to raise awareness and share our guidance to help your organization get ahead of them.
The first blog in this series looked at what should be considered the basic foundation of any security practice: the definition of “incident.” Click here to read part 1.
The second in this series discussed another relatively simple item: the contact list. Click here to read part 2.
This third in the series explores what few organizations excel at: data governance.
Data governance is hard. The first two blogs discussed relatively easy goals to achieve. This one is not. But it does have to be done. After all, if you do not know what is important, how do you know what to protect?
To excel at data governance, you must first know the value of the data and systems that support that data. If you have business continuity/disaster recovery plans, you can start there. Those plans should have addressed the needs for every business segment to get back to doing business after an interruption, and the order of those processes provides great clues as to what is important.
Here are a few other items to consider:
- What data and systems are impacted by regulatory and compliance requirements?
- What data and systems are impacted by contractual requirements?
- What data and systems are impacted by legal requirements?
- What data and systems are impacted by privacy and other protection requirements not directly tied to regulation and compliance?
- What data and systems contain intellectual property?
- What data and systems contain financial information?
- What else is of value to us and where does it exist in the environment?
- What are the retention periods for each type of data?
- Who are the points of contact for each data/system of value?
- Who has access to each type of data and systems of value?
- Are the processes defined on how to handle each type of data and system of value?
- How do we audit our environment to see where we are in our data governance efforts?
There are, of course, more items involved, and data governance is an ongoing effort in all organizations. The key takeaway is that you must know what is important in order to make the right decisions to protect it.
Technology will provide some help with data governance; however, processes and procedures make the larger difference. Your workforce is the real front line of data governance, and they must have the resources they need, including training on those processes and procedures, to make governance work.
Jurisdictional requirements come into play if your organization has more than one location, and remote working, now a necessity at many organizations, means employees are often not in the same location either. The differences in requirements across geographies should be considered.
Together these steps provide a glimpse of the efforts ahead. Keep in mind that compliance is not security and security is not compliance. When it comes to data governance, both must be brought to bear to strengthen your environment.
This one may take a while.