Data governance is an important component of the General Data Protection Regulation (GDPR), and Heidi Maher's recent post on GDPR and information governance makes an essential point about the upcoming regulation. Her discussion of Article 32 (security of processing) is needed; her mention of information governance, and even data governance, is equally worth noting.
The Scope of Data Governance
Gartner defines information governance as the “specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
In January 2017, we published a blog post on 13 Reasons to Update Your Outdated Security Policy. It listed a variety of reasons why this matters, including organizations lacking a formal vulnerability management process, general non-compliance, and unmanaged changes to the environment. A year later, the same issues hold true for many organizations.
As a recent CIO article notes, data governance has the potential to affect businesses positively. Benefits can include:
- Collaboration across departments
- Efficient data management
- Quality Data Management
However, many companies do not yet seem to value GDPR or understand its relevance. In HyTrust's 2017 survey, no single answer was chosen by more than 30 percent of respondents:
- Unaware of the GDPR relevance to their organization (29 percent)
- Concerned about GDPR but do not have a plan in place (27 percent)
- Not concerned and do not have a plan in place (23 percent)
- Concerned and have a plan in place (21 percent)
Data governance, as defined by the Data Governance Institute, is “the exercise of decision-making and authority for data-related matters.” More specifically, data governance is “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”
Though some may tout GDPR as the new Y2K, the reality is that many organizations will need to put some process in place: data and data management will be not only a focus but also a regulation that any business handling the personal data of people in the EU, wherever that business is located, needs to be aware of. Moreover, from a cost perspective, data governance appears to pay for itself, with various estimates stating that organizations that implement centralized data governance could reduce compliance costs by an average of $3 million.
The Scope of GDPR and InfoSec Objectives
If you have not begun to look at objectives for GDPR, data governance, or your organization's information security program objectives, it is not too late to start.
For organizations who have a current plan in place, a review of the following may be beneficial.
- Maintenance of a Safe Network
- Maintenance of Vulnerability Management
- Prevention of Unauthorized Access
- Maintenance of the Integrity of Data Assets
- Ensuring prompt detection and reporting of security incidents (GDPR Article 33 requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach)
Many organizations can use this as a starting point to understand how information is collected, stored and processed at their own place of business. Whether the initiative is to achieve GDPR compliance, PCI compliance, or HIPAA compliance, organizations need to start somewhere. Drifting in and out of compliance is a real problem, and security should not be an afterthought.
A file integrity monitoring (FIM) tool can be a top asset for an information security program and its objectives. The general objective of GDPR is to give EU citizens control of their personal data; Article 32 requires, among other things, the ability to ensure the ongoing integrity of processing systems and to regularly test the effectiveness of security measures. Many organizations use FIM to support those integrity and documentation requirements, because it records what changed, where, and when.
File Integrity Monitoring Software
Just as the first step toward meeting Article 32 is to identify what personal data is collected and where it resides, an early step in preparing for GDPR and data governance is to put file integrity monitoring (FIM) in place as part of the security strategy protecting that data.
Compliance drivers differ in how explicitly they call for FIM: PCI DSS requires change-detection on critical system files (Requirement 11.5), while HIPAA and GDPR do not name FIM but do require integrity controls and the ability to detect and respond to security incidents, which FIM directly supports. Beyond compliance, your system security is significantly weaker if you cannot readily identify and deal with unexpected change. Without a FIM solution you are exposed to external threats such as malware that modifies binaries or configuration, as well as unknown or internally made changes, any of which can compromise your security posture.
To learn more about CimTrak’s file integrity monitoring software, download our Definitive Guide to File Integrity Monitoring today.
January 3, 2018