Data Governance. Whitepaper: Implementing a Strategic Plan

Academic year: 2021


SPHERE Technology Solutions | 50 Harrison Street, Hoboken, NJ 07030 | 201-659-6204 1

Table of Contents

Executive Summary ... 2
Governance Policy ... 3
Assessment ... 4
The Data ... 4
The People ... 5
Strategy Creation ... 6
Implementation ... 7
Summary ... 9


Executive Summary

Over the years, many organizations have turned a blind eye to the massive amounts of unstructured data that reside within their infrastructure, unless it causes an operational issue or delays in service delivery. More recently, however, organizations are being asked to understand and peel back the layers on what is actually going on in their environments. As these preliminary investigations get underway, many are discovering the critical issues they face in terms of compliance, security and an overall lack of oversight of their vast, and rapidly growing, data.

Initially, many organizations are asked to do this investigation in response to audit questions. Who owns what, what users have access to what, how data is being used, where it resides, etc. are answers firms must provide to their internal and external auditors. Most organizations have difficulty answering the simplest of these questions.

Not surprisingly, there is an increased need to have a handle on where information exists, and how it is accessed throughout an organization. The threat from both outside and inside sources is only increasing and unfortunately, not one industry is more vulnerable than any other. Financial institutions, pharmaceutical companies and others face increased scrutiny due to the alphabet soup of regulations that govern them.

Without a well-defined and well-executed governance plan, responding to audits, ensuring data is secure and managing information overall are causing aggravation, and in many cases elevated fines, for too many organizations.

The recent events that have struck major organizations include access to PII, hacks into secure systems and attempts to interrupt trading and financial systems. These will only increase in number and severity. They are incredibly important business drivers, in addition to the familiar DLP initiatives that have become of the utmost importance for many organizations. In order to mitigate any of these potential issues, any program needs to include a robust and proactive governance portion. Otherwise, the strategy is like closing the proverbial barn door after your data has escaped. Keeping data contained to the appropriate users will lessen the opportunity for wholesale data contamination and leakage.


Governance Policy

Creating a robust governance strategy can seem like an incredibly overwhelming activity. Instead of starting with complexity, take a simpler approach and build on top of it. The first stage of creating an effective policy is understanding that there are two basic building blocks that need to be clearly understood, independent of the demographics of your organization:

There are many types of “data” that exist as assets of an organization. Unstructured data, as opposed to structured and semi-structured data, is typically the most out of control, whether it’s email in a user’s mailbox, alerts that are sent to an Exchange public folder, PowerPoint presentations on a SharePoint site and, of course, all the data stored in the most commonly used file shares. Companies cannot accurately describe what they have or how much space it consumes.

Once we start taking our deep dive into the data, we focus on the second building block around “people”. We always find that there is a surprising amount of data that is easily accessible to people who shouldn’t have access to it. It is all too common to easily find the CEO’s helicopter schedule and learn that it is open to the entire company or compensation data that thousands of people can easily read and sometimes even modify! And now, with Enterprise Search solutions coming out in full force, employees can find information without even having to know where to explicitly look for it. What if a disgruntled employee or an external vendor used this information for an ill purpose?

Thinking about governance in terms of Data and People will allow you to create policies that are unique to your organization, but also ensure that you are focusing on the right areas of governance first. Still, there is no cookie cutter approach. If it’s going to work, it has to be tailored around how your business operates.

The remainder of this document focuses on how we take the basic concepts of Data and People and use them as stepping stones for building a robust governance program.


Assessment

The first, and almost always overlooked, stage for creating an effective Governance program, is knowing what you have on hand. Having a clear bi-directional view of your infrastructure, understanding the Data and the People and how they relate, will allow us to create policies and procedures that make sense for your unique organization.

The Data

Data is the crux of an organization, probably one of the most critical assets your company owns. And, this is not new; it’s always been the case. Over time, these critical assets have grown in size and number, and understanding all the metrics and statistics around your data is a pertinent component of the Assessment we undertake in order to move forward with the appropriate strategy.

Being able to accurately answer the critical questions listed below is vital for the creation of a substantive policy. Simply being able to answer them will put your organization ahead of your competitors, as most organizations have never had the time or energy to truly understand all the metrics related to the data assets that they own.

Critical Questions to Answer

Where does the data reside? How is the data distributed across servers or even regions? Is there a more efficient place to store it?

Is the data stale or active? Is it being accessed or modified? Is it a risk to maintain stale data longer than required by the regulations?

How much of it can be archived or is it needed in real-time? What are the effects on business processes or workflows when the data is moved?

How is it being used? Is it basic collaboration or a part of a complex workflow? Is it being used for non-business related purposes?

Should it be moved to an alternative repository? Is a certain repository required to be phased out, e.g. Exchange public folders?

Are the appropriate retention policies applied? What is being archived and does this meet regulatory requirements? Are policies configured in the most effective manner?


The People

Understanding the “People” is the second half of assessing your infrastructure in an effort to create an effective Governance strategy. This area is usually more dynamic and ever-changing, but needs to be truly understood, from many different angles. Focusing your assessment now on understanding the “Who” as opposed to the “What” will close the loop on a true and full assessment and deliver all the required information to move forward with creating an appropriate strategy.

Having a clear and concise understanding of how access is provided and utilized, who owns the data and what end-users would be affected by any changes, is of utmost importance. Coupling all this information we’ve learned around the “People” with what we’ve learned about the “Data”, gives you the full 360 degree view of your IT landscape.

Now, we’re ready to start creating the strategy.

Critical Questions to Answer

Who has access to what? How was that access provided? Is it a unique permission or inherited? What type of access? Can users change the access?

Is access open to all users? Is access open to an excessive number of users? Is the “Everyone” group or other "Default" permissions used?

Was the last access warranted? Is the access to data a common activity for a specific user or is this behavior abnormal?

Who owns the data? Is it the person who uses it the most or the manager of the people that use the data? Who is the true authoritative source for approvals?

Are we violating regulations such as SOX, PCI DSS, HIPAA, FISMA, FERC/NERC, etc.? What regulations for data access are we subject to? What about proactive programs like DLP?

Do I have the controls in place to determine policy violations? Are our policies only reactive? How can I prevent policy violations?


Strategy Creation

Now that we understand the landscape and where our risks are, we can start formulating a plan on remediating the infrastructure. When developing the strategy, it’s important to focus on more than just outlining the detailed tasks. Scope and brevity, use of existing tools vs. evaluating new tools, who will service what part of the project, etc. are the areas that need to be considered, as well.

Scope is important when deciding on the best strategy; you can’t have it all, and expecting to is not realistic. So, you need to identify what your “have to haves” are and what your “nice to haves” are. While we want to include all the bits that allow for enhanced governance, it is equally important that your requirements include all the components necessary to maintain business continuity and serve users with the least amount of disturbance, while still obtaining the governance goals you are trying to achieve.

Budgeting is critical in the process and can help isolate the “have to haves” from the “nice to haves”. More and more, technology leaders are being required to make the business case for expenditures. Given the high cost of a data breach, not just financially but to a company’s reputation as well, the cost can be easily justified. Add in storage savings and the cost of audit failures, and justifying the spending becomes much more realistic.

Next, create realistic timelines. This is not a short-term fix. It is a solution to a large and growing problem. Schedule appropriately, keeping in mind not just the time requirements of resources, but also how long it will take your end users to adopt any of the changes we are implementing. Slow and steady wins the race!

Prove the strategy with a Proof of Concept. This can be a short-term project, on a subset of data, but will represent the organization as a whole. Take one area that is identified as a high risk, such as your HR’s group shares, and assess the data, identify the strategy to resolve the issues found and use the remediation options as outlined in the next section, to prove the plan as a justifiable course of action.

Using a small, defined sample is an effective way of quickly identifying the needs of an organization. Recall that it is important to know what you have, where you have it and who is accessing the data as the first stepping stone in the creation of a strong strategy. Once you know the answers to those questions, you can identify future needs, how data is to be handled and who has responsibility for the ongoing maintenance of the data.

[Figure: strategy dimensions. Granularity; Complexity; Requirements; Progressiveness; Flexibility]


Implementation

The end-goal is to have a clean and streamlined infrastructure and make sure your data repository is not an endless abyss of information or a black hole. To achieve this you need to remediate the existing data and access. Afterwards, you’ll need all the right controls in place because data is only going to continue to grow, and you don’t want to exacerbate the problem. All the standards you’ve implemented on data and permissions already in the system need to be enforced for new data and access when it is provisioned. That being said, what do you do with the “dirty” data already there? It needs to be cleaned up. You can’t have two disjoint processes, one for new data and another for old.

Remediate the Current Infrastructure

The following is a process used for remediating existing data, independent of the repository. Systems and tools may differ from organization to organization, but the general process remains the same.

Step 1: Systematically categorize data as “Potentially Stale” and “Potentially Active”. There will always be an “Unknown” as well, for data that requires further investigation.

You can look at modification and access timestamps or whether there are any valid permissions. It’s important to understand that you always will have an “Unknown”. It’s impossible to simply draw a line in the sand, because with any systematic approach you can be wrong, and we must leave room for an “Unknown”. The goal is to make smart decisions with the metrics you use, but to keep in mind that there will be times when something needs to be looked at more closely.

[Figure: remediation flow. Potentially Stale / “Unknown” / Potentially Active; Usage & Repository Identification; Ownership and Permissions Validation; Stale → Stage 1 Deletion → Stage 2 Deletion → Stage 3 Deletion; Active]


Step 2: Remove the “Unknown” piece of the pie. Send a survey to likely owners of “Unknown” data and utilize their responses to categorize this data as either “Stale” or “Active”.

We can’t deny the fact that there will always be an “Unknown”, but the goal is to make that “Unknown” as small as possible. We need some input on what this data is and what to do with it. Surveys are the simplest way to accomplish this. Identify the individual who most likely has some knowledge of the data and ask them questions. Is it needed, who needs access, can we delete it, etc. are the answers that will get rid of the “Unknown” in the most accurate manner.

Step 3: For all “Stale” data, implement a staged deletion and/or archival. Multiple stages allow for additional fail-safes and minimize potential business disruption.

We want to get rid of the stale data, for the obvious reasons. But you never want to just hit the Delete key, because we’re talking about a lot of data. So, having stages of deletion helps make it seem like the data is gone, when it isn’t just yet. First, we can rename a folder or file by adding the words “To be Deleted” to the name. This warns users that it’s going to be deleted and prompts them to call their support staff to advise on the need to keep it. For all data where there were no support calls or reversal requests, we may then remove permissions, then a week later move it, then maybe finally hit the Delete key.

Every organization is different in the number of stages and the amount of time in between each stage. The important thing is to have these stages, because you need to avoid any form of business disruption as much as possible. Also, there needs to be a quick and easy method for chain of communication. For example, Help Desk needs to be able to reverse a change quickly, or even simply know where to look for all the stages and affected repositories.

Step 4: All “Active” data is further analyzed to determine how the data is being used and whether it belongs in the current repository.

Now, we’re left with just what’s needed to be maintained. It’s still a hodgepodge of data, but probably a third of what was originally sitting there. We can start understanding how the data is used and if there is a more appropriate home for the information to live. We can move data around based on what teams share what data and where. We can consolidate. We can reorganize now and create a repository structure that aligns with our business structure. This is also where you should start focusing on classification and taxonomy. Proactively identify what data is sensitive, confidential, etc.

Step 5: All “Active” data is assigned an owner, and this owner is required to validate the permissions across the data they own and continue to recertify.

From a governance perspective, you must identify ownership across this active data, have a clear and concise way of cataloguing this information and making the owners validate who should or shouldn’t have access. Understanding ownership and access can also assist in classification and taxonomy. Focus on Legal and HR owners, and perhaps add metadata to information they are currently accessing, changing and adding.

Step 6: Any “Active” data that is living in an inappropriate repository should be migrated.
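The Step 1 classification and the Step 3 staged deletion, together with the “Everyone”/default-group check from the People assessment, as an added example that is not code from the whitepaper or from SPHERE. The file-share inventory, the staleness threshold and grace band, the catch-all group names and the one-week stage gap are all constructed assumptions.

```python
"""Added example, not from the SPHERE whitepaper: bucket file-share entries into
Potentially Stale / Potentially Active / Unknown (Step 1), flag catch-all groups on
the ACL (People assessment) and lay out the staged deletion for stale data (Step 3)."""
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=365)   # assumed: untouched this long => stale
GRACE = timedelta(days=90)          # assumed: borderline band stays Unknown
STAGE_GAP = timedelta(days=7)       # assumed: one week between deletion stages
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}  # assumed list
TODAY = date(2021, 6, 30)           # constructed reference date for the run


@dataclass(frozen=True)
class Entry:
    path: str
    modified: date
    accessed: date
    principals: tuple  # ACL trustees; a raw "S-1-..." string is an orphaned SID


def resolvable(principal: str) -> bool:
    """An ACE whose trustee no longer resolves to an account is not a valid permission."""
    return not principal.startswith("S-1-")


def classify(entry: Entry, today: date = TODAY) -> str:
    """Step 1: decide the bucket, deliberately leaving room for Unknown."""
    if not any(resolvable(p) for p in entry.principals):
        return "Unknown"            # no live principal: nobody can vouch for it
    idle = today - max(entry.modified, entry.accessed)
    if idle < STALE_AFTER:
        return "Potentially Active"
    if idle >= STALE_AFTER + GRACE:
        return "Potentially Stale"
    return "Unknown"                # inside the grace band: do not draw the line here


def open_to_broad_group(entry: Entry) -> bool:
    """People assessment: is a default/catch-all group granted access?"""
    return any(p in BROAD_GROUPS for p in entry.principals)


def deletion_stages(entry: Entry, start: date = TODAY) -> list:
    """Step 3: rename first, then strip permissions, move, and only then delete.
    Every row keeps the original path so the Help Desk can reverse a stage."""
    name = entry.path.rsplit("/", 1)[-1]
    actions = ("rename to '%s - To be Deleted'" % name, "remove permissions",
               "move to quarantine share", "delete")
    return [(start + i * STAGE_GAP, act, entry.path) for i, act in enumerate(actions)]


def triage(inventory, today: date = TODAY) -> dict:
    """Bucket every entry and carry the broad-group flag alongside its path."""
    buckets = {"Potentially Stale": [], "Potentially Active": [], "Unknown": []}
    for e in inventory:
        buckets[classify(e, today)].append((e.path, open_to_broad_group(e)))
    return buckets


# Constructed inventory: four share entries with different signals.
INVENTORY = [
    Entry("//fs01/hr/2019 bonus plan.xlsx", date(2019, 3, 1), date(2019, 4, 2), ("Everyone",)),
    Entry("//fs01/hr/onboarding.docx", date(2021, 5, 3), date(2021, 6, 1), ("HR-Staff",)),
    Entry("//fs01/legacy/export.csv", date(2018, 1, 1), date(2018, 1, 1), ("S-1-5-21-1-2-3-1001",)),
    Entry("//fs01/hr/policy_draft.docx", date(2020, 5, 15), date(2020, 5, 15), ("HR-Staff",)),
]

if __name__ == "__main__":
    print(triage(INVENTORY), deletion_stages(INVENTORY[0]), sep="\n")
```

The policy draft lands in “Unknown” because it sits inside the grace band, and the export lands there because its only trustee is an orphaned SID: both are exactly the cases the survey in Step 2 exists for.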


Summary

Not all companies have the same needs for compliance, but all companies have a need for security, and therefore a need for a governance policy. In a world of ever-increasing data creation, where data is, who has access to it and what is being done with it need to be understood. Whether for compliance or security or both, companies must have a plan in place to deal with their information. Data is a critical asset and needs to be protected.

These projects can be daunting, especially for companies that have never taken the steps presented here. But it is imperative that companies, large and small, start now, before the issue gets completely out of control. There is no such thing as a perfectly governed environment. But having put the appropriate policies in place and adhering to them goes a long way toward mitigating any issues that may arise through a data breach or loss. Most importantly, there need to be processes in place for ensuring that all the remediation you’ve done does not go to waste. Make sure there are clear processes for ongoing maintenance, including entitlement reviews, access authorization workflows, infrastructure reporting, etc.

About SPHERE Technology Solutions

A specialized Systems Integrator and Services organization, SPHERE Technology Solutions (www.spheretechnologysolutions.com) is an acknowledged leader in the Data Governance, Compliance and Security field. Working with cutting edge technologies to provide concrete, business-relevant technology solutions as both project-based assignments and on-going managed services, along with strategic software sales and integration, SPHERE is the fastest growing, female-owned technology firm in New Jersey. Based in Hoboken, NJ with a global staff, SPHERE has been engaged by numerous Fortune 100 financial, pharmaceutical, transportation and manufacturing companies in the US and globally. By creating expertise in the niche field of data governance, security and compliance, SPHERE is uniquely qualified to add value to any organization.
