(1)


The Elements of a Data Governance Program: People, Practices, Policies and Technology

Joseph Alhadeff,

(2)

The Roadmap…

• The next frontier

• The Issues/Lessons of TAS3

• The “accountable” organization/Governance, Canadian Style

• Focus on Technology in support of Compliance

(3)

Global Data Flows/Big Data

• The Digital Economy and Information Society have enabled business to distribute functions across geographies (payment processing, credit verification, customer service, support, data centers, follow-the-sun service models)

• New services are driving even more increased information flows, and customers may enter the system across multiple channels/devices, from many jurisdictions, and in multiple roles

• Consumers as content creators, application developers and publishers

• Big Data – Big Brother OR “something really cool and marvelous that happens when you get enough data together” (Jeff Jonas)

• The new continuum – Raw data, context, correlation, analytics, actionable information – learning and responsible information management over the data lifecycle

(4)

Continuum: Individual, System, and Ecosystem

(5)

Privacy question across the generations

2001 – HAL:

• Where is my information?

• Who controls it?

• Who has access?

• How is it being used?

• Who is it being shared with?

• Who is looking out for my interests?

2012 – LIZ*:

• Do you have an accountable privacy program?

• Organizational policies, practices, technology components

• Ecosystem?

• Measurement

• Continuous improvement

(6)

The Story…

Addressing today's security and privacy challenges can be summarized as getting the right data to the right people at the right time. Security and privacy challenges can also be summarized as preventing unauthorized access throughout the data lifecycle. This implies simplifying access for the right people while making access by the wrong people cumbersome, expensive and easily detected. Success in this endeavor depends on a combination of people, processes and technology. Technology is designed to facilitate authorized access in a repeatable and auditable fashion, and the systems themselves can be designed to promote data governance in a way that enhances accountability for the organizations that build and manage them.

• Sun Technical White Paper, ‘Engineering for Data Protection and Accountability’, May 2007,

(7)

Stop looking for the Silver Bullet….

Policies, Procedures, Contracts, Compliance, Technology/Systems Architecture, Privacy by Design, People, Accountability and Governance

Thomas Richard, Data Protection in the European Union, Promising Themes for Reform, European Privacy and Data Protection Commissioners’ Conference, Edinburgh, 24 April 2009

(8)

Trusted Architecture for Securely Shared Services

FP7 Project

The collaborative and interactive development of technology, law and policy in support of privacy, security and trust.

Technology assures the first hop; law and policy fill ecosystem and value chain gaps.

(9)


TAS3 Contractual and

(10)

Benefits of a Coordinated Approach

• Data Hubs, HR, Health Care – all facets are relying on information from multiple sources

• Better understand controls, policies, reliability and requirements related to shared information

• Clarity of use and security models

• Source and integrity issues

• Developing trust to enable sharing

[Diagram: Technology; Legal Requirements; Policies; Sticky Policies]

(11)

Risk Management: Accountable Privacy, Policy and Legal processes

• User interface

• Effective preference/profile management as opposed to numbing micromanagement

• Legal

• Chain of accountability

• Individual, system and ecosystem

• T’s and C’s

• Uses – privacy limits

• Security – levels, technology…

• Jurisdiction – Applicable law

• Business Need

• “Why” is an Essential Driver

• “How” is the way you comply

• Organizational Competence

• Program organization, oversight and buy in

• Staffing/resources

• Practices & Policies

• Credible response

• Evaluation and measurement

• Training, testing and oversight

(12)

New Governance Paradigm

• Responsible Information Management

• Stewardship of information

• Transparency

• Controls

• Proof/Audit/Testing

• Information Lifecycle

• Training

• Learning Organization

• Oversight

• Compliance

• Incident management

• Disaster recovery

(13)

Privacy by Design Not Always Apparent

• Understand the role of system and ecosystem

• Privacy also has to be designed into processes and inculcated into people

• “Privacy is a team sport”

• Privacy as enabler not barrier

• Every compliance requirement is an opportunity

(14)

Compliance As Opportunity (PIA…)

Privacy and security requirements often make you generate system information, review and test controls and develop methods of oversight and reporting…

• How can you use the new information generated?

• How can you better understand your system through analyzing controls and how they work?

• How much will this improve security?

• How can this help you understand your overhead and efficiency to make you more effective?

• Make the reports useful to you as well as to the oversight function

(15)

The Opportunity: 1+1= 3 …

The new math is not a zero-sum game

• Security and Privacy need to be considered together as mutually reinforcing and can be optimized together.

• Security and privacy regulation is overlapping in jurisdiction and impact

• Security and privacy professionals don’t always know how to interact or speak the same language

• New compliance solution for each problem makes no sense – 70-80% common solution

(16)

Compliance Methodology

• Outline the rule(s)

• Identify and assemble the team

• Identify / classify the information

• Map the information and flows

• Broad understanding of the technology possibilities

• Develop policies, practices and procedures

• Identify needed controls and possible control points

• Optimize the processes

(17)

Technology in support of compliance: IDM – Canada, Leading by example

• Pan Canadian Strategy for IDM and Authentication

• BC “claims based” IDM

• Leveraging identity

• Getting to critical mass

• SecureKey/FS orgs

• Federating Credentials

• eventually Identity

• What level of trust in the credential, required for the service…

• The New Chokhani/Ford Straw man ??

• Authenticating the individual to the system and transaction

(18)

Allocating rights and responsibilities beyond authentication

• Governance beyond the “first hop”

• Once authenticated, how do you associate rights and privileges?

• Who controls those decisions?

• Are they application specific?

• How do you accomplish this across domains?

• How do you build in challenges and safeguards?

• Oversight, audit and investigatory needs?

(19)

Oracle Solution Flavours

• Identity Federation

  • Transient Federation

  • Account mapping/linking

  • Attribute Federation

• Adaptive Access Manager

  • Risk-based access control

  • Multi-factor authentication

  • Proactive real-time fraud prevention

• Entitlements Server

  • Apps-level security management

  • Policy Information/Decision Points

• Data Masking
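As an added illustration of the "beyond the first hop" questions above (this code is not from the slides or from any product named on them), the following policy decision point takes a federated assertion carrying the credential's assurance level and the home domain's attributes, maps partner-domain roles onto local entitlements, checks a per-service minimum trust level, and records every decision for oversight. The domain names, role names, assurance levels and policies are constructed assumptions.

```python
"""Minimal policy decision point (PDP) applied after authentication.
All domains, roles, assurance levels and policies below are constructed
for illustration; they are not the deck's or any product's values."""
from dataclasses import dataclass, field

# Constructed cross-domain attribute mapping: each partner domain names
# roles differently, so the relying party maps them onto its own vocabulary.
ROLE_MAP = {
    "hr.example": {"Recruiter": "hr_reader", "HRBP": "hr_writer"},
    "clinic.example": {"Clinician": "care_reader"},
}

@dataclass
class Assertion:
    subject: str
    issuer: str          # home domain (identity provider) that authenticated the subject
    assurance: int       # credential trust level asserted by the issuer
    attributes: dict     # attributes federated alongside the identity

@dataclass
class ServicePolicy:
    min_assurance: int   # credential trust level the service requires
    allowed_roles: set   # local entitlements that may use the service

@dataclass
class PDP:
    policies: dict                       # service name -> ServicePolicy
    audit: list = field(default_factory=list)  # decision trail for oversight

    def decide(self, a: Assertion, service: str) -> bool:
        pol = self.policies.get(service)
        # Translate the issuer's role vocabulary into local entitlements.
        local = {ROLE_MAP.get(a.issuer, {}).get(r) for r in a.attributes.get("roles", [])}
        local.discard(None)
        if pol is None:
            reason = "unknown service"
        elif a.issuer not in ROLE_MAP:
            reason = "issuer not federated"
        elif a.assurance < pol.min_assurance:
            reason = f"assurance {a.assurance} below required {pol.min_assurance}"
        elif not (local & pol.allowed_roles):
            reason = "no entitled role"
        else:
            reason = "ok"
        allowed = reason == "ok"
        # Every decision, allowed or denied, is logged with its reason.
        self.audit.append({"subject": a.subject, "issuer": a.issuer,
                           "service": service, "allowed": allowed, "reason": reason})
        return allowed
```

The deny reasons are what an oversight function reviews: a denial for insufficient assurance points at credential policy, while one for an unfederated issuer points at the trust relationship, not the user.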
