alan duncan, director of data governance, unsw e: [email protected] tw: @alan_d_duncan...

Alan Duncan, Director of Data Governance, UNSW

E: [email protected] Tw: @Alan_D_Duncan LinkedIn: http://www.linkedin.com/in/alandduncan Uncontrolled when printed

Ensuring Data Governance for effective data privacy and security

Alan D. Duncan September 2013

mailto:[email protected]

http://www.linkedin.com/in/alandduncan



A bit about me....

• Alan Duncan, Director of Data Governance, UNSW• 21 years Information Management & Business

Consulting– EDS, KPMG, CPW, Acuma, Pelion, SMS– Scottish Power, United Distillers, O2, Astra Zeneca,

Carphone Warehouse, Vodafone, Riyad Bank– Commonwealth Bank, NSW Roads & Maritime

Services, Centrelink, OATSIH, NSW Family & Community Services, CASA, AMSA, FaHCSIA, DAFF, Navy…

• Information-Management.com “Top 12 on Twitter”• Best supporting Actor, 2005 Barnet Drama Festival





…and a bit about UNSW.





Agenda

1. The capabilities required for an Enterprise approach to Data Governance

2. Regulatory requirements and compliance: privacy, security and openness

3. The relationship between Data Governance and Information Security

4. Achieving compliance in a cost effective manner





“The beginning of wisdom is the definition of terms”

PART1:

Capabilities for Enterprise Data Governance, sponsored by Socrates





Data Governance Principles

• We value – data and information as an asset and a strategic resource. Any information holdings will be appropriately protected.

• We trust – in our information and each other. Access to and use of data should promote trust and confidence.

• We share – information. Information is accessible, discoverable and transparent.

• We re-use – information from specified authoritative sources (“single source of truth”) and is collected in a consistent manner.

• We manage – information actively. Information is managed throughout its lifecycle and practices are standardised across the business.

• We govern – information. We have formally assigned information owners and stewards with clear accountability.

Data Governa

nce Principles

Information is treated as a organisational asset and is readily available to support evidence-based decision-making and informed action.





Drivers for improved IM & DG…

New information-processing technologiesCapabilities to meet unmet business needs

Market competition Agility to meet changing business demands?





…plus second-guessing future needs.





Target state for Data Governance

Current state Required state

Task/activity/function focussed Outcome oriented

Hierarchical approach Openness and collaboration

Hoarding of information Sharing of information

Silo mentality Conscious connectedness and collective benefit

Assumptions, approximations and caveats Explicit, contextualised evidence

Gatekeeping Service, communication & responsiveness

Inertia & delay Urgency, agility & time to value

De facto processes and no agreed rules of engagement

Empowerment (permission to act), supported by flexible, adaptable enabling processes

Sense of frustration Responsiveness and ability to act

Evangelism, methods, joined up collection strategies & change management





Information Management Operating Model

Enterprise Data Governance & Information Management

Information Asset Management (Process)

Metadata Management (Process)

Data Quality Management (Process)

Information Management Competency

Centre(Resources)

Information Ownership & Stewardship (Resources)

Information Management

Policies Framework (Controls)

Information Management Steering Committee

Master Data Management (Process)

IM Solutions Implementation (Process)

Records Management (Process)





Data Governance capabilities

Common Principles, Methods & Standards

Shared Data

Definitions

Visible data integrity

(traceability & lineage)

Accuracy and

completeness of data(in context)

Formal accountabil

ity & decision-making

Facilitate, communicate, support, broker, arbitrate

Information Services & Delivery Teams (e.g. IARO, FPM, Records, EDW)

Data Governance Unit

Incorrect Values

Incomplete information

Inconsistent results

Missing context

Repurposing unsuitable data

Complex calculations

Conflicting expectations

Trusted data

Proactive sharing

Insight & interpretation

Enter once, use many

Feedback loop

Inputs linked to outcomes

Service & engagement





Data Quality Management

“Get your facts first, then you can distort them as you please.”

Data Quality Management, sponsored by Mark Twain





Secondary

Support

Governance

Primary

Capability

Management

Strategy

Operations

Dimensions

Time

Expectations

Producs/Services

Measurements Funds

TechnologyLocation

Authority

Delivery

Instrument

Facilities

Development

Organisational Unit

Direction

Controls

Person

Information Model: Level 0 Domains

"When I use a word," Humpty Dumpty said in rather a scornful tone. "It means just what I choose it to mean - neither more or less.”

Information Models & Business Glossary, sponsored Lewis Carroll





Information Asset Management

Owners

AssetManagement

Tools

Governance

Admin

Experts

User Community

I nformationAsset

Steward

OwnersOwners

Information Asset Register (inventory)

System Interfaces map

“Science is organized knowledge. Wisdom is organized life.”

Information Asset Management, sponsored by Immanuel Kant





Common principles, methods & standards

“Whosoever desires constant success must change his conduct with the times.”

Continuous improvement, sponsored by Niccolo Machiavelli





Data Governance structures

“It is not only what we do, but also what we do not do, for which we are accountable.”

Formal accountability and decision-making, sponsored by Moliere





A word on Information Delivery Services…

Data Governance / Information Management Sponsoring Group

Data Governance Strategy & Roadmap





Evidence-based decision-making, sponsored by Carl Sagan

“I try not to think with my gut. If I‘m serious about understanding the world, thinking with anything besides my brain, as tempting as that might be, is likely to get me into trouble.”

TALKING POINT





“All I want is compliance with my wishes, after reasonable discussion.”

PART 2:Impact of regulatory requirements, sponsored by Winston Churchill





2. Implications of regulatory requirements

• The legislative agenda• Implications

– Privacy– Sensitivity– Openness– The Cloud?

• Bottom line

20





There’s a lot of legislation!• Freedom of Information Act 1982 (Cth)• Freedom of Information Amendment (Reform) Act 2010 (Cth)• Privacy Act 1988 (Cth)• Privacy Amendment (Private Sector) Act 2000• Privacy Amendment Act 2012 (Cth)• Privacy Amendments (Privacy Alerts) Bill 2013 (Cth)• State Records Act 1998 (NSW)• Government Information (Public Access) Act 2009 (NSW)• Privacy & Personal Information Protection Act 1998 (NSW)• Health Records & Information Privacy Act 2002 (NSW)• NSW Government Guide To Labelling Sensitive Information 2011 (NSW Financial &

Services)• Australian Government Cloud Computing Strategic Direction 2011 (AGIMO)• Australian Government Cloud Computing Policy 2013 (AGIMO)

21





Implications - Privacy

Privacy Classification Copying & storage implications

Electronic transmission implications

PERSONAL – HIGHLY SENSITIVE

Treat as PROTECTED (minimum standard)

Treat as PROTECTED (minimum standard)

PERSONAL Treat as X-IN-CONFIDENCE (min standard)

Treat as X-IN-CONFIDENCE (min standard)

PERSONAL –DIRECTION TO WAIVE



OTHER NON-PERSONAL Treat as UNRESTRICTED (minimum standard)

Treat as UNRESTRICTED (minimum standard)

22

Based on NSW State Privacy Principles (per PPIP Act 1998):

http://www.legislation.nsw.gov.au/maintop/view/inforce/act+133+1998+cd+0+N







Implications – Sensitivity/Security

Privacy Classification Copying & storage implications

Electronic transmission implications

HIGHLY PROTECTED Encrypted & physically secureControlled copy only

Encrypted

PROTECTED Encrypted & physically secure

Encrypted

X-IN-CONFIDENCE Unencrypted, physically secure

Encrypted if regular or frequent

UNRESTRICTED No specific considerations No specific considerations

23

Based on NSW State information labeling standards:

http://www.finance.nsw.gov.au/sites/default/files/backup_migrate/manual/Labelling%20Sensitive%20Information%202011.pdf










Is “Open Data” a good thing?

http://www.ted.com/talks/tim_berners_lee_the_year_open_data_went_worldwide.html

24







What about “The Cloud”?

25

In principle, it’s just another place to store data, so the security principles apply….





But the Uncle Sam has other ideas…

• US Patriot Act 2011• US Foreign Intelligence

Surveillance Act (FISA) 1978• FISA Amendment Act of 2008• Protect America Act of 2007It is suggested that data of sensitivity classifications X-IN-CONFIDENCE, PROTECTED and HIGHLY PROTECTED are not stored in public cloud-based solutions (Google, Dropbox, iCloud etc.)

26





“Need to know” principle, sponsored by Benjamin Franklin

“Three can keep a secret, if two of them are dead.”

TALKING POINT





PART 3: The relationship between Data Governance and Information Security, sponsored by Niccolo Machiavelli

“I’m not interested in preserving the status quo; I want to overthrow it.”





3. Relationship between Data Governance & Information Security

• Information Asset Management– Know what you’ve got!– Know who’s responsible for it.

• Data Classification– Know the implications

• Security delivery– Implementation of security controls– Partnerships & accountability

29





Aligning info assets with business outcomes

Owners

AssetManagement

Tools

Governance

Admin

Experts

User Community

I nformationAsset

Steward

OwnersOwners

The “Information Asset Community”

Information Asset Register (inventory)

System Interfaces map





Data Ownership & Stewardship

Plan

Construct, Create, Acquire

Commission, Organise,

Store Access Use Assess Maintain Retire

Rigorously evaluate the

decision at the earliest

stages of a proposal

before investing in new or

replacement assets.

Manage the procurement

whether it be a

construction, purchase,

lease or service

Minimise the cost and risk of ownership with effective

maintenance strategies and procedures.

Manage operational costs.

Evaluate the level of investment in assets to identify

functional or physical obsolescence, financial viability, re-

use opportunities and areas of unacceptable risk.

Consult with

stakeholders

and plan for

disposal of

assets.

Examine all

options to

achieve

service

delivery

objectives

and meet

business

requirements.

Information Owner

Chief Steward & IMCC (cross-functional, cross domain)

BusinessProcess

BusinessProcess

BusinessProcess

BusinessProcess

BusinessProcess

InformationStewards

NB Risk Point: Owner of data acquisition process may not be the most appropriate

owner for the information asset!





Evidence-based decision-making, sponsored by Aldous Huxley

“The deepest sin against the human mind is to believe things without evidence.”

TALKING POINT





PART 4:Compliance in a cost-effective manner, sponsored by Voltaire

“The art of government is to make two-thirds of a nation pay all it possibly can for the benefit of the other third.”





4. Achieving compliance in a cost-effective manner

• Delivering information value• Shared planning• Data lifecycle and SDLC

34





“True Facts”: Data Governance and Information as a Service

Identify measurable and targeted Business Outcomes

Why do we need information? For whom? What will we do differently?

Establish DG Operating Model

Who is accountable? By what processes?

Execute Activities & Tasks

How do we deliver? Who does the work?

Confirm the Information Holdings & Gaps

What do we need to provide? (Content + Context)

Implement DG/IMCC Services Catalogue:

What core capabilities do we need?




E: [email protected] Tw: @Alan_D_Duncan LinkedIn: http://www.linkedin.com/in/alandduncan Uncontrolled when printed 36

Tracking the value: Information Benefits Register

Information value to IT is typically characterised by improvements in

efficiency

Information Benefits Case monetises the expected value to derive from standing up the

IMCC/DG capability

Information value to Business is characterised by improvements in

effectiveness

Institutional reputation and compliance issues are benefitted

through avoiding or mitigating risk





Linking of Data Governance Lifecycle & SDLC

DP Ref DG Decision Point Name

DG-DP01 New Data In a Source System

DG-DP02 Customer Origination and Maintenance

DG-DP03 Data Movement / Migration

DG-DP04 Group Data Warehouse Integration

DG-DP05 Creation of Reporting & Analytics

DG-DP06 Feeding output data from Information Stores back into Operational Systems

DG-DP07 Create a New Data Store

DG-DP08Add new or make changes to an existing Classification Scheme (hierarchical or descriptive elements in Dimensional data)

Requirements Design Build Test Deploy BAU

Plan

Construct, Create, Acquire

Commission, Organise,

Store Access Use Assess Maintain Retire

Specific and explicit

milestones mapped into the Business

Operating Model & SDLC





Collaboration & knowledge sharing, sponsored by Lao Tsu

“Respond intelligently even to unintelligent treatment.”

FINAL THOUGHTS





Consistency of messaging, sponsored by Lewis Carroll

“What I tell you three times is true.”





Further readingDocument Link

AGIMO Cloud Computing Policy

http://agimo.gov.au/files/2012/04/Australian-Government-Cloud-Computing-Policy-Version-2.0.pdf

Data Compliance Beyond Borders

http://www.cloudpro.co.uk/cloud-essentials/compliance/5484/data-compliance-beyond-borders-why-we-should-be-paying-attention

UNSW Cyber Law Centre - Data Sovereignty & The Cloud

http://www.cyberlawcentre.org/data_sovereignty/CLOUD_DataSovReoprt_Full.pdf

Harvard Business Review – blog post

http://blogs.hbr.org/cs/2013/06/does_your_ceo_really_get_data.html?utm_source=Socialflow&utm_medium=Tweet&utm_campaign=Socialflow

Varonis – Security Incidents White Paper

http://cdn2.hubspot.net/hub/142972/file-213975880-pdf/research/Report_-_Security_Incidents_and_Real-time_Alerts.pdf%20

EU Working Party on Data Protection Reform – Article 29

http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130227_statement_dp_reform_package_en.pdf

Macquarie Telecom – The Cloud and Cross Border Risks

http://ozhub.com.au/wp-content/uploads/2011/10/Macquarie_Telecom_Cloud_and_Cross-Border_Risks.pdf?goback=%2Egde_3870872_member_254316622

41

And of course http://www.informationaction.blogspot.com.au/ !








http://www.cyberlawcentre.org/data_sovereignty/CLOUD_DataSovReoprt_Full.pdf



http://cdn2.hubspot.net/hub/142972/file-213975880-pdf/research/Report_-_Security_Incidents_and_Real-time_Alerts.pdf

http://cdn2.hubspot.net/hub/142972/file-213975880-pdf/research/Report_-_Security_Incidents_and_Real-time_Alerts.pdf



http://ozhub.com.au/wp-content/uploads/2011/10/Macquarie_Telecom_Cloud_and_Cross-Border_Risks.pdf?goback=.gde_3870872_member_254316622

http://ozhub.com.au/wp-content/uploads/2011/10/Macquarie_Telecom_Cloud_and_Cross-Border_Risks.pdf?goback=.gde_3870872_member_254316622

http://www.informationaction.blogspot.com.au/

http://www.informationaction.blogspot.com.au/

alan duncan, director of data governance, unsw e: [email protected] tw: @alan_d_duncan...

Documents

alan duncan

director of data governance

enterprise data governance

ensuring data governance

duncan linkedin

security alan

information security

unsw e