ensuring data governance for effective data privacy and security
Post on 11-Jan-2016
Alan Duncan, Director of Data Governance, UNSW
E: Alan.Duncan@unsw.edu.au Tw: @Alan_D_Duncan LinkedIn: http://www.linkedin.com/in/alandduncan Uncontrolled when printed
Ensuring Data Governance for effective data privacy and security
Alan D. Duncan September 2013
A bit about me....
• Alan Duncan, Director of Data Governance, UNSW
• 21 years Information Management & Business Consulting
  – EDS, KPMG, CPW, Acuma, Pelion, SMS
  – Scottish Power, United Distillers, O2, Astra Zeneca, Carphone Warehouse, Vodafone, Riyad Bank
  – Commonwealth Bank, NSW Roads & Maritime Services, Centrelink, OATSIH, NSW Family & Community Services, CASA, AMSA, FaHCSIA, DAFF, Navy…
• Information-Management.com “Top 12 on Twitter”
• Best Supporting Actor, 2005 Barnet Drama Festival
…and a bit about UNSW.
Agenda
1. The capabilities required for an Enterprise approach to Data Governance
2. Regulatory requirements and compliance: privacy, security and openness
3. The relationship between Data Governance and Information Security
4. Achieving compliance in a cost effective manner
“The beginning of wisdom is the definition of terms”
PART 1: Capabilities for Enterprise Data Governance, sponsored by Socrates
Data Governance Principles
• We value – data and information as an asset and a strategic resource. Any information holdings will be appropriately protected.
• We trust – in our information and each other. Access to and use of data should promote trust and confidence.
• We share – information. Information is accessible, discoverable and transparent.
• We re-use – information from specified authoritative sources (“single source of truth”). Information is collected in a consistent manner.
• We manage – information actively. Information is managed throughout its lifecycle and practices are standardised across the business.
• We govern – information. We have formally assigned information owners and stewards with clear accountability.
Data Governance Principles
Information is treated as an organisational asset and is readily available to support evidence-based decision-making and informed action.
Drivers for improved IM & DG…
• New information-processing technologies
• Capabilities to meet unmet business needs
• Market competition
• Agility to meet changing business demands?
…plus second-guessing future needs.
Target state for Data Governance
Current state -> Required state
• Task/activity/function focussed -> Outcome oriented
• Hierarchical approach -> Openness and collaboration
• Hoarding of information -> Sharing of information
• Silo mentality -> Conscious connectedness and collective benefit
• Assumptions, approximations and caveats -> Explicit, contextualised evidence
• Gatekeeping -> Service, communication & responsiveness
• Inertia & delay -> Urgency, agility & time to value
• De facto processes and no agreed rules of engagement -> Empowerment (permission to act), supported by flexible, adaptable enabling processes
• Sense of frustration -> Responsiveness and ability to act
Evangelism, methods, joined up collection strategies & change management
Information Management Operating Model
Enterprise Data Governance & Information Management
• Information Management Steering Committee
• Information Management Policies Framework (Controls)
• Information Management Competency Centre (Resources)
• Information Ownership & Stewardship (Resources)
• Information Asset Management (Process)
• Metadata Management (Process)
• Data Quality Management (Process)
• Master Data Management (Process)
• IM Solutions Implementation (Process)
• Records Management (Process)
Data Governance capabilities
Capabilities:
• Common Principles, Methods & Standards
• Shared Data Definitions
• Visible data integrity (traceability & lineage)
• Accuracy and completeness of data (in context)
• Formal accountability & decision-making
Data Governance Unit: facilitate, communicate, support, broker, arbitrate
Information Services & Delivery Teams (e.g. IARO, FPM, Records, EDW)
Problems such as: Incorrect values; Incomplete information; Inconsistent results; Missing context; Repurposing unsuitable data; Complex calculations; Conflicting expectations
Outcomes: Trusted data; Proactive sharing; Insight & interpretation; Enter once, use many; Feedback loop; Inputs linked to outcomes; Service & engagement
Data Quality Management
“Get your facts first, then you can distort them as you please.”
Data Quality Management, sponsored by Mark Twain
Information Model: Level 0 Domains
Groupings: Primary, Secondary, Support, Governance, Capability, Management, Strategy, Operations
Domains: Dimensions, Time, Expectations, Products/Services, Measurements, Funds, Technology, Location, Authority, Delivery, Instrument, Facilities, Development, Organisational Unit, Direction, Controls, Person
“When I use a word,” Humpty Dumpty said in rather a scornful tone. “It means just what I choose it to mean - neither more nor less.”
Information Models & Business Glossary, sponsored by Lewis Carroll
Information Asset Management
• Information Asset
• Owners
• Steward
• Governance
• Admin
• Experts
• Tools
• Asset Management
• User Community
• Information Asset Register (inventory)
• System Interfaces map
“Science is organized knowledge. Wisdom is organized life.”
Information Asset Management, sponsored by Immanuel Kant
Common principles, methods & standards
“Whosoever desires constant success must change his conduct with the times.”
Continuous improvement, sponsored by Niccolo Machiavelli
Data Governance structures
“It is not only what we do, but also what we do not do, for which we are accountable.”
Formal accountability and decision-making, sponsored by Moliere
A word on Information Delivery Services…
Data Governance / Information Management Sponsoring Group
Data Governance Strategy & Roadmap
Evidence-based decision-making, sponsored by Carl Sagan
“I try not to think with my gut. If I’m serious about understanding the world, thinking with anything besides my brain, as tempting as that might be, is likely to get me into trouble.”
TALKING POINT
“All I want is compliance with my wishes, after reasonable discussion.”
PART 2: Impact of regulatory requirements, sponsored by Winston Churchill
2. Implications of regulatory requirements
• The legislative agenda
• Implications
  – Privacy
  – Sensitivity
  – Openness
  – The Cloud?
• Bottom line
There’s a lot of legislation!
• Freedom of Information Act 1982 (Cth)
• Freedom of Information Amendment (Reform) Act 2010 (Cth)
• Privacy Act 1988 (Cth)
• Privacy Amendment (Private Sector) Act 2000
• Privacy Amendment Act 2012 (Cth)
• Privacy Amendments (Privacy Alerts) Bill 2013 (Cth)
• State Records Act 1998 (NSW)
• Government Information (Public Access) Act 2009 (NSW)
• Privacy & Personal Information Protection Act 1998 (NSW)
• Health Records & Information Privacy Act 2002 (NSW)
• NSW Government Guide To Labelling Sensitive Information 2011 (NSW Financial & Services)
• Australian Government Cloud Computing Strategic Direction 2011 (AGIMO)
• Australian Government Cloud Computing Policy 2013 (AGIMO)
Implications - Privacy
Privacy classification        | Copying & storage implications              | Electronic transmission implications
PERSONAL – HIGHLY SENSITIVE   | Treat as PROTECTED (minimum standard)       | Treat as PROTECTED (minimum standard)
PERSONAL                      | Treat as X-IN-CONFIDENCE (minimum standard) | Treat as X-IN-CONFIDENCE (minimum standard)
PERSONAL – DIRECTION TO WAIVE | Treat as X-IN-CONFIDENCE (minimum standard) | Treat as X-IN-CONFIDENCE (minimum standard)
OTHER NON-PERSONAL            | Treat as UNRESTRICTED (minimum standard)    | Treat as UNRESTRICTED (minimum standard)
Based on NSW State Privacy Principles (per PPIP Act 1998):
http://www.legislation.nsw.gov.au/maintop/view/inforce/act+133+1998+cd+0+N
Implications – Sensitivity/Security
Sensitivity classification | Copying & storage implications                       | Electronic transmission implications
HIGHLY PROTECTED           | Encrypted & physically secure; controlled copy only  | Encrypted
PROTECTED                  | Encrypted & physically secure                        | Encrypted
X-IN-CONFIDENCE            | Unencrypted, physically secure                       | Encrypted if regular or frequent
UNRESTRICTED               | No specific considerations                           | No specific considerations
Based on NSW State information labeling standards:
http://www.finance.nsw.gov.au/sites/default/files/backup_migrate/manual/Labelling%20Sensitive%20Information%202011.pdf
Is “Open Data” a good thing?
http://www.ted.com/talks/tim_berners_lee_the_year_open_data_went_worldwide.html
What about “The Cloud”?
In principle, it’s just another place to store data, so the security principles apply….
But Uncle Sam has other ideas…
• US Patriot Act 2011
• US Foreign Intelligence Surveillance Act (FISA) 1978
• FISA Amendment Act of 2008
• Protect America Act of 2007
It is suggested that data of sensitivity classifications X-IN-CONFIDENCE, PROTECTED and HIGHLY PROTECTED are not stored in public cloud-based solutions (Google, Dropbox, iCloud etc.)
“Need to know” principle, sponsored by Benjamin Franklin
“Three can keep a secret, if two of them are dead.”
TALKING POINT
PART 3: The relationship between Data Governance and Information Security, sponsored by Niccolo Machiavelli
“I’m not interested in preserving the status quo; I want to overthrow it.”
3. Relationship between Data Governance & Information Security
• Information Asset Management
  – Know what you’ve got!
  – Know who’s responsible for it.
• Data Classification
  – Know the implications
• Security delivery
  – Implementation of security controls
  – Partnerships & accountability
Aligning info assets with business outcomes
The “Information Asset Community”:
• Information Asset
• Owners
• Steward
• Governance
• Admin
• Experts
• Tools
• Asset Management
• User Community
• Information Asset Register (inventory)
• System Interfaces map
Data Ownership & Stewardship
Data lifecycle stages: Plan; Construct, Create, Acquire; Commission, Organise, Store; Access; Use; Assess; Maintain; Retire
• Rigorously evaluate the decision at the earliest stages of a proposal before investing in new or replacement assets.
• Examine all options to achieve service delivery objectives and meet business requirements.
• Manage the procurement whether it be a construction, purchase, lease or service.
• Minimise the cost and risk of ownership with effective maintenance strategies and procedures. Manage operational costs.
• Evaluate the level of investment in assets to identify functional or physical obsolescence, financial viability, re-use opportunities and areas of unacceptable risk.
• Consult with stakeholders and plan for disposal of assets.
Roles: Information Owner; Chief Steward & IMCC (cross-functional, cross-domain); Information Stewards attached to each Business Process
NB Risk Point: Owner of data acquisition process may not be the most appropriate owner for the information asset!
Evidence-based decision-making, sponsored by Aldous Huxley
“The deepest sin against the human mind is to believe things without evidence.”
TALKING POINT
PART 4: Compliance in a cost-effective manner, sponsored by Voltaire
“The art of government is to make two-thirds of a nation pay all it possibly can for the benefit of the other third.”
4. Achieving compliance in a cost-effective manner
• Delivering information value
• Shared planning
• Data lifecycle and SDLC
“True Facts”: Data Governance and Information as a Service
• Identify measurable and targeted Business Outcomes: Why do we need information? For whom? What will we do differently?
• Establish DG Operating Model: Who is accountable? By what processes?
• Execute Activities & Tasks: How do we deliver? Who does the work?
• Confirm the Information Holdings & Gaps: What do we need to provide? (Content + Context)
• Implement DG/IMCC Services Catalogue: What core capabilities do we need?
Tracking the value: Information Benefits Register
• Information value to IT is typically characterised by improvements in efficiency.
• Information value to Business is characterised by improvements in effectiveness.
• Institutional reputation and compliance benefit through avoiding or mitigating risk.
• The Information Benefits Case monetises the expected value to derive from standing up the IMCC/DG capability.
Linking of Data Governance Lifecycle & SDLC
DP Ref  | DG Decision Point Name
DG-DP01 | New Data in a Source System
DG-DP02 | Customer Origination and Maintenance
DG-DP03 | Data Movement / Migration
DG-DP04 | Group Data Warehouse Integration
DG-DP05 | Creation of Reporting & Analytics
DG-DP06 | Feeding output data from Information Stores back into Operational Systems
DG-DP07 | Create a New Data Store
DG-DP08 | Add new or make changes to an existing Classification Scheme (hierarchical or descriptive elements in Dimensional data)
SDLC stages: Requirements; Design; Build; Test; Deploy; BAU
Data lifecycle stages: Plan; Construct, Create, Acquire; Commission, Organise, Store; Access; Use; Assess; Maintain; Retire
Specific and explicit milestones mapped into the Business Operating Model & SDLC.
Collaboration & knowledge sharing, sponsored by Lao Tsu
“Respond intelligently even to unintelligent treatment.”
FINAL THOUGHTS
Consistency of messaging, sponsored by Lewis Carroll
“What I tell you three times is true.”
Further reading
AGIMO Cloud Computing Policy
http://agimo.gov.au/files/2012/04/Australian-Government-Cloud-Computing-Policy-Version-2.0.pdf
Data Compliance Beyond Borders
http://www.cloudpro.co.uk/cloud-essentials/compliance/5484/data-compliance-beyond-borders-why-we-should-be-paying-attention
UNSW Cyber Law Centre - Data Sovereignty & The Cloud
http://www.cyberlawcentre.org/data_sovereignty/CLOUD_DataSovReoprt_Full.pdf
Harvard Business Review – blog post
http://blogs.hbr.org/cs/2013/06/does_your_ceo_really_get_data.html?utm_source=Socialflow&utm_medium=Tweet&utm_campaign=Socialflow
Varonis – Security Incidents White Paper
http://cdn2.hubspot.net/hub/142972/file-213975880-pdf/research/Report_-_Security_Incidents_and_Real-time_Alerts.pdf%20
EU Working Party on Data Protection Reform – Article 29
http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2013/20130227_statement_dp_reform_package_en.pdf
Macquarie Telecom – The Cloud and Cross Border Risks
http://ozhub.com.au/wp-content/uploads/2011/10/Macquarie_Telecom_Cloud_and_Cross-Border_Risks.pdf?goback=%2Egde_3870872_member_254316622
And of course http://www.informationaction.blogspot.com.au/ !