What CISOs Have to Know about Data Governance 

by Tori Thurmond / March 8th, 2023

With the amount of data organizations possess today, is true data governance possible anymore? CISOs’ jobs are becoming more challenging with the influx of data—not to mention the risk that goes along with that data. 

As a reminder, data governance is defined as:

“An organization’s internal process of ensuring data integrity, confidentiality, availability, quality, transparency, minimization of collection, access and use, defined legal bases for the use of data, and appropriate disclosures.”

Data governance aims to formalize control of data assets by taking into account the full spectrum of data security and privacy practices. In doing so, it empowers organizations and their leadership to exercise authority and guide decisions about data and its collection, storage, and processing in response to internal business requirements, external client requirements, and regulatory requirements.  

Because data is such an integral part of an organization’s services, products, values, revenue and reputation, if something goes wrong with data, the damage can be substantial. Finding a partner that will support the efforts of your organization’s CISO is integral to your data governance success. That’s why we’ve compiled a list of a few things CISOs need to know about data governance to best prepare your organization for today’s threats.  

1. Stay Up to Date on Data Privacy Laws  

New privacy laws and regulations are popping up all over the world, and those laws often combine specific data governance requirements with general data governance best practices. It can be hard to stay up to date on these new compliance laws and understand how and if they will affect your organization. However, failing to understand new privacy regulations could lead to fines and other legal issues that will cost your team time and money.  

New regulations paired with an influx of data may call for policy changes, contract addendums, technology solutions, and new ways of viewing data. CISOs, as well as other decision makers within an organization, need to prioritize complying with privacy laws to avoid falling behind competitors. Because keeping up can be difficult in this rapidly changing environment, here’s a grouping of privacy compliance white papers to prevent your organization from falling behind.  

2. Make Sure Policies are Updated 

Changing laws and regulations, combined with growing amounts of data, require your organization to be flexible with its policies. Policies should be reviewed and revised regularly to account for new data and the risk associated with it, and those changes should then be communicated to all relevant internal parties.

Are you requiring yearly employee policy review acknowledgements? Make sure all members of the organization review your organization’s policies at least once a year and after any major changes to them. Many frameworks require employee acknowledgements of security policies, but data governance policies should be reviewed and acknowledged as well.

3. Know Your Vendors  

When’s the last time you reviewed your third-party vendor contracts? Have you ever met your vendors in person? Do you and your vendors have privacy standards in place? What sort of confidentiality procedures does your organization have in place with third-party vendors? Have your vendors given you some evidence of compliance with privacy and confidentiality standards? 

It’s one thing to manage the data within your organization, but it’s another to know how your vendors are handling your organization’s data. The last thing you want is for someone else to damage the reputation of your organization, so check out this article for a few tips to make vendor management less intimidating. Finding a partner who is willing to review vendor policies and contracts, and even travel to meet your third-party vendors, is important.

One way to mitigate vendor risk is through regular risk assessments. Having your vendors’ risk assessed will highlight vulnerabilities you didn’t know about before they cause any damage to your organization.

Another method of monitoring vendor performance is reviewing your vendor’s third-party security and privacy audit reports. Their security affects yours, so make sure you’re doing your due diligence in understanding exactly how they are protecting your data.  

4. Find Balance Between Accessibility and Security

Different members of your organization and certain vendors need access to your data. Make sure you know where your data is located and how it is classified, so that access can be matched to job responsibilities and service provider needs. While you don’t want everyone to have access to all of your data all of the time, you do want the necessary parties to have access to specific data when their jobs require it.

Four questions to keep in mind when deciding who needs access to what data are: 

  1. What data elements are being collected (names, account numbers, user activity, etc.)?
  2. How is the data collected? 
  3. What is the data being used for? 
  4. Why is the data being collected? 

Once the how, what, and why are determined, knowing who should have access to what data should become easier.   

5. Delegate Certain Data Governance Responsibilities to Qualified Individuals

CISOs may not have the time, resources, independence, and expertise to meet their organization’s data governance needs. Having an individual dedicated to data governance supports the CISO while ensuring that no data governance details fall through the cracks.

Additionally, certain data privacy laws like GDPR require most organizations to appoint a Data Protection Officer. Having a dedicated Data Protection Officer means that organizations have an individual or a group with dedicated data governance responsibilities, including:

  • Reporting to senior management and the Board of Directors
  • The ability to provide opinions without any conflicting operational or business pressures
  • The time, technology, and people resources to focus on data governance
  • Expertise in data privacy, processing requirements, and best practices

Giving a CISO a formally appointed Data Protection Officer, or an informal resource to provide data governance expertise, oversight, training, and reporting, can reduce the burden on CISOs while elevating the maturity of an organization’s data governance program.

Partner with Someone Who Cares 

At KirkpatrickPrice, we’ve been in your shoes. We know how challenging it can be to keep up with changing regulations while trying to keep your organization’s assets as secure as possible.  

We would love to partner with you to strengthen your data governance strategy, help you identify the laws and regulations affecting your business, or answer any questions you have regarding data governance and management. Connect with a KirkpatrickPrice expert today to become unstoppable. 

About the Author

Tori Thurmond

Tori Thurmond has degrees in both professional and creative writing. She has over five years of copywriting experience and enjoys making difficult topics, like cybersecurity compliance, accessible to all. Since starting at KirkpatrickPrice in 2022, she's earned her CC certification from (ISC)2 which has aided her ability to contribute to the company culture of educating, empowering, and inspiring KirkpatrickPrice's clients and team members.