Key takeaways
A data & information governance program is an essential foundation for an effective cyber security program. It enables:
• investment decisions for scarce cyber dollars
• effective data risk management
• efficient direction of cyber resources
3. 9/10/19 Data & Information Governance Office 2
"Data governance is the organization and implementation of policies, procedures, structure, roles, and responsibilities which outline and enforce rules of engagement, decision rights, and accountabilities for the effective management of information assets."
(John Ladley, Data Governance: How to Design, Deploy and Sustain an Effective Data Governance Program, 2012)
Cyber security AND info security
Cybersecurity:
“The ability to protect or defend the use of cyberspace from cyber attacks.”
Source: NIST Computer Security Resource Center - CNSSI-4009-2015
Information Security:
“The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Source(s): NIST Computer Security Resource Center - FIPS 199 (44 U.S.C., Sec. 3542)
Traditional 3 lines of defence model
1st line of defence – functions that own and manage risk
2nd line of defence – functions that specialise in risk management and compliance
3rd line of defence – functions that provide independent assurance and internal audit
New models
“Cybersecurity should be managed as a risk discipline across the three lines of defense — ownership, oversight and assurance.”
— Accenture
https://www.accenture.com/t20170803t055319z__w__/us-en/_acnmedia/pdf-7/accenture-cyber-risk-convergence-of-operational-risk-and-cyber-security.pdf#zoom=50
Data & information governance are a key foundation for cybersecurity.
Cybersecurity and enterprise risk management are a key focus for UNSW’s Council and Management.
Why?
“Complexity is a defining feature of the digital era, & we are not adjusting our governance structures to manage it.”
Kent Aiken, Prime Minister’s Fellow, Public Policy Forum Canada, 2017
Data management
• We all know the DMBOK wheel
• But it is not enough
• That was for the olden days when data operations were simple
• Privacy is not there
• Ethics is not there
https://dama.org/content/dmbok-2-wheel-images
The essential five
Privacy
Cyber Security
Risk Management
Ethics
Data & Information Governance
• Do you know who has access to your data?
• Do you know the value of your data?
• Do you know where your data is?
• Do you know who is protecting your data?
• Do you know how well your data is protected?
Source: Mike Burgess, https://www.cio.com.au/article/583438/telstra-five-knows-cyber-security/
The 5 Knows: Value, Access, Location, Security, Protection
How DG helps with defence in depth
It helps to:
1. Identify data at risk
2. Locate sensitive data
3. Ensure that sensitive data is stored and managed properly
4. Identify sensitive data users
5. Ensure consistent data access processes
6. Ensure safer access to sensitive data
DG Foundations
Data Governance Policies & Procedures
Data Roles & Responsibilities
Data Classification Standard
Data Handling Guideline
Data Security Practices
Alignment – DG, Privacy, Risk, Ethics, IT & Cyber
Framework elements: Information literacy; Data driven improvements; Policies & Standards; Information Quality; Privacy, Compliance, Security; Architecture, Integration; Establish Decision Rights; Stewardship; Assess Risk & Define Controls; Consistent Data Definitions
Adapted from University of Wisconsin Data Governance Framework
Fundamentals
Data ownership
Data classification
Data handling guideline
Information Security Management System
Boundaries between DG & IT/Cyber teams – collaboration is critical
Identify data at risk
• Who in the organisation is using sensitive data
• Location of data and how the data flows through the enterprise
• Organisational data stewardship ensures business ownership of the process
• Data access management can assist with identification of who has access to which data
• Can assist in mitigating the risk of people being the biggest cause of information security incidents
People, process & technology
• Metadata management
• Master data management
• Established roles and responsibilities in the organisation - data owners & stewards, data specialists, etc.
• Specific measures of data quality
• Confidentiality – prevent unauthorised disclosure
• Integrity – data cannot be modified in an unauthorised manner
• Availability – information should be available for authorised users
What we’ve learned so far
1. Methodically build up defensive layers
2. Every day do one thing better
3. Data governance, information security & cyber security are essential risk management functions
4. Info sec is a team sport and it needs DG, Risk, Ethics, IT & Cyber, Privacy to work collaboratively
5. It is a journey not a destination
Cybersecurity is a team sport. Nobody wins at this game alone.
Apply What You Have Learned Today
• Next week you should:
  • Discover your organisation’s data governance function
• In the first three months following this presentation you should:
  • Consider establishing a data governance function (if you don’t already have one)
  • Define appropriate controls for data governance & establish a cross functional team
• Within six months you should:
  • Drive the implementation of your data governance program if you don’t already have one, or
  • Get your head around how DG works with risk and cyber to protect your organisation