Kate Carruthers
UNSW Sydney
Data governance – an essential foundation to good cyber security practice

Key takeaways
A data & information governance program is an essential foundation for an effective cyber security program; it enables:
• investment decisions for scarce cyber dollars
• effective data risk management
• efficient direction of cyber resources
9/10/19 Data & Information Governance Office 2

"Data governance is the organization and implementation of policies, procedures, structure, roles, and responsibilities which outline and enforce rules of engagement, decision rights, and accountabilities for the effective management of information assets."
(John Ladley, Data Governance: How to Design, Deploy and Sustain an Effective Data Governance Program, 2012)

Cyber security AND info security
Cybersecurity: “The ability to protect or defend the use of cyberspace from cyber attacks.”
Source: NIST Computer Security Resource Center - CNSSI-4009-2015
Information Security: “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Source(s): NIST Computer Security Resource Center - FIPS 199 (44 U.S.C., Sec. 3542)

Traditional 3 lines of defence model
1st line of defence – functions that own and manage risk
2nd line of defence – functions that specialise in risk management and compliance
3rd line of defence – functions that provide independent assurance and internal audit

[Diagram: the three lines of defence model, from https://www.iia.org.uk/resources/audit-committees/governance-of-risk-three-lines-of-defence/]
[Diagram: the three lines of defence model with Cyber security, Information Security, and Data & Information Governance, from the same source]

New models
“Cybersecurity should be managed as a risk discipline across the three lines of defense — ownership, oversight and assurance.” — Accenture
https://www.accenture.com/t20170803t055319z__w__/us-en/_acnmedia/pdf-7/accenture-cyber-risk-convergence-of-operational-risk-and-cyber-security.pdf#zoom=50

Cybersecurity and enterprise risk management are a key focus for UNSW’s Council and Management
Data & information governance are a key foundation for cybersecurity

Why?
“Complexity is a defining feature of the digital era, & we are not adjusting our governance structures to manage it.”
Kent Aiken, Prime Minister’s Fellow, Public Policy Forum Canada, 2017

Data management
• We all know the DMBOK wheel
• But it is not enough
• That was for the olden days when data operations were simple
• Privacy is not there
• Ethics is not there
https://dama.org/content/dmbok-2-wheel-images
[Diagram, source: https://www.accenture.com/us-en/blogs/blogs-new-data-ethics-guidelines-organizations-digital-trust]

The essential five
• Privacy
• Cyber Security
• Risk Management
• Ethics
• Data & Information Governance

The 5 Knows
• Do you know who has access to your data?
• Do you know the value of your data?
• Do you know where your data is?
• Do you know who is protecting your data?
• Do you know how well your data is protected?
(Value, Access, Location, Security, Protection)
Source: Mike Burgess, https://www.cio.com.au/article/583438/telstra-five-knows-cyber-security/

How DG helps with defence in depth
It helps to:
1. Identify data at risk
2. Locate sensitive data
3. Ensure that sensitive data is stored and managed properly
4. Identify sensitive data users
5. Ensure consistent data access processes
6. Ensure safer access to sensitive data

DG Foundations
• Data Governance Policies & Procedures
• Data Roles & Responsibilities
• Data Classification Standard
• Data Handling Guideline
• Data Security Practices

[Diagram: Data Classification]

UNSW Data Handling Guideline
Lifecycle stages for data are:
1. Creation
2. Access
3. Storage
4. Transmission
5. Processing
6. Integration & Flow
7. Retention & Disposal
8. Management

Alignment – DG, Privacy, Risk, Ethics, IT & Cyber
[Diagram elements: Information literacy; Data driven improvements; Policies & Standards; Information Quality; Privacy, Compliance, Security; Architecture, Integration; Establish Decision Rights; Stewardship; Assess Risk & Define Controls; Consistent Data Definitions]
Adapted from University of Wisconsin Data Governance Framework

Fundamentals
• Data ownership
• Data classification
• Data handling guideline
• Information Security Management System
Boundaries between DG & IT/Cyber teams – collaboration is critical

Identify data at risk
• Who in the organisation is using sensitive data
• Location of data and how the data flows through the enterprise
• Organisational data stewardship ensures business ownership of the process
• Data access management can assist with identification of who has access to which data
• Can assist in mitigating the risk of people being the biggest cause of information security incidents

People, process & technology
• Metadata management
• Master data management
• Established roles and responsibilities in the organisation - data owners & stewards, data specialists, etc.
• Specific measures of data quality
Confidentiality – prevent unauthorised disclosure
Integrity – data cannot be modified in an unauthorised manner
Availability – information should be available for authorised users

What we’ve learned so far
1. Methodically build up defensive layers
2. Every day do one thing better
3. Data governance, information security & cyber security are essential risk management functions
4. Info sec is a team sport and it needs DG, Risk, Ethics, IT & Cyber, Privacy to work collaboratively
5. It is a journey not a destination

Some handy resources
https://research.unsw.edu.au/research-data-management-unsw
https://www.datagovernance.unsw.edu.au/

Cybersecurity is a team sport. Nobody wins at this game alone.

Apply What You Have Learned Today
• Next week you should:
  • Discover your organisation’s data governance function
• In the first three months following this presentation you should:
  • Consider establishing a data governance function (if you don’t already have one)
  • Define appropriate controls for data governance & establish a cross functional team
• Within six months you should:
  • Drive the implementation of your data governance program if you don’t already have one, or
  • Get your head around how DG works with risk and cyber to protect your organisation

Thank you
k.carruthers@unsw.edu.au
@kcarruthers
