SlideShare a Scribd company logo
1 of 6
ISACA JOURNAL VOL 3 1
©2017 ISACA. All rights reserved. www.isaca.org
featurefeature
Regulators Are Driving Activities
In a joint sitting of the Basel Committee on Banking
Supervision (BCBS), the International Organization
of Securities Commissions (IOSCO) and the
International Association of Insurance Supervisors
(IAIS), regulators recognized the need for better
data quality.1
Banks were at the forefront of the
new regulatory requirements for enterprise data
management via the Basel BCBS 239, which was
introduced in 2013.2
BCBS 239 addressed the poor
quality of reports that were submitted to regulators
during the height of the global financial crisis and
outlined the need for:
• Metadata, single identifiers and unified naming
conventions for data. The latter two items are
concerned with enterprise master and reference
data management and are generally referred to as
MDM.3
• Established roles and responsibilities in the
enterprise—the data stewardship organization—
with respect to managing enterprise data4
• Specific measures of data quality5
BCBS 239 gave rise to the creation of new bank
departments and has been a driver of the chief data
officer (CDO) role to head the department, often with
a board or chief executive officer (CEO) mandate
to meet these regulatory requirements. Although
different in formality, structure and interpretation,
the CDO’s scope includes data governance, data
stewardship and enterprise data management.
Considering the original joint sitting of Basel (banking
industry), IAIS (insurance industry) and IOSCO
(securities industry), similar regulations could apply to
insurance and securities enterprises, too.
The relationship between cyber security and the
regulatory requirements for data governance, data
stewardship and enterprise data management is
set to strengthen. Enterprise data management
(EDM), data stewardship and data governance
are concerned with the what, who and how of
managing the enterprise data asset, respectively:
• Enterprise data management (the what)—
Enabling the business to make the most of its data
asset, supported by suitable tools and processes.
EDM objectives include measuring data quality (and
attesting to data and report quality); ensuring that
reference data, e.g., product codes, are accurate
(master data management); and ensuring that
business has the same understanding of various
business terms (metadata).
• Data stewardship (the who)—Identifying the
people/positions involved in EDM within the
business and ensuring the formal definition of
their responsibilities and accountabilities. A data
steward may need to measure the quality of a
data element each month to support regulatory
reporting; data stewardship formalizes these
responsibilities and accountabilities.
• Data governance (the how)—Establishing,
monitoring and sometimes enforcing policies,
procedures, standards and guidelines that are
related to the overall management of enterprise
data, with the goal of sustainably ensuring
data availability, usability and security. Data
governance activities provide direction and
structure to data stewardship and enterprise data
management activities.
Boosting Cyber Security With Data Governance
and Enterprise Data Management
Guy Pearce
Is managing partner of REData Performance Consulting, which specializes
in integrating data, governance, strategy, risk management and IT to
produce auditable, data-driven value for enterprises and their customers.
Pearce has served on the boards of directors of private and public
companies in the banking, financial services and retail industries over
the past decade and on their finance, risk, audit, credit, and information
and communications technology committees. Pearce can be reached at
pearcegf@gmail.com.
ISACA JOURNAL VOL 3 2
©2017 ISACA. All rights reserved. www.isaca.org
action, and the latter can result in unexpected and
undesirable business outcomes that can, in turn,
incur reputational and other risk for the enterprise.
Note that beyond absolute data quality, an enterprise
should also know how well data that are copied
by the enterprise from a production data source
downstream into, for example, a data warehouse
or data lake, remain accurate. Organizations need
to know that this copy—facilitating organizational
reporting and analytics—accurately reflects the
production data. This example describes relative data
quality that is assessed by means of data transport
validation processes. Regulators are interested in
absolute and relative data quality.
Positive Outcomes for Regulators
and Data Users
Data quality processes enable users to know if a
report can be trusted. For example, which report in
figure 1 is more trustworthy? Report A is certified
across four data-quality dimensions—accuracy,
integrity, completeness and timeliness—providing
assurance of its trustworthiness. Report B has
unknown quality and is unqualified, which is typical
of most business reports.
The same matter applies to those enterprises that
leverage analytics for enhanced business insights.
If one set of insights is quality certified and another
one is not certified, the former is more reliable to
Figure 1—Data Quality Comparison of Report A and Report B
Source: G. Pearce. Reprinted with permission.
A B
Statement of
cash flow
Balance sheet
Income
statement
Accuracy Integrity
Completeness Timelines
Accuracy
(unknown)
Integrity
(unknown)
Completeness
(unknown)
Timelines
(unknown)
Statement of
cash flow
Balance sheet
Income
statement
A B
Statement of
cash flow
Balance sheet
Income
statement
Accuracy Integrity
Completeness Timelines
Accuracy
(unknown)
Integrity
(unknown)
Completeness
(unknown)
Timelines
(unknown)
Statement of
cash flow
Balance sheet
Income
statement
ISACA JOURNAL VOL 3 3
©2017 ISACA. All rights reserved. www.isaca.org
Good Cyber Security Deploys
Multiple Lines of Defense
Cyber security strategies should create several
lines of defense against attackers. One such line
of cyberdefense is technology, e.g., for malware,
viruses and hackers. For some enterprises, this is
the only line of defense, which, unfortunately, still
leaves the enterprise exposed to residual cyberrisk.
Another line of defense is ensuring that staff
members are formally made aware of the risk that
is associated with data and that they act according
to defined data governance policies when handling
enterprise data. Yet another example is third-party
due diligence, in which data governance establishes
the cyber security expectations of third parties.
Corporate governance—the board of directors’
job—is the line of defense that looks at business
culture, beginning with setting the right tone about
risk at the very top of the enterprise.9
Four Ways Data Governance and
Enterprise Data Management Boost
Cyber Security
Data governance and enterprise data management
augment the various lines of defense for data at
risk. Data at risk are data that, if they were to fall
into unauthorized hands, would compromise an
enterprise and/or its customers. Identifying data
at risk is a key activity, because securing all data
is an impossible and very costly task for most
enterprises. Data governance and enterprise data
management boost cyber security in four ways.
Helping to Identify Data at Risk
Enterprise data management tools have made
identifying sensitive data easier. Personally
identifiable information (PII) (e.g., contact details,
payment card industry [PCI] data, credit card
details) and protected health information (PHI)
(e.g., data containing individual medical records)
constitute sensitive data. Enterprise data
Relating Data Security, Governance,
Stewardship and Quality
Data governance embraces all that data impact
and that impacts data. For example, COBIT®
5
sees data governance as overseeing information
custodianship and information security,6
and the
Data Management Association (DAMA) International
places data governance at the hub of nine
categories, including data quality, metadata and
data security.7
There is also an overlap between
data security, data quality, data governance and
data stewardship8
(figure 2), specifically from the
enterprise perspective.
Figure 2—Relationship Between
Data Governance, Data Stewardship,
Enterprise Data Management
and Data Security
Source: G. Pearce. Reprinted with permission.
Incremental enterprise risk is introduced if the
four categories in figure 2 are inconsistent for
any reason. The matter of organizational data
management maturity comes to the forefront in
plans to sustainably resolve such inconsistencies.
Data Governance
Data
Stewardship
Enterprise Data
Management
Data
Security
Enjoying
this article?
• 	Learn more about,
discuss and
collaborate on
cybersecurity in the
Knowledge Center.
www.isaca.org/
cybersecurity-topic
ISACA JOURNAL VOL 3 4
©2017 ISACA. All rights reserved. www.isaca.org
• Perform transaction log analysis
• Perform business process analysis and audits
• Analyze job descriptions (data-intensive roles)
• Perform application audits (e.g., identify tools
permitting sensitive data drill downs)
• Analyze data models, including areas of data
duplication and data redundancy (data life cycle
management).
Helping to Locate Sensitive Data
Heading the list of things that keep senior
executives up at night is “not knowing where
sensitive data reside.”12
Fifty percent of information
security professionals worry that they do not
understand the full extent of the data risk of
their enterprise.13
Not knowing the location of enterprise sensitive
data hampers the ability to identify enterprise data
at risk, thereby compromising the enterprise’s ability
to design an effective cyber security strategy. Not
knowing the location also hampers the ability of
the enterprise to rapidly and properly respond to
a data breach, which is an existing and emerging
regulatory requirement in many jurisdictions and
can result in significant fines and penalties.14
management tools can also help with identifying
other data categories that the enterprise defines as
sensitive. A breach of sensitive data is the cause of
most reputation and financial risk for enterprises.
Hackers largely desire sensitive identity data (PII
and PHI) because they have a longer shelf-life than
financial data (PCI and other). Financial data are
only useful to the hacker for as long as it takes the
victim to inform the bank of stolen credentials.10
With PII and PHI data, crimes can be committed in
a victim’s name for weeks, months or longer before
anyone notices, with life-changing consequences
for those affected.
The enterprise also needs to know who in the
organization is using the sensitive data, the location
of the data and how the data flow through the
enterprise. The enterprise’s data stewardship
component can facilitate the identification of who
has access to which data, helping to mitigate
the risk of people being the biggest cause of
information security incidents.11
Enterprise data
management tools can also facilitate identifying
data location and how they flow through the
enterprise (data lineage).
Other ways of identifying data at risk are to:
• Analyze data flows
• Review enterprise access rights
Fifty percent of
information security
professionals worry
that they do not
understand the
full extent of the
data risk of their
enterprise.
ISACA JOURNAL VOL 3 5
©2017 ISACA. All rights reserved. www.isaca.org
Modern data quality tools address this access risk
by providing masking and tokenization functionality.
Some tools also limit drill-down access to the
underlying data. These features enable data stewards
and other users to profile their data and assess
their data quality without ever seeing the data and,
thereby, potentially compromising data security.
Conclusion
Data governance and enterprise data management
are key to the future competitiveness and
sustainability of enterprises. The benefits of data
governance and enterprise data management span
areas such as cyber security, marketing, sales,
strategy, finance, compliance and audit, and, from
an operational perspective, business intelligence,
reporting and analytics. This article outlined some
benefits of the relationship between cyber security,
enterprise data management and data governance.
Knowing the relationship between data governance
and cyber security, enterprises need to ask if
their enterprise data are consistently governed
under a single umbrella. If not, an enterprise could
have inconsistent and even contradictory policies
deployed across the enterprise, which introduces
new risk. Good corporate governance requires
new risk to be recognized and documented in the
enterprise risk register for board-level visibility.
Some data quality tools can automatically infer the
classification of data and allow custom classifications
to be defined. These features are a natural outcome
of the data profiling process, which accesses data
stored at defined locations to perform the required
data profiling tasks. The classifications, which
determine whether data looks like credit card data
(PCI), passport data (PII) or even fits a custom
classification, can then be integrated into custom
reports, enabling the enterprise to identify the location
of any data of a given classification for strategic,
operational or regulatory purposes.
Helping to Identify Sensitive Data Users and
Ensuring Consistent Data Access Processes
Access to PCI, PII and PHI should be tightly
controlled. As a result, business data stewards
might lament that data security hampers them from
doing their job, such as data profiling to determine
data quality, while the data security team might
remind data stewards that it is their job to restrict
access to sensitive data to protect the data from
the risk of misuse.
Data governance establishes policies and
standards with respect to enterprise data. Given the
relationship between data governance and cyber
security, these policies and standards can also
be used to guide the development of consistent
data access processes across silos and across
the enterprise. The policies define the principles of
access for each diverse user group, and the data
security team implements processes to suit each
of these policies. Software tools are beginning to
provide more of this type of functionality.
Helping to Ensure Safer Access to Sensitive Data
Data users do not always need to be able to see
sensitive data to be able to use the data. This is
important, because one of the greatest cyberrisk
factors is internal staff, especially those with
privileged access to data.15
Data stewards have
privileged access, especially when it comes to
data profiling. How can the risk of data stewards
misusing sensitive data be mitigated?
Data users do not
always need to be
able to see sensitive
data to be able to
use the data.
ISACA JOURNAL VOL 3 6
©2017 ISACA. All rights reserved. www.isaca.org
	 9	Akmeemana, C.; G. Pearce; “Tech-based
Cybersecurity Can’t Stop ‘People Risk’,”
American Banker, 22 July 2016, https://www.
americanbanker.com/opinion/tech-based-
cybersecurity-cant-stop-people-risk
	10	Rashid, F. Y.; “Why Hackers Want Your
Health Care Data Most of All,” InfoWorld,
14 September 2015, www.infoworld.com/
article/2983634/security/why-hackers-want-
your-health-care-data-breaches-most-of-all.html
	11	PricewaterhouseCoopers, “Managing Cyber
Risks in an Interconnected World: Key Findings
From the Global State of Information Security
Survey 2015,” 30 September 2014, www.pwc.
com/gx/en/consulting-services/information-
security-survey/assets/the-global-state-of-
information-security-survey-2015.pdf
	12	Ponemon Institute, “The State of Data Security
Intelligence in 2015,” 7 April 2015, www.
slideshare.net/informaticacorp/infagraphic-
ponemon-state-of-data-centric-security
	13	 Ibid.
	14	Friedman, K.; T. Hunter; J. Halpert; “Canada’s
PIPEDA: Consultation Opportunity for Data
Breach Reporting Regulations,” 31 May
2016, www.dlapiper.com/en/canada/insights/
publications/2016/05/canadas-pipeda-
consultation-opportunity/
	15	Shaw, N.; “It Shouldn’t Matter How Many US
Bs Are Lost,” InfoSecurity, 27 January 2016,
www.infosecurity-magazine.com/blogs/it-
shouldnt-matter-how-many-usbs/
Ultimately, leveraging enterprise data management
and data governance outcomes in a cyber security
context creates another line of defense for one of
the modern enterprise’s most valuable assets with
little incremental effort.
Endnotes
	 1	Bank for International Settlements, Trends in
Risk Integration and Aggregation, August 2003,
www.bis.org/publ/joint07.pdf
	 2	Bank for International Settlements, Principles
for Effective Risk Data Aggregation and Risk
Reporting, January 2013, www.bis.org/publ/
bcbs239.pdf
	 3	 Ibid.
	 4	 Ibid.
	 5	 Ibid.
	 6	Suer, M.; R. Nolan; “Using COBIT®
5 to Deliver
Information and Data Governance,” COBIT®
Focus, 12 January 2015, www.isaca.org/
cobit/focus/pages/using-cobit-5-to-deliver-
information-and-data-governance.aspx
	 7	DAMA International, “Body of Knowledge,”
2015, www.dama.org/content/body-knowledge
	 8	Stanford University, “Data Governance at
Stanford: A Data Governance Overview,”
19 September 2011, http://web.stanford.edu/
dept/pres-provost/cgi-bin/dg/wordpress/wp-
content/uploads/2011/11/DG-News001.pdf

More Related Content

What's hot

Managing Dirty Data In Organization Using Erp
Managing Dirty Data In Organization Using ErpManaging Dirty Data In Organization Using Erp
Managing Dirty Data In Organization Using Erp
Donovan Mulder
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Capgemini
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
David Kearney
 
Information systems, organizations, management, and strategy
Information systems, organizations, management, and strategyInformation systems, organizations, management, and strategy
Information systems, organizations, management, and strategy
Prof. Othman Alsalloum
 

What's hot (20)

Chapter 3
Chapter 3Chapter 3
Chapter 3
 
Managing Dirty Data In Organization Using Erp
Managing Dirty Data In Organization Using ErpManaging Dirty Data In Organization Using Erp
Managing Dirty Data In Organization Using Erp
 
Successful stewardship Presentation
Successful stewardship PresentationSuccessful stewardship Presentation
Successful stewardship Presentation
 
Information Governance
Information GovernanceInformation Governance
Information Governance
 
Scenario you have recently been hired as a chief information gov
Scenario you have recently been hired as a chief information govScenario you have recently been hired as a chief information gov
Scenario you have recently been hired as a chief information gov
 
Getting Ahead Of The Game: Proactive Data Governance
Getting Ahead Of The Game: Proactive Data GovernanceGetting Ahead Of The Game: Proactive Data Governance
Getting Ahead Of The Game: Proactive Data Governance
 
Driving Business Performance with effective Enterprise Information Management
Driving Business Performance with effective Enterprise Information ManagementDriving Business Performance with effective Enterprise Information Management
Driving Business Performance with effective Enterprise Information Management
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
 
Reference master data management
Reference master data managementReference master data management
Reference master data management
 
Metadata Repositories in Health Care - Master Data Management Approach to Met...
Metadata Repositories in Health Care - Master Data Management Approach to Met...Metadata Repositories in Health Care - Master Data Management Approach to Met...
Metadata Repositories in Health Care - Master Data Management Approach to Met...
 
Data Governance for Enterprises
Data Governance for EnterprisesData Governance for Enterprises
Data Governance for Enterprises
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
 
Information systems, organizations, management, and strategy
Information systems, organizations, management, and strategyInformation systems, organizations, management, and strategy
Information systems, organizations, management, and strategy
 
Analytics Organization Modeling for Maturity Assessment and Strategy Development
Analytics Organization Modeling for Maturity Assessment and Strategy DevelopmentAnalytics Organization Modeling for Maturity Assessment and Strategy Development
Analytics Organization Modeling for Maturity Assessment and Strategy Development
 
Oracle Big Data Governance Webcast Charts
Oracle Big Data Governance Webcast ChartsOracle Big Data Governance Webcast Charts
Oracle Big Data Governance Webcast Charts
 
Data Governance challenges in a major Energy Company
Data Governance challenges in a major Energy CompanyData Governance challenges in a major Energy Company
Data Governance challenges in a major Energy Company
 
Ebook - The Guide to Master Data Management
Ebook - The Guide to Master Data Management Ebook - The Guide to Master Data Management
Ebook - The Guide to Master Data Management
 
Chapter 5 data resource management
Chapter 5 data resource managementChapter 5 data resource management
Chapter 5 data resource management
 
Master Data Management
Master Data ManagementMaster Data Management
Master Data Management
 
task 1
task 1task 1
task 1
 

Similar to Boosting Cybersecurity with Data Governance (peer reviewed)

Data quality management system
Data quality management systemData quality management system
Data quality management system
selinasimpson361
 
Data quality management best practices
Data quality management best practicesData quality management best practices
Data quality management best practices
selinasimpson2201
 
Quality management best practices
Quality management best practicesQuality management best practices
Quality management best practices
selinasimpson2201
 

Similar to Boosting Cybersecurity with Data Governance (peer reviewed) (20)

Data Governance
Data GovernanceData Governance
Data Governance
 
Practical Guide to Data Governance Success
Practical Guide to Data Governance SuccessPractical Guide to Data Governance Success
Practical Guide to Data Governance Success
 
Why data governance is the new buzz?
Why data governance is the new buzz?Why data governance is the new buzz?
Why data governance is the new buzz?
 
Developing A Universal Approach to Cleansing Customer and Product Data
Developing A Universal Approach to Cleansing Customer and Product DataDeveloping A Universal Approach to Cleansing Customer and Product Data
Developing A Universal Approach to Cleansing Customer and Product Data
 
Qlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipeline
Qlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipelineQlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipeline
Qlik wp 2021_q3_data_governance_in_the_modern_data_analytics_pipeline
 
Reference data management in financial services industry
Reference data management in financial services industryReference data management in financial services industry
Reference data management in financial services industry
 
Bad customer data?
Bad customer data?Bad customer data?
Bad customer data?
 
Data quality management system
Data quality management systemData quality management system
Data quality management system
 
Data Management Best Practices
Data Management Best PracticesData Management Best Practices
Data Management Best Practices
 
Importance of Data Governance
Importance of Data GovernanceImportance of Data Governance
Importance of Data Governance
 
Information governance presentation
Information governance   presentationInformation governance   presentation
Information governance presentation
 
Data quality management best practices
Data quality management best practicesData quality management best practices
Data quality management best practices
 
data collection, data integration, data management, data modeling.pptx
data collection, data integration, data management, data modeling.pptxdata collection, data integration, data management, data modeling.pptx
data collection, data integration, data management, data modeling.pptx
 
oracle-data-governance-wp.pdf
oracle-data-governance-wp.pdforacle-data-governance-wp.pdf
oracle-data-governance-wp.pdf
 
Quality management best practices
Quality management best practicesQuality management best practices
Quality management best practices
 
Data Quality Strategy: A Step-by-Step Approach
Data Quality Strategy: A Step-by-Step ApproachData Quality Strategy: A Step-by-Step Approach
Data Quality Strategy: A Step-by-Step Approach
 
3 data mgmt
3 data mgmt3 data mgmt
3 data mgmt
 
big data.pptx
big data.pptxbig data.pptx
big data.pptx
 
Eiu collibra transforming data into action-the business outlook for data gove...
Eiu collibra transforming data into action-the business outlook for data gove...Eiu collibra transforming data into action-the business outlook for data gove...
Eiu collibra transforming data into action-the business outlook for data gove...
 
eCommerce Product Data Governance: Why Does It Matter?
eCommerce Product Data Governance: Why Does It Matter?eCommerce Product Data Governance: Why Does It Matter?
eCommerce Product Data Governance: Why Does It Matter?
 

More from Guy Pearce

More from Guy Pearce (12)

Governance: The key to effecting successful Digital Transformation
Governance: The key to effecting successful Digital TransformationGovernance: The key to effecting successful Digital Transformation
Governance: The key to effecting successful Digital Transformation
 
Closing the gap between innovation intent and reality (corporate governance)
Closing the gap between innovation intent and reality (corporate governance)Closing the gap between innovation intent and reality (corporate governance)
Closing the gap between innovation intent and reality (corporate governance)
 
Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?Cybersecurity: Whose job is it anyway?
Cybersecurity: Whose job is it anyway?
 
Leading enterprise-scale big data business outcomes
Leading enterprise-scale big data business outcomesLeading enterprise-scale big data business outcomes
Leading enterprise-scale big data business outcomes
 
Big data governance as a corporate governance imperative
Big data governance as a corporate governance imperativeBig data governance as a corporate governance imperative
Big data governance as a corporate governance imperative
 
Creating $100 million from Big Data Analytics in Banking
Creating $100 million from Big Data Analytics in BankingCreating $100 million from Big Data Analytics in Banking
Creating $100 million from Big Data Analytics in Banking
 
Branding In Banking And Finance 2011
Branding In Banking And Finance 2011Branding In Banking And Finance 2011
Branding In Banking And Finance 2011
 
African Retail Banking Opportunities In The Brics And (1)
African Retail Banking Opportunities In The Brics And (1)African Retail Banking Opportunities In The Brics And (1)
African Retail Banking Opportunities In The Brics And (1)
 
The relationship marketing advantage, ICSB Halifax, Canada, 2008
The relationship marketing advantage, ICSB Halifax, Canada, 2008The relationship marketing advantage, ICSB Halifax, Canada, 2008
The relationship marketing advantage, ICSB Halifax, Canada, 2008
 
Marketing Science Conference on the SME use of banking products, Vancouver 2008
Marketing Science Conference on the SME use of banking products, Vancouver 2008 Marketing Science Conference on the SME use of banking products, Vancouver 2008
Marketing Science Conference on the SME use of banking products, Vancouver 2008
 
Academy of Marketing International Conference On Brand Management, Birmingham...
Academy of Marketing International Conference On Brand Management, Birmingham...Academy of Marketing International Conference On Brand Management, Birmingham...
Academy of Marketing International Conference On Brand Management, Birmingham...
 
Emerging Market SME Turnaround in a Recession: Theory and Practice. Cincinnat...
Emerging Market SME Turnaround in a Recession: Theory and Practice. Cincinnat...Emerging Market SME Turnaround in a Recession: Theory and Practice. Cincinnat...
Emerging Market SME Turnaround in a Recession: Theory and Practice. Cincinnat...
 

Recently uploaded

如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
acoha1
 
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
ju0dztxtn
 
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
dq9vz1isj
 
如何办理哥伦比亚大学毕业证(Columbia毕业证)成绩单原版一比一
如何办理哥伦比亚大学毕业证(Columbia毕业证)成绩单原版一比一如何办理哥伦比亚大学毕业证(Columbia毕业证)成绩单原版一比一
如何办理哥伦比亚大学毕业证(Columbia毕业证)成绩单原版一比一
fztigerwe
 
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单学位证留信学历认证原件一样
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单学位证留信学历认证原件一样如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单学位证留信学历认证原件一样
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单学位证留信学历认证原件一样
jk0tkvfv
 
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
ppy8zfkfm
 
Audience Researchndfhcvnfgvgbhujhgfv.pptx
Audience Researchndfhcvnfgvgbhujhgfv.pptxAudience Researchndfhcvnfgvgbhujhgfv.pptx
Audience Researchndfhcvnfgvgbhujhgfv.pptx
Stephen266013
 

Recently uploaded (20)

Formulas dax para power bI de microsoft.pdf
Formulas dax para power bI de microsoft.pdfFormulas dax para power bI de microsoft.pdf
Formulas dax para power bI de microsoft.pdf
 
Credit Card Fraud Detection: Safeguarding Transactions in the Digital Age
Credit Card Fraud Detection: Safeguarding Transactions in the Digital AgeCredit Card Fraud Detection: Safeguarding Transactions in the Digital Age
Credit Card Fraud Detection: Safeguarding Transactions in the Digital Age
 
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
如何办理(UPenn毕业证书)宾夕法尼亚大学毕业证成绩单本科硕士学位证留信学历认证
 
Genuine love spell caster )! ,+27834335081) Ex lover back permanently in At...
Genuine love spell caster )! ,+27834335081)   Ex lover back permanently in At...Genuine love spell caster )! ,+27834335081)   Ex lover back permanently in At...
Genuine love spell caster )! ,+27834335081) Ex lover back permanently in At...
 
Aggregations - The Elasticsearch "GROUP BY"
Aggregations - The Elasticsearch "GROUP BY"Aggregations - The Elasticsearch "GROUP BY"
Aggregations - The Elasticsearch "GROUP BY"
 
How to Transform Clinical Trial Management with Advanced Data Analytics
How to Transform Clinical Trial Management with Advanced Data AnalyticsHow to Transform Clinical Trial Management with Advanced Data Analytics
How to Transform Clinical Trial Management with Advanced Data Analytics
 
Data Analysis Project Presentation : NYC Shooting Cluster Analysis
Data Analysis Project Presentation : NYC Shooting Cluster AnalysisData Analysis Project Presentation : NYC Shooting Cluster Analysis
Data Analysis Project Presentation : NYC Shooting Cluster Analysis
 
Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...
Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...
Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...
 
Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...
Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...
Jual Obat Aborsi Bandung (Asli No.1) Wa 082134680322 Klinik Obat Penggugur Ka...
 
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
如何办理英国卡迪夫大学毕业证(Cardiff毕业证书)成绩单留信学历认证
 
Sensing the Future: Anomaly Detection and Event Prediction in Sensor Networks
Sensing the Future: Anomaly Detection and Event Prediction in Sensor NetworksSensing the Future: Anomaly Detection and Event Prediction in Sensor Networks
Sensing the Future: Anomaly Detection and Event Prediction in Sensor Networks
 
Predictive Precipitation: Advanced Rain Forecasting Techniques
Predictive Precipitation: Advanced Rain Forecasting TechniquesPredictive Precipitation: Advanced Rain Forecasting Techniques
Predictive Precipitation: Advanced Rain Forecasting Techniques
 
Statistics Informed Decisions Using Data 5th edition by Michael Sullivan solu...
Statistics Informed Decisions Using Data 5th edition by Michael Sullivan solu...Statistics Informed Decisions Using Data 5th edition by Michael Sullivan solu...
Statistics Informed Decisions Using Data 5th edition by Michael Sullivan solu...
 
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
1:1原版定制伦敦政治经济学院毕业证(LSE毕业证)成绩单学位证书留信学历认证
 
如何办理哥伦比亚大学毕业证(Columbia毕业证)成绩单原版一比一
如何办理哥伦比亚大学毕业证(Columbia毕业证)成绩单原版一比一如何办理哥伦比亚大学毕业证(Columbia毕业证)成绩单原版一比一
如何办理哥伦比亚大学毕业证(Columbia毕业证)成绩单原版一比一
 
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单学位证留信学历认证原件一样
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单学位证留信学历认证原件一样如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单学位证留信学历认证原件一样
如何办理(UCLA毕业证书)加州大学洛杉矶分校毕业证成绩单学位证留信学历认证原件一样
 
SCI8-Q4-MOD11.pdfwrwujrrjfaajerjrajrrarj
SCI8-Q4-MOD11.pdfwrwujrrjfaajerjrajrrarjSCI8-Q4-MOD11.pdfwrwujrrjfaajerjrajrrarj
SCI8-Q4-MOD11.pdfwrwujrrjfaajerjrajrrarj
 
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
1:1原版定制利物浦大学毕业证(Liverpool毕业证)成绩单学位证书留信学历认证
 
Audience Researchndfhcvnfgvgbhujhgfv.pptx
Audience Researchndfhcvnfgvgbhujhgfv.pptxAudience Researchndfhcvnfgvgbhujhgfv.pptx
Audience Researchndfhcvnfgvgbhujhgfv.pptx
 
Northern New England Tableau User Group (TUG) May 2024
Northern New England Tableau User Group (TUG) May 2024Northern New England Tableau User Group (TUG) May 2024
Northern New England Tableau User Group (TUG) May 2024
 

Boosting Cybersecurity with Data Governance (peer reviewed)

  • 1. ISACA JOURNAL VOL 3 1 ©2017 ISACA. All rights reserved. www.isaca.org featurefeature Regulators Are Driving Activities In a joint sitting of the Basel Committee on Banking Supervision (BCBS), the International Organization of Securities Commissions (IOSCO) and the International Association of Insurance Supervisors (IAIS), regulators recognized the need for better data quality.1 Banks were at the forefront of the new regulatory requirements for enterprise data management via the Basel BCBS 239, which was introduced in 2013.2 BCBS 239 addressed the poor quality of reports that were submitted to regulators during the height of the global financial crisis and outlined the need for: • Metadata, single identifiers and unified naming conventions for data. The latter two items are concerned with enterprise master and reference data management and are generally referred to as MDM.3 • Established roles and responsibilities in the enterprise—the data stewardship organization— with respect to managing enterprise data4 • Specific measures of data quality5 BCBS 239 gave rise to the creation of new bank departments and has been a driver of the chief data officer (CDO) role to head the department, often with a board or chief executive officer (CEO) mandate to meet these regulatory requirements. Although different in formality, structure and interpretation, the CDO’s scope includes data governance, data stewardship and enterprise data management. Considering the original joint sitting of Basel (banking industry), IAIS (insurance industry) and IOSCO (securities industry), similar regulations could apply to insurance and securities enterprises, too. The relationship between cyber security and the regulatory requirements for data governance, data stewardship and enterprise data management is set to strengthen. Enterprise data management (EDM), data stewardship and data governance are concerned with the what, who and how of managing the enterprise data asset, respectively: • Enterprise data management (the what)— Enabling the business to make the most of its data asset, supported by suitable tools and processes. EDM objectives include measuring data quality (and attesting to data and report quality); ensuring that reference data, e.g., product codes, are accurate (master data management); and ensuring that business has the same understanding of various business terms (metadata). • Data stewardship (the who)—Identifying the people/positions involved in EDM within the business and ensuring the formal definition of their responsibilities and accountabilities. A data steward may need to measure the quality of a data element each month to support regulatory reporting; data stewardship formalizes these responsibilities and accountabilities. • Data governance (the how)—Establishing, monitoring and sometimes enforcing policies, procedures, standards and guidelines that are related to the overall management of enterprise data, with the goal of sustainably ensuring data availability, usability and security. Data governance activities provide direction and structure to data stewardship and enterprise data management activities. Boosting Cyber Security With Data Governance and Enterprise Data Management Guy Pearce Is managing partner of REData Performance Consulting, which specializes in integrating data, governance, strategy, risk management and IT to produce auditable, data-driven value for enterprises and their customers. Pearce has served on the boards of directors of private and public companies in the banking, financial services and retail industries over the past decade and on their finance, risk, audit, credit, and information and communications technology committees. Pearce can be reached at pearcegf@gmail.com.
  • 2. ISACA JOURNAL VOL 3 2 ©2017 ISACA. All rights reserved. www.isaca.org action, and the latter can result in unexpected and undesirable business outcomes that can, in turn, incur reputational and other risk for the enterprise. Note that beyond absolute data quality, an enterprise should also know how well data that are copied by the enterprise from a production data source downstream into, for example, a data warehouse or data lake, remain accurate. Organizations need to know that this copy—facilitating organizational reporting and analytics—accurately reflects the production data. This example describes relative data quality that is assessed by means of data transport validation processes. Regulators are interested in absolute and relative data quality. Positive Outcomes for Regulators and Data Users Data quality processes enable users to know if a report can be trusted. For example, which report in figure 1 is more trustworthy? Report A is certified across four data-quality dimensions—accuracy, integrity, completeness and timeliness—providing assurance of its trustworthiness. Report B has unknown quality and is unqualified, which is typical of most business reports. The same matter applies to those enterprises that leverage analytics for enhanced business insights. If one set of insights is quality certified and another one is not certified, the former is more reliable to Figure 1—Data Quality Comparison of Report A and Report B Source: G. Pearce. Reprinted with permission. A B Statement of cash flow Balance sheet Income statement Accuracy Integrity Completeness Timelines Accuracy (unknown) Integrity (unknown) Completeness (unknown) Timelines (unknown) Statement of cash flow Balance sheet Income statement A B Statement of cash flow Balance sheet Income statement Accuracy Integrity Completeness Timelines Accuracy (unknown) Integrity (unknown) Completeness (unknown) Timelines (unknown) Statement of cash flow Balance sheet Income statement
  • 3. ISACA JOURNAL VOL 3 3 ©2017 ISACA. All rights reserved. www.isaca.org Good Cyber Security Deploys Multiple Lines of Defense Cyber security strategies should create several lines of defense against attackers. One such line of cyberdefense is technology, e.g., for malware, viruses and hackers. For some enterprises, this is the only line of defense, which, unfortunately, still leaves the enterprise exposed to residual cyberrisk. Another line of defense is ensuring that staff members are formally made aware of the risk that is associated with data and that they act according to defined data governance policies when handling enterprise data. Yet another example is third-party due diligence, in which data governance establishes the cyber security expectations of third parties. Corporate governance—the board of directors’ job—is the line of defense that looks at business culture, beginning with setting the right tone about risk at the very top of the enterprise.9 Four Ways Data Governance and Enterprise Data Management Boost Cyber Security Data governance and enterprise data management augment the various lines of defense for data at risk. Data at risk are data that, if they were to fall into unauthorized hands, would compromise an enterprise and/or its customers. Identifying data at risk is a key activity, because securing all data is an impossible and very costly task for most enterprises. Data governance and enterprise data management boost cyber security in four ways. Helping to Identify Data at Risk Enterprise data management tools have made identifying sensitive data easier. Personally identifiable information (PII) (e.g., contact details, payment card industry [PCI] data, credit card details) and protected health information (PHI) (e.g., data containing individual medical records) constitute sensitive data. Enterprise data Relating Data Security, Governance, Stewardship and Quality Data governance embraces all that data impact and that impacts data. For example, COBIT® 5 sees data governance as overseeing information custodianship and information security,6 and the Data Management Association (DAMA) International places data governance at the hub of nine categories, including data quality, metadata and data security.7 There is also an overlap between data security, data quality, data governance and data stewardship8 (figure 2), specifically from the enterprise perspective. Figure 2—Relationship Between Data Governance, Data Stewardship, Enterprise Data Management and Data Security Source: G. Pearce. Reprinted with permission. Incremental enterprise risk is introduced if the four categories in figure 2 are inconsistent for any reason. The matter of organizational data management maturity comes to the forefront in plans to sustainably resolve such inconsistencies. Data Governance Data Stewardship Enterprise Data Management Data Security Enjoying this article? • Learn more about, discuss and collaborate on cybersecurity in the Knowledge Center. www.isaca.org/ cybersecurity-topic
  • 4. ISACA JOURNAL VOL 3 4 ©2017 ISACA. All rights reserved. www.isaca.org • Perform transaction log analysis • Perform business process analysis and audits • Analyze job descriptions (data-intensive roles) • Perform application audits (e.g., identify tools permitting sensitive data drill downs) • Analyze data models, including areas of data duplication and data redundancy (data life cycle management). Helping to Locate Sensitive Data Heading the list of things that keep senior executives up at night is “not knowing where sensitive data reside.”12 Fifty percent of information security professionals worry that they do not understand the full extent of the data risk of their enterprise.13 Not knowing the location of enterprise sensitive data hampers the ability to identify enterprise data at risk, thereby compromising the enterprise’s ability to design an effective cyber security strategy. Not knowing the location also hampers the ability of the enterprise to rapidly and properly respond to a data breach, which is an existing and emerging regulatory requirement in many jurisdictions and can result in significant fines and penalties.14 management tools can also help with identifying other data categories that the enterprise defines as sensitive. A breach of sensitive data is the cause of most reputation and financial risk for enterprises. Hackers largely desire sensitive identity data (PII and PHI) because they have a longer shelf-life than financial data (PCI and other). Financial data are only useful to the hacker for as long as it takes the victim to inform the bank of stolen credentials.10 With PII and PHI data, crimes can be committed in a victim’s name for weeks, months or longer before anyone notices, with life-changing consequences for those affected. The enterprise also needs to know who in the organization is using the sensitive data, the location of the data and how the data flow through the enterprise. The enterprise’s data stewardship component can facilitate the identification of who has access to which data, helping to mitigate the risk of people being the biggest cause of information security incidents.11 Enterprise data management tools can also facilitate identifying data location and how they flow through the enterprise (data lineage). Other ways of identifying data at risk are to: • Analyze data flows • Review enterprise access rights Fifty percent of information security professionals worry that they do not understand the full extent of the data risk of their enterprise.
  • 5. ISACA JOURNAL VOL 3 5 ©2017 ISACA. All rights reserved. www.isaca.org Modern data quality tools address this access risk by providing masking and tokenization functionality. Some tools also limit drill-down access to the underlying data. These features enable data stewards and other users to profile their data and assess their data quality without ever seeing the data and, thereby, potentially compromising data security. Conclusion Data governance and enterprise data management are key to the future competitiveness and sustainability of enterprises. The benefits of data governance and enterprise data management span areas such as cyber security, marketing, sales, strategy, finance, compliance and audit, and, from an operational perspective, business intelligence, reporting and analytics. This article outlined some benefits of the relationship between cyber security, enterprise data management and data governance. Knowing the relationship between data governance and cyber security, enterprises need to ask if their enterprise data are consistently governed under a single umbrella. If not, an enterprise could have inconsistent and even contradictory policies deployed across the enterprise, which introduces new risk. Good corporate governance requires new risk to be recognized and documented in the enterprise risk register for board-level visibility. Some data quality tools can automatically infer the classification of data and allow custom classifications to be defined. These features are a natural outcome of the data profiling process, which accesses data stored at defined locations to perform the required data profiling tasks. The classifications, which determine whether data looks like credit card data (PCI), passport data (PII) or even fits a custom classification, can then be integrated into custom reports, enabling the enterprise to identify the location of any data of a given classification for strategic, operational or regulatory purposes. Helping to Identify Sensitive Data Users and Ensuring Consistent Data Access Processes Access to PCI, PII and PHI should be tightly controlled. As a result, business data stewards might lament that data security hampers them from doing their job, such as data profiling to determine data quality, while the data security team might remind data stewards that it is their job to restrict access to sensitive data to protect the data from the risk of misuse. Data governance establishes policies and standards with respect to enterprise data. Given the relationship between data governance and cyber security, these policies and standards can also be used to guide the development of consistent data access processes across silos and across the enterprise. The policies define the principles of access for each diverse user group, and the data security team implements processes to suit each of these policies. Software tools are beginning to provide more of this type of functionality. Helping to Ensure Safer Access to Sensitive Data Data users do not always need to be able to see sensitive data to be able to use the data. This is important, because one of the greatest cyberrisk factors is internal staff, especially those with privileged access to data.15 Data stewards have privileged access, especially when it comes to data profiling. How can the risk of data stewards misusing sensitive data be mitigated? Data users do not always need to be able to see sensitive data to be able to use the data.
  • 6. ISACA JOURNAL VOL 3 6 ©2017 ISACA. All rights reserved. www.isaca.org 9 Akmeemana, C.; G. Pearce; “Tech-based Cybersecurity Can’t Stop ‘People Risk’,” American Banker, 22 July 2016, https://www. americanbanker.com/opinion/tech-based- cybersecurity-cant-stop-people-risk 10 Rashid, F. Y.; “Why Hackers Want Your Health Care Data Most of All,” InfoWorld, 14 September 2015, www.infoworld.com/ article/2983634/security/why-hackers-want- your-health-care-data-breaches-most-of-all.html 11 PricewaterhouseCoopers, “Managing Cyber Risks in an Interconnected World: Key Findings From the Global State of Information Security Survey 2015,” 30 September 2014, www.pwc. com/gx/en/consulting-services/information- security-survey/assets/the-global-state-of- information-security-survey-2015.pdf 12 Ponemon Institute, “The State of Data Security Intelligence in 2015,” 7 April 2015, www. slideshare.net/informaticacorp/infagraphic- ponemon-state-of-data-centric-security 13 Ibid. 14 Friedman, K.; T. Hunter; J. Halpert; “Canada’s PIPEDA: Consultation Opportunity for Data Breach Reporting Regulations,” 31 May 2016, www.dlapiper.com/en/canada/insights/ publications/2016/05/canadas-pipeda- consultation-opportunity/ 15 Shaw, N.; “It Shouldn’t Matter How Many US Bs Are Lost,” InfoSecurity, 27 January 2016, www.infosecurity-magazine.com/blogs/it- shouldnt-matter-how-many-usbs/ Ultimately, leveraging enterprise data management and data governance outcomes in a cyber security context creates another line of defense for one of the modern enterprise’s most valuable assets with little incremental effort. Endnotes 1 Bank for International Settlements, Trends in Risk Integration and Aggregation, August 2003, www.bis.org/publ/joint07.pdf 2 Bank for International Settlements, Principles for Effective Risk Data Aggregation and Risk Reporting, January 2013, www.bis.org/publ/ bcbs239.pdf 3 Ibid. 4 Ibid. 5 Ibid. 6 Suer, M.; R. Nolan; “Using COBIT® 5 to Deliver Information and Data Governance,” COBIT® Focus, 12 January 2015, www.isaca.org/ cobit/focus/pages/using-cobit-5-to-deliver- information-and-data-governance.aspx 7 DAMA International, “Body of Knowledge,” 2015, www.dama.org/content/body-knowledge 8 Stanford University, “Data Governance at Stanford: A Data Governance Overview,” 19 September 2011, http://web.stanford.edu/ dept/pres-provost/cgi-bin/dg/wordpress/wp- content/uploads/2011/11/DG-News001.pdf