Kate Carruthers
UNSW Sydney
Data governance – an essential foundation to good cyber security practice
Key takeaways
A data & information governance program is an essential foundation for an effective cyber security program; it enables:
• investment decisions for scarce cyber dollars
• effective data risk management
• efficient direction of cyber resources
9/10/19 Data & Information Governance Office 2
"Data governance is the organization and implementation of policies, procedures, structure, roles, and responsibilities which outline and enforce rules of engagement, decision rights, and accountabilities for the effective management of information assets."
(John Ladley, Data Governance: How to Design, Deploy and Sustain an Effective Data Governance Program, 2012)
Cyber security AND info security
Cybersecurity:
“The ability to protect or defend the use of cyberspace from cyber attacks.”
Source: NIST Computer Security Resource Center - CNSSI-4009-2015
Information Security:
“The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Source(s): NIST Computer Security Resource Center - FIPS 199 (44 U.S.C., Sec. 3542)
Traditional 3 lines of defence model
1st line of defence – functions that own and manage risk
2nd line of defence – functions that specialise in risk management and compliance
3rd line of defence – functions that provide independent assurance and internal audit
Source: https://www.iia.org.uk/resources/audit-committees/governance-of-risk-three-lines-of-defence/
Figure labels: Cyber security; Information Security; Data & Information Governance
New models
“Cybersecurity should be managed as a risk discipline across the three lines of defense — ownership, oversight and assurance.”
— Accenture
https://www.accenture.com/t20170803t055319z__w__/us-en/_acnmedia/pdf-7/accenture-cyber-risk-convergence-of-operational-risk-and-cyber-security.pdf#zoom=50
Why?
Cybersecurity and enterprise risk management are a key focus for UNSW’s Council and Management
Data & information governance are a key foundation for cybersecurity
“Complexity is a defining feature of the digital era, & we are not adjusting our governance structures to manage it.”
Kent Aiken, Prime Minister’s Fellow, Public Policy Forum Canada, 2017
Data management
• We all know the DMBOK wheel
• But it is not enough
• That was for the olden days when data operations were simple
• Privacy is not there
• Ethics is not there
https://dama.org/content/dmbok-2-wheel-images
https://www.accenture.com/us-en/blogs/blogs-new-data-ethics-guidelines-organizations-digital-trust
The essential five
• Privacy
• Cyber Security
• Risk Management
• Ethics
• Data & Information Governance
The 5 Knows
• Do you know who has access to your data?
• Do you know the value of your data?
• Do you know where your data is?
• Do you know who is protecting your data?
• Do you know how well your data is protected?
Figure labels: Value; Access; Location; Security; Protection
Source: Mike Burgess, https://www.cio.com.au/article/583438/telstra-five-knows-cyber-security/
How DG helps with defence in depth
It helps to:
1. Identify data at risk
2. Locate sensitive data
3. Ensure that sensitive data is stored and managed properly
4. Identify sensitive data users
5. Ensure consistent data access processes
6. Ensure safer access to sensitive data
DG Foundations
• Data Governance Policies & Procedures
• Data Roles & Responsibilities
• Data Classification Standard
• Data Handling Guideline
• Data Security Practices
Data Classification
UNSW Data Handling Guideline
Lifecycle stages for data are:
1. Creation
2. Access
3. Storage
4. Transmission
5. Processing
6. Integration & Flow
7. Retention & Disposal
8. Management
Alignment – DG, Privacy, Risk, Ethics, IT & Cyber
Framework elements (figure labels):
• Information literacy
• Data driven improvements
• Policies & Standards
• Information Quality
• Privacy, Compliance, Security
• Architecture, Integration
• Establish Decision Rights
• Stewardship
• Assess Risk & Define Controls
• Consistent Data Definitions
Adapted from University of Wisconsin Data Governance Framework
Fundamentals
• Data ownership
• Data classification
• Data handling guideline
• Information Security Management System
Boundaries between DG & IT/Cyber teams – collaboration is critical
Identify data at risk
• Who in the organisation is using sensitive data
• Location of data and how the data flows through the enterprise
• Organisational data stewardship ensures business ownership of the process
• Data access management can assist with identification of who has access to which data
• Can assist in mitigating the risk of people being the biggest cause of information security incidents
People, process & technology
• Metadata management
• Master data management
• Established roles and responsibilities in the organisation - data owners & stewards, data specialists, etc.
• Specific measures of data quality
Confidentiality
• Prevent unauthorised disclosure
Integrity
• Data cannot be modified in an unauthorised manner
Availability
• Information should be available for authorised users
What we’ve learned so far
1. Methodically build up defensive layers
2. Every day do one thing better
3. Data governance, information security & cyber security are essential risk management functions
4. Info sec is a team sport and it needs DG, Risk, Ethics, IT & Cyber, Privacy to work collaboratively
5. It is a journey not a destination
Some handy resources
https://research.unsw.edu.au/research-data-management-unsw
https://www.datagovernance.unsw.edu.au/
Cybersecurity is a team sport. Nobody wins at this game alone.
Apply What You Have Learned Today
• Next week you should:
  • Discover your organisation’s data governance function
• In the first three months following this presentation you should:
  • Consider establishing a data governance function (if you don’t already have one)
  • Define appropriate controls for data governance & establish a cross-functional team
• Within six months you should:
  • Drive the implementation of your data governance program if you don’t already have one, or
  • Get your head around how DG works with risk and cyber to protect your organisation
Thank you
k.carruthers@unsw.edu.au
@kcarruthers
