{"id":10757,"date":"2016-12-01T13:33:45","date_gmt":"2016-12-01T18:33:45","guid":{"rendered":"http:\/\/www.iri.com\/blog\/?p=10757"},"modified":"2024-06-13T17:25:41","modified_gmt":"2024-06-13T21:25:41","slug":"data-security-governance","status":"publish","type":"post","link":"https:\/\/www.iri.com\/blog\/vldb-operations\/data-security-governance\/","title":{"rendered":"What is Data Security Governance?"},"content":{"rendered":"

The Latest Data Risk Landscape <\/b><\/h3>\n

Enterprise data continues to change rapidly in form, size, use, and residence. Rarely does it remain in siloed constructs anymore, limited to certain business units or untouched by the outside world. Data now freely crosses the prior conceived thresholds that limit business potential. It floats about in the cloud, spreads between business units, and flows everywhere. <\/span><\/p>\n

But for all the change and opportunity that data represents, once it\u2019s created or collected, it is under threat of attack and misuse. With the number of reported data breaches doubling in the last ten years, and half a billion records exposed last year, our reliance on information is under increasing threat from a lack of security.<\/span><\/p>\n

<\/p>\n

With the exposure of personal data at industrial scale, the growth of data privacy legislation was inevitable. Companies and government agencies collecting and handling personally identifiable information (PII) must now comply with <\/span>Payment Card Industry Data Security Standard (PCI DSS<\/a>) and Health Insurance Portability and Accountability Act (HIPAA<\/a>) requirements in the United States, the General Data Protection Regulation (GDPR<\/a>) in Europe, and many international and local follow-on laws like POPI in South Africa, the DPDP Act<\/a> in India, KVKK in Turkey, and the California Consumer Privacy Act (CCPA<\/a>).<\/span><\/p>\n

Data breaches also carry explicit costs. A recent Ponemon Institute study f<\/span>ound that the average cost of a data breach was US$4.45 million in 2023, and the risk of having 10,000 stolen or lost records is ~26%. With more than a one-in-four chance of losing 10,000 records, would you take that risk if you could use technology to prevent it?<\/span><\/p>\n

Organizations stuck in old operational models and mindsets fail to recognize the importance of company-wide security protocols. To improve, they must address their need for what Gartner calls Data Security Governance and thus protect information in structured and coordinated events, not as an afterthought or remediation after a breach.<\/span><\/p>\n

What is Data Security Governance?<\/b><\/h3>\n

Gartner defines data security governance (DSG) as \u201ca subset of information governance that deals specifically with protecting corporate data (in both structured database and unstructured file-based forms) through defined data policies and processes.\u201d<\/span><\/p>\n

You define the policies. You define the processes. There is no one-size-fits-all solution to DSG. Furthermore, there is no single product that meets all of the needs of DSG. You must look at your data and weigh which areas have the greatest need and the most importance to your company. You take data governance into your own hands to avert disaster. Remember that your information is your responsibility. <\/span><\/p>\n

While there are multiple pathways to safeguarding data — logical, physical, and human — \u00a0three\u00a0 primary software methods that IRI customers successfully employ are the classification, discovery, and de-identification (masking) of PII and other data considered sensitive.<\/span><\/p>\n

Data Classification<\/b><\/h3>\n

In order to find and protect specific data at risk, it must first be defined in named categories or groups. Data so classified can be cataloged not only by its name and attributes (e.g., US SSN, 9 numbers), but also subject to computational validation (to distinguish it from other 9-digit strings), and sensitivity attribution (secret, sensitive, etc.).<\/p>\n

In addition to those assignments, data classes or class groups can be characterized by where they are located and\/or how they should be found\u00a0 (search method\/s) if their locations are unknown. Also possible is the global assignment of a remediation, or masking function, so that de-identification can be carried out consistently for all members of the class, regardless of location, preserving its referential integrity.<\/p>\n

Data Discovery<\/b><\/h3>\n

To find sensitive data, search functions that may or may not be associated with data classes can be executed. Examples of discovery techniques include:<\/p>\n