Who Needs to Know?

Data governance helps protect sensitive information by establishing data ownership and controlling access.

Los Alamos National Laboratory takes a somewhat low-tech approach to data protection. Concerned about data loss through removable storage devices, the nation’s top nuclear weapons research facility has plugged USB ports with glue.

The move was made in response to a highly publicized security breach involving a contractor who had top-secret clearance and access to classified information. In October 2006, Los Alamos police responding to a domestic disturbance call found drug paraphernalia and seized evidence — including three USB memory sticks containing sensitive documents stolen from the lab.

Los Alamos National Laboratory said that most of the information stored on the drives was decades old and classified at the lowest levels. But given that the contractor had access to nuclear test data and information related to strategic nuclear material control and accountability, the security breach could easily have been devastating.

Recognizing the Risks

The headlines surrounding the Los Alamos case have helped raise awareness of the so-called “data leakage” problem, but many organizations remain unaware of the risks. A common misconception is that security policies designed to meet regulatory compliance requirements also protect against the loss of sensitive data. However, regulations and industry standards such as Sarbanes-Oxley and the Payment Card Industry Data Security Standard (PCI DSS) focus more on data integrity and the network infrastructure than on the prevention and detection of data leakage.

Internal risks are particularly problematic. Executives tend to believe data assets are protected when in reality almost any employee can access almost any document at any time. The problem has two main components. First, few organizations have established processes whereby managers notify IT when an employee’s access rights should change. Second, access to vast amounts of unstructured data (documents, spreadsheets and presentations, for example) is extremely difficult to control.

In most organizations, the role of IT is to enable information access, not deny it. So, barring some other directive, IT tends to place only loose controls on unstructured data. Applications and databases may sit behind authentication, but sensitive documents often find their way onto file shares with inadequate protection from internal risks. As employees leave the organization or change roles, and as more and more data is added, the problem tends to snowball: permissions granted for a past role are rarely revoked.

Defining Data Governance

The changing role and nature of data illustrate the need for data governance, defined as the framework of policies, processes, standards and technologies that are employed within an organization to ensure data accessibility, quality, protection and proper use. While IT governance tends to be application-centric, data governance recognizes that vital business information is created, accessed and stored outside of centralized applications and databases.

Data governance isn’t about locking down files — on the contrary, one of its goals is to ensure that decision makers have access to the information they need. However, organizations can use data governance best practices to help reduce the likelihood of data misuse and, more importantly, ensure that permissions to key company information are warranted and based on an employee’s business need.

The critical need for data governance becomes clear when you consider that 80 percent of business is conducted on unstructured information and 85 percent of all data is held in an unstructured format. Leading industry analyst firms have also reported that the yearly data growth rate exceeds 50 percent for many enterprises, and unstructured data doubles every three months.

“Data governance is increasing in importance for all organizations, driven by compliance and transparency pressures, and the general need to regain control over their most critical corporate asset — information,” said Ted Friedman, research vice president at Gartner Inc.

Establishing Rules

Few organizations have any visibility into who has access, or, more importantly, who should have access, to this ballooning stockpile of unstructured data. In many cases, permissions on folders default to broad groups like “Everyone,” meaning that every account in the organization can read, and often modify, that data. Enterprises that have tried to limit access have found that answering the question “who should have access to this data?” requires a lengthy and manual communications process between IT and the data owners.
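The first step toward the visibility described above is simply enumerating which entries in a share grant access to everyone. The following script is an added illustration, not code from the original article or from any vendor it mentions. It walks a directory tree and flags entries whose POSIX “other” permission bits grant read or write access, which is the Unix analogue of a Windows folder permissioned to the Everyone group; the sample folder names and files it builds in a temporary directory are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path


def broad_access_findings(root):
    """Walk `root` and return sorted (relative_path, mode_string, issue)
    tuples for every file or directory whose 'other' bits grant access.
    World-writable entries are reported as such; otherwise world-readable."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            try:
                st = path.lstat()
            except OSError:
                continue  # vanished or unreadable entry: skip, do not abort the audit
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target, not the link, when it is walked
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                issue = "world-writable"
            elif mode & stat.S_IROTH:
                issue = "world-readable"
            else:
                continue
            findings.append((str(path.relative_to(root)),
                             stat.filemode(st.st_mode), issue))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample share in a temp dir and return its path.
    The folder and file names are hypothetical; the modes are what matter."""
    root = Path(tempfile.mkdtemp(prefix="share_audit_"))
    layout = {
        "hr": 0o700,                      # owner only: no finding expected
        "hr/salaries.xlsx": 0o600,
        "public": 0o755,                  # everyone can list: world-readable
        "public/handbook.pdf": 0o644,
        "scratch": 0o777,                 # everyone can write: world-writable
        "scratch/draft.docx": 0o666,
    }
    for rel, mode in layout.items():
        p = root / rel
        if "." in p.name:
            p.write_text("sample content\n")
        else:
            p.mkdir()
        os.chmod(p, mode)  # explicit chmod so the process umask does not interfere
    return root


def audit_sample_tree():
    """Build the sample tree and return the findings for it."""
    return broad_access_findings(build_sample_tree())


if __name__ == "__main__":
    for rel, mode, issue in audit_sample_tree():
        print(f"{mode}  {issue:15}  {rel}")
```

Run against a real share root, the same function produces the list a data owner needs in order to decide which of those grants are actually warranted; on Windows file servers the equivalent check would inspect ACL entries for the Everyone and Authenticated Users groups rather than permission bits.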

Data governance helps organizations control access by defining business rules related to data. Most successful data governance initiatives are not focused on IT — the line of business assumes ownership of the data and drives the business rules surrounding it. IT assists the line of business in implementing appropriate technologies and processes to facilitate the program. A key function of data governance is to establish mechanisms for ongoing monitoring and measurement — after all, the Los Alamos security breach occurred even though the lab had banned portable storage devices two years earlier.

While not a panacea, data governance can help organizations reduce the risk of data leakage as well as enable information access, improve data integrity and aid regulatory compliance. Data becomes a corporate asset, with rigorous standards and accountability surrounding its creation, management and use.
