The following are personal study notes on the topic of information governance.
For this post, I’ll be using the definition of information governance from NIST:
A set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority and management and decision making parameters related to the data produced or managed by the enterprise.
Domain | Summary |
---|---|
Ownership and custodianship | To ensure accountability if anything happens to the information. |
Information classification | Decision criteria for deciding on where and how information is stored. |
Information management policies | Directive on how information is managed. |
Location and jurisdiction policies | Any geographical consideration. |
Authorizations | Who can access what information. |
Contractual controls | To ensure governance requirements are implemented and followed. |
Security controls | Tools to implement information governance. |
Yes-or-no questions are often used to help with classification in practice. For example:
There are 3 types of data classification approaches out there today:
Type | Summary |
---|---|
User-based | Data owners are expected to select the appropriate classification for a particular data set. |
Content-based | System-interpreted classification that looks for known sensitivity within the data. |
Context-based | System-interpreted classification that looks for sensitivity based on the context (e.g. location, time, user, etc.). |
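
The three approaches in the table above can be sketched side by side. This is an added example, not part of the original notes; the label names, regular expressions, department names, paths, and the "highest label wins" rule are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumed label scheme, lowest to highest sensitivity (not from the notes).
LEVELS = ["public", "internal", "confidential"]
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")       # candidate card numbers
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def content_based(text: str) -> str:
    """Content-based: look for known sensitive patterns inside the data."""
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "confidential"
    return "internal" if EMAIL_RE.search(text) else "public"

@dataclass
class Context:
    user_dept: str   # who created or handles the data (hypothetical values)
    location: str    # where it is stored (hypothetical paths)

def context_based(ctx: Context) -> str:
    """Context-based: infer sensitivity from user and location only."""
    if ctx.user_dept in {"finance", "hr"} or ctx.location.startswith("/shares/payroll/"):
        return "confidential"
    return "internal" if ctx.location.startswith("/shares/") else "public"

def classify(text: str, ctx: Context, user_label: str = "public") -> str:
    """Combine all three approaches; the highest label wins (assumed policy)."""
    votes = [user_label, content_based(text), context_based(ctx)]
    return max(votes, key=LEVELS.index)

if __name__ == "__main__":
    # Constructed samples: a well-known test card number and made-up paths.
    print(classify("Refund to 4111 1111 1111 1111", Context("sales", "/tmp/a.txt")))
    print(classify("Lunch menu", Context("hr", "/home/u/menu.txt")))
    print(classify("Lunch menu", Context("sales", "/tmp/menu.txt"), "internal"))
```

The Luhn check keeps the content-based rule from flagging arbitrary 16-digit order numbers, and the second sample shows the context-based rule catching data whose content looks harmless.
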
Information management describes how organizations manage information throughout its lifecycle. It facilitates getting the right information to the right people, in the right format and at the right time.
The following common lifecycle model also aligns with the “Data Security Lifecycle” model from CSA, which focuses more specifically on data security.
The following is a list of potential controls for each phase of the lifecycle.
Phase | Controls |
---|---|
Create | Labels and entitlements. |
Store | Encryption-at-rest and access controls. |
Use | Access control lists and activity monitoring. |
Share | Encryption-in-transit and data loss prevention (DLP). |
Archive | Encryption and asset management. |
Destroy | Content discovery. |
Information management policies should contain the following information:
The following is a list of considerations when thinking about locations and permissions/rights in the information lifecycle.
Category | Example |
---|---|
Accessing the data | Intention - read, update, use, share, archive, and destroy. |
Processing the data | Action - completing a business transaction. |
Storing the data | Storing - commit to storage. |