Tommy Gjertsen

Information Governance

The following are personal study notes on the topic of information governance.

Definition

For this post, I’ll be using the definition of information governance from the NIST:

A set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority and management and decision making parameters related to the data produced or managed by the enterprise.

Domains

Domain Summary
Ownership and custodianship To ensure accountability if anything happens to the information.
Information classification Decision criteria for deciding on where and how information is stored.
Information management policies Directive on how information is managed.
Location and jurisdiction policies Any geographical consideration.
Authorizations Who can access what information.
Contractual controls To ensure governance requirements are implemented and followed.
Security controls Tools to implement information governance.

Information Classification

Yes- and no questions are often used to help with classification in practice. For example:

Methodologies

There are 3 types of data classification approaches out there today:

Type Summary
User-based Data owners are expected to select the appropriate classification for a particular data set.
Content-based System-interpreted classification that looks for known sensitivity within the data.
Context-based System-interpretet classification that looks for sensitivity based on the context (e.g. location, time, user, etc.)

Information Management

Information management describes how organizations manage information throughout its lifecycle. It facilitates the right information to the right people, in the right format and time.

Principles:

Lifecycle

The following common lifecycle model also aligns with the “Data Security Lifecycle” model from CSA, which more specfically focuses on data security.

Controls

The following is a list of potential controls for each phase of the lifecycle.

Phase Controls
Create Labels and entitlements.
Store Encryption-at-rest and access controls.
User Access control lists and activity monitoring.
Share Encryption-in-transit and data loss prevention (DLP).
Archive Encryption and asset management.
Destroy Content discovery.

Policies

Information management policies should contain the following information:

Locations and Entitlements

The following is a list of considerations when thinking about locations and permissions/rights in the information lifecycle.

Locations

Entitlements

Functions, Actors, and Controls

Category Example
Accessing the data Intention - read, update, use, share, archive, and destroy.
Processing the data Action - completing a business transaction.
Storing the data Storing - commit to storage

References

Similar posts