Information Governance

The following are personal study notes on the topic of information governance.

Definition

For this post, I’ll be using the definition of information governance from the NIST:

A set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority and management and decision making parameters related to the data produced or managed by the enterprise.

Domains

Domain	Summary
Ownership and custodianship	To ensure accountability if anything happens to the information.
Information classification	Decision criteria for deciding on where and how information is stored.
Information management policies	Directive on how information is managed.
Location and jurisdiction policies	Any geographical consideration.
Authorizations	Who can access what information.
Contractual controls	To ensure governance requirements are implemented and followed.
Security controls	Tools to implement information governance.

Information Classification

• Information classification is the process of grouping data with evaluation and labelling.
• The responsibility of classification usually sits with the data owners.
• Must be an ongoing activity as the value of information can increase or decrease over time.

Yes- and no questions are often used to help with classification in practice. For example:

• Does the data contain personally identifiable information (PII)?
• Does the data contain health record information?
• Does the data contain information, if compomised, would jeopardize an individual’s safety?
• Does the data contain information that, if compromised, would embarrass an individual?
• Does the data contain trade secrets or company intellectual property?
• Does the data contain information that is, or is expected to be, publicly available?

Methodologies

There are 3 types of data classification approaches out there today:

Type	Summary
User-based	Data owners are expected to select the appropriate classification for a particular data set.
Content-based	System-interpreted classification that looks for known sensitivity within the data.
Context-based	System-interpretet classification that looks for sensitivity based on the context (e.g. location, time, user, etc.)

Information Management

Information management describes how organizations manage information throughout its lifecycle. It facilitates the right information to the right people, in the right format and time.

Principles:

• Avoid collecting duplicate information.
• Share and reuse information with respect to legal and regulatory requirements.
• Ensure that information is complete, accurate, relevant, and understandable.
• Safeguard information in accordance with its operational, legal, financial, and historical value.

Lifecycle

The following common lifecycle model also aligns with the “Data Security Lifecycle” model from CSA, which more specfically focuses on data security.

• Create/collect - any type of data created or collected.
• Store - the need to determine storage requirements.
• Use - data is viewed or processed.
• Share - made available to others.
• Archive - little to no value.
• Destroy - no longer needed.

Controls

The following is a list of potential controls for each phase of the lifecycle.

Phase	Controls
Create	Labels and entitlements.
Store	Encryption-at-rest and access controls.
User	Access control lists and activity monitoring.
Share	Encryption-in-transit and data loss prevention (DLP).
Archive	Encryption and asset management.
Destroy	Content discovery.

Policies

Information management policies should contain the following information:

• Purpose
• Scope
• Statements
• Compliance and enforcements

Locations and Entitlements

The following is a list of considerations when thinking about locations and permissions/rights in the information lifecycle.

Locations

• Where data is the data located?
• Where is the device located?

Entitlements

• Who is accessing the data?
• How are the they accessing it?
• What are they doing with it?

Functions, Actors, and Controls

Category	Example
Accessing the data	Intention - read, update, use, share, archive, and destroy.
Processing the data	Action - completing a business transaction.
Storing the data	Storing - commit to storage

References

• CSA Security Guidance
• NIST - Information Governance

Similar posts

• Enterprise governance and risk management
• NIS2 Reporting Obligations
• NIS2 Cybersecurity Policies
• Study Notes: CCSK Identity, Entitlement, and Access Management
• Study Notes: CISSP Security Concepts