Study Notes: CCSK Information Governance

Here are my study notes from the Information Governance chapter of Graham Thompson’s CCSK book.

Definitions

| Organization | Data Governance Definition |
| --- | --- |
| CSA | Ensuring the use of data and information complies with organizational policies, standards and strategy – including regulatory, contractual, and business objectives. |
| NIST | A set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority and management and decision-making parameters related to the data produced or managed by the enterprise. |

Cloud Information Governance Domains

| Domain | Details |
| --- | --- |
| Ownership and custodianship | Legally accountable for controlled data. |
| Information classification | Criteria for if, how, and where to store and process data. |
| Information management policies | Directive control for how data and information should be managed. |
| Location and jurisdiction policies | Geographical considerations to address. |
| Authorizations | Who is allowed to access specific information. |
| Contractual controls | Ensuring appropriate governance requirements are implemented and followed. |
| Security controls | Tools required to implement data governance. |

Classification Types

| Type | Example |
| --- | --- |
| User-based | Email classification level option in Outlook |
| Content-based | Document scanning |
| Context-based | Signals like C-level executive reports |

Questions to ask

Get familiar with these types of questions. They are helpful for getting into a governance mindset and thinking practically about an otherwise technical subject.

  • Does the data contain personal information?
  • Does the data contain health record information?
  • Does the data contain information that, if compromised, would jeopardize an individual’s safety?
  • Does the data contain information that, if compromised, would embarrass an individual?
  • Does the data contain trade secrets or company intellectual property?
  • Does the data contain information that is, or is expected to be, publicly available?

Information management

Information management makes information available to the right person in the right format, at the right time.

  • Avoid collecting duplicate information.
  • Share and reuse information with respect to legal and regulatory restrictions.
  • Ensure that information is complete, accurate, relevant, and understandable.
  • Safeguard information against unlawful access, loss, and damage.
  • Preserve information in accordance with its operational, legal, financial and historical value.

Information Lifecycle

In the book, security is presented as a separate section, but I’ve merged the concepts into a one-table overview, so you can see how each phase of the information lifecycle relates to its security considerations.

| Phase | Description | Security |
| --- | --- | --- |
| 1 | Create/collect | Classification, entitlements |
| 2 | Store | Encryption-at-rest, access controls, rights management, content discovery |
| 3 | Use | Access control lists, application security, activity monitoring, logical controls |
| 4 | Share | Encryption in transit, data loss prevention, logical controls, application security |
| 5 | Archive | Encryption, asset management |
| 6 | Destroy | Content discovery, crypto shredding |

Locations and Entitlements

The following is a list of considerations when thinking about locations and permissions/rights in the information lifecycle.

Locations

  • Where is the data located?
  • Where is the device located?

Entitlements

  • Who is accessing the data?
  • How are they accessing it?
  • What are they doing with it?

Functions, Actors, and Controls

| Category | Example |
| --- | --- |
| Accessing the data | Intention - read, update, use, share, archive, and destroy. |
| Processing the data | Action - completing a business transaction. |
| Storing the data | Storing - commit to storage. |

Information Management Policy

The following are key items to include in an IM policy.

| Part | Description |
| --- | --- |
| Purpose | Addresses the management of corporate information from creation to use, to disposition or destruction. |
| Scope | Records that document company business transactions, decisions, and activities. |
| Policy statements | How assets should be considered and treated according to respective agreement terms. |
| Compliance and enforcement | How policy alignment and violation is handled by the organization. |