Study Notes: CCSK Information Governance
Here are my study notes from Information Governance in Graham Thompson’s CCSK book.
Definitions
Organization | Data Governance Definition |
---|---|
CSA | Ensuring the use of data and information complies with organizational policies, standards and strategy – including regulatory, contractual, and business objectives. |
NIST | A set of processes that ensures that data assets are formally managed throughout the enterprise. A data governance model establishes authority and management and decision-making parameters related to the data produced or managed by the enterprise. |
Cloud Information Governance Domains
Domain | Details |
---|---|
Ownership and custodianship | Legally accountable for controlled data. |
Information classification | Criteria for if, how, and where to store and process data. |
Information management policies | Directive control for how data and information should be managed. |
Location and jurisdiction policies | Geographical considerations to address. |
Authorizations | Who is allowed to access specific information. |
Contractual controls | Ensuring appropriate governance requirements are implemented and followed. |
Security controls | Tools required to implement data governance. |
Classification Types
Type | Example |
---|---|
User-based | Email classification level option in Outlook |
Content-based | Document scanning |
Context-based | Signals like C-level executive reports |
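An added example (not from the book) of how the three classification types combine in practice: a user-chosen label, a content scan, and context signals each propose a level, and the highest wins, so a document a user marked "internal" still ends up "restricted" when the scanner finds health-record content. The regexes and role/system tables are constructed for illustration, not taken from any real classifier.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["public", "internal", "confidential", "restricted"]  # ordered low to high

# Content-based: what a document scanner looks for (constructed, illustrative patterns).
CONTENT_RULES = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "restricted"),              # SSN-shaped token
    (re.compile(r"\b(diagnosis|patient id)\b", re.I), "restricted"),   # health-record hint
    (re.compile(r"\b(trade secret|proprietary)\b", re.I), "confidential"),
    (re.compile(r"\bfor internal use only\b", re.I), "internal"),
]

# Context-based: signals about where the document came from, not what it says.
CONTEXT_RULES = {
    "author_role": {"ceo": "confidential", "cfo": "confidential", "board": "restricted"},
    "source_system": {"hr": "confidential", "finance": "confidential", "marketing": "public"},
}


@dataclass
class Document:
    text: str
    user_label: Optional[str] = None      # user-based: the label the author picked, if any
    context: dict = field(default_factory=dict)


def classify(doc: Document) -> tuple:
    """Return (level, reasons). Every matching rule is recorded; the highest level wins."""
    level, reasons = "public", []

    def raise_to(candidate: str, why: str) -> None:
        nonlocal level
        if LEVELS.index(candidate) > LEVELS.index(level):
            level = candidate
        reasons.append(f"{why} -> {candidate}")

    if doc.user_label in LEVELS:
        raise_to(doc.user_label, "user-based label")
    for pattern, lvl in CONTENT_RULES:
        if pattern.search(doc.text):
            raise_to(lvl, f"content-based match {pattern.pattern!r}")
    for key, table in CONTEXT_RULES.items():
        value = str(doc.context.get(key, "")).lower()
        if value in table:
            raise_to(table[value], f"context-based {key}={value}")
    return level, reasons
```

The returned reasons list is what you would log so that a mislabelled document can be traced back to the rule that raised it.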
Questions to ask
Get familiar with these types of questions. They are helpful to get into a governance mindset and think practically about an otherwise technical subject.
- Does the data contain personal information?
- Does the data contain health record information?
- Does the data contain information that, if compromised, would jeopardize an individual’s safety?
- Does the data contain information that, if compromised, would embarrass an individual?
- Does the data contain trade secrets or company intellectual property?
- Does the data contain information that is, or is expected to be, publicly available?
Information management
Information management makes information available to the right person in the right format, at the right time.
- Avoid collecting duplicate information.
- Share and reuse information with respect to legal and regulatory restrictions.
- Ensure that information is complete, accurate, relevant, and understandable.
- Safeguard information against unlawful access, loss, and damage.
- Preserve information in accordance with its operational, legal, financial and historical value.
Information Lifecycle
In the book, security is presented as a different section, but I’ve merged the concepts into a one-table overview, so you can see how each phase of the information lifecycle relates to its security considerations.
Phase | Description | Security |
---|---|---|
1 | Create/collect | Classification, entitlements |
2 | Store | Encryption-at-rest, access controls, rights management, content discovery |
3 | Use | Access control lists, application security, activity monitoring, logical controls |
4 | Share | Encryption in transit, data loss prevention, logical controls, application security |
5 | Archive | Encryption, asset management |
6 | Destroy | Content discovery, crypto shredding |
Locations and Entitlements
The following is a list of considerations when thinking about locations and permissions/rights in the information lifecycle.
Locations
- Where is the data located?
- Where is the device located?
Entitlements
- Who is accessing the data?
- How are they accessing it?
- What are they doing with it?
Functions, Actors, and Controls
Category | Example |
---|---|
Accessing the data | Intention - read, update, use, share, archive, and destroy. |
Processing the data | Action - completing a business transaction. |
Storing the data | Storing - commit to storage |
Information Management Policy
The following are key items to include in an IM policy.
Part | Description |
---|---|
Purpose | Addresses the management of corporate information from creation to use, to disposition or destruction. |
Scope | Records that document company business transactions, decisions, and activities. |
Policy statements | How assets should be considered and treated according to respective agreement terms. |
Compliance and enforcement | How policy alignment and violation is handled by the organization. |