The amount of data coming into the average company is increasing by 30% to 35% every year. Since data also flows the other way, companies have concerns about their intellectual property, trade secrets and financial records. There are challenges on the information security side, the privacy side and the compliance side. Even though there isn’t a regulating act in India as of now, let’s focus our discussion on the following areas:
1) Collection of data: Most MNCs bring their data into India because of the safe harbor agreement, but they are also liable to meet all the requirements they have agreed to. Data governance should ensure that companies clearly know what they have to collect. They have to inform end users in advance about the purpose of the collection. Collection is a major issue; hence data governance will stipulate what has to be collected, how it will be collected, where it has to be stored and how long it has to be stored.
2) Access to information: When we say governance of data, we mean a combination of quality, processes and technologies. The individual policies, processes and procedures related to it should be outlined. Once the collection is done, there has to be a clear understanding as to who will access this data. Is everybody in the organization allowed to access the data, or will only specified people have access to it? This has to be spelled out in great detail, because most data collection laws state that you can use collected data only for the specific purpose for which it was collected and not beyond it. If you do need to use it beyond that purpose, you should get in touch with the end user again and seek permission.
3) Awareness of the sensitivity of data: For effective governance of data, the people who use the data should understand its sensitivity. For example, an infrastructure management company may have around 1,000 servers. Out of these, 100 servers may hold critical information which the people handling them may not be aware of. If no data governance or awareness process is created, these people can always say that they didn’t know there was anything critical there. The same applies to incident response: once it is known that the information held on a particular server or database is critical, that system can be prioritized, so if any suspicious attachments or activity are seen coming from it, the incident response plan can be prioritized accordingly.
4) Security: There are times when we need to transfer data to vendor partners, third-party users, testing teams, etc. Under the governance of data, we need to ensure that the third party to which we transfer the data also has adequate security, is also aware of the sensitivity of the data, and will also handle the data in a similar manner.
5) Preservation of data: Some regulations mandate that you store data for seven years; others suggest that you preserve the data for a year. So we have to formulate retention rules according to the need. The data which must be preserved has to be kept in encrypted form to avoid any kind of breach. Here too, governance of data is needed. Besides, for storage, there should be a proper statement of how the data is going to be stored.
6) Disposal of data: As part of the governance of data, you should have clarity on how you will dispose of the data. Whether it is a hard copy or a soft copy, there should be a clear understanding of how to dispose of it. A higher-ranking team should validate this as part of your data governance strategy.
About the author: Sunil Varkey, CIPP, CISSP, CGEIT, is a senior security & privacy professional currently working for Barclays in Pune.
(As told to Anuradha Ramamirtham)