Data Governance

Regardless of where you are within an IT organization’s staff, you should have some background with tools that enable you to detect and prevent attacks against your organization’s data. It may be unlikely that you control or influence enough of your company’s IT process to implement a complete security framework or security awareness program, but you can certainly advocate that one be implemented. Implementing data governance as a complete security framework trumps simply educating staff about the risks with a security awareness program.

Data governance is an emerging discipline in the IT industry. At present, data governance in many organizations means completely different things. The following sections discuss how you overcome resistance to, implement, and develop an ongoing culture of data governance.

Overcoming Resistance to Data Governance

Many companies resist data governance because they have an unspoken bias against security. The bias is often rooted in employee perceptions that data governance restricts the employees’ ability to exercise day-to-day discretion over their job responsibilities. Database administrators (DBAs) and database engineers (DBEs) resist data governance policies because such policies negatively impact metrics that drive DBA and DBE direct or variable compensation. For example, DBAs and DBEs may receive a year-end bonus for achieving greater throughput and machine optimization, but data governance policies may make such achievements impossible. DBAs and DBEs also see anything that impedes their ability to optimize the database server as an obstacle to overcome. These are a few reasons why DBAs and DBEs see data governance policies as a hindrance to their work. While they should value data governance policies as helpful to their charter of securing the data, they often perceive them as attempts to block normal access to the database server.

Security measures are always intended to block unauthorized access to data, not to block normal maintenance access to data. Security should hinder intruders so that they can’t get to the data, but it should not overtly restrict normal business processes—such as tuning the database server. Unfortunately, security does erect barriers to normal and productive tasks. Overcoming resistance to these barriers is complicated because DBAs and DBEs keenly understand the following:

  • Their business customers’ demands for information that is highly available and easy to access
  • Their performance metrics for salary increases and bonuses

Management may recognize the reasons for DBA and DBE resistance to implementing data governance. It’s also widely known how often large, well-known software companies release to market products with known bugs and serious security vulnerabilities. Management also recognizes the pressure to implement these products quickly in their businesses. That pressure to implement newly released software can compromise a team’s adherence to security policies that screen for vulnerabilities. Attackers waiting to exploit these vulnerabilities are elated when DBAs and DBEs fail to guard against them.

Management’s conundrum is simple and generally based on a risk management model that weighs four things:

  • The metrics assigned to DBAs and DBEs support their internal customers’ business requirements, and also support their management compensation plans.
  • Bugs and security vulnerabilities threaten the viability of software solutions, and place at risk employee and management compensation pools.
  • Senior management focuses on things managers can control and influence directly.
  • Senior management’s lack of focus on quality and assurance leaves wiggle room for lapses in quality, which may translate to security vulnerabilities in application software, networks, and database deployments.

Managers seldom remove performance metrics as a factor in DBA or DBE compensation because motivating DBAs and DBEs to achieve certain metrics helps the managers to ensure that their units meet performance targets that directly affect the managers’ own compensation. The managers’ risk assessment is a simple application of the principle of lost opportunity cost in economics. They must determine and weigh, “What is the lost opportunity cost of having a DBA or DBE fail against performance metrics?” and “What is the lost opportunity cost of having a DBA or DBE guarantee the security compliance of software before release?”

Management typically solves the conundrum when executive or senior management changes the subordinate unit’s metrics to reflect a zero tolerance policy. A zero tolerance policy means that addressing security vulnerabilities trumps all other productivity issues. That means the unit managers must alter DBA and DBE metrics to focus their efforts on eliminating security vulnerabilities. Once executive or senior management makes such a decision, companies or corporations gain the ability to implement an effective data governance program.

Implementing Data Governance

Data governance is the process of managing the proper use, control, access, quality, security, and retention of company hardware and software. This includes compliance with all licenses and fair use requirements. 

Data Governance Unit

A data governance unit acts much like an inspector general’s office in a military or governmental organization. It is a central policy making and enforcement unit within a corporation, and it is managed outside of the normal chain-of-command. Day-to-day profit and loss responsibilities can’t let business units opt in or out of the program. The benefits of effective data governance can only be achieved when you implement it across the organization. A data governance unit should exercise complete authority and control over all of the organization’s data assets. 

The best approach is to leverage an existing organizational unit to implement a new data governance program. This suggestion follows the recommendation of Robert Seiner, one of the pioneers in data governance. Using an existing organizational unit promotes a less-intrusive impact to a company or corporation. As a practical matter, data governance should report through your chief counsel’s (or corporate law) office. 

Data Governance Process

Without getting too deep into the definitions and issues of data governance, this section describes the best practices necessary to make database security a reality in an organization. An organization lays the foundation for these best practices by ceding authority to a single entity to define, maintain, and audit compliance with corporate or company standards. 

All departments must be held to the corporate standard and should be measured periodically and without advance notice. Measurements should include having a paid hacker try to exploit services that should be secured by compliance against corporate policy.

The governance process should adhere to a mission statement agreed upon by an executive committee that acts as the data governance board of directors. An executive commitment to data governance requires a long-range objective, such as: “All data stores shall be treated as confidential repositories and shall be secured against intruder access within two years.”

Tactical implementation would occur by establishing short-range objectives, like:

  • Define, approve, and implement a data classification scale, process, and initiative to identify all confidential data stores before next fiscal year.
  • Define, approve, and implement a database security policy before the end of this fiscal year.
  • Define, approve, and implement a process for updating database security policies against new threats and vulnerabilities by the end of each fiscal year.

Accomplishment of the short-range objectives leaves you with the need to define integrated business metrics for future operating years. By way of example, you may implement the following key measures for your database security policy: 

  • All security patches will be applied to all databases within one week of their availability.
  • All databases will be deployed and administered in a secure area.
  • All database audit logs will be reviewed daily by production, stage, test, and development DBAs.
  • All database audit logs and daily activity will be collected and reported weekly to the stakeholder (or process holder).

Data Governance Compliance

You need a neutral method for collecting statistics across the organization. The best collection systems employ objective metrics and collect data points from multiple systems. Companies should implement this type of approach consistently across all units within the organization. 

Metrics should be reported to the unit, peer units, and stakeholders. Costs associated with implementing and managing data governance should become a cost of all profit/loss units, and costs should be billed to individual cost centers on an accounting period-by-period basis.

Data Governance Reports

Compliance reports should measure two things: process stability and process improvement. Process improvement should be measured by monitoring compliance against an annual unit goal.

Compliance and noncompliance with the company or corporate standard should be reported. Compliance should be rewarded by the compensation model, and, by extension, noncompliance should be punished by the compensation model and subject to potential disciplinary action. 

Open access to metric information should be available to DBAs, DBEs, and their managers, but that access should be closely guarded. The data should measure actual performance against individual types of security vulnerabilities.

Data Governance Remediation

The data governance unit should develop and deploy tools that enable individual DBAs and DBEs to evaluate and fix any security vulnerability. Failure during periodic metric collection should lead to the engagement of the data governance unit as a mentor in acquiring and maintaining database security skills.

Developing a Culture of Data Governance

Developing a culture of data governance requires teaching staff about security and explaining the costs and benefits of the corporate data governance program. Like any change management process, developing a culture of data governance may require an internal marketing campaign and an initial award system for early adopters of the new security standards.

Initial awards, such as payment in cash or kind, are one type of incentive to adopt new security standards. Over time, you can also use punishment/fear (such as a salary deduction for noncompliance) and competition (for example, by measuring compliance with data governance procedures among distinct internal groups).

The Chief Information Security Officer should be the person who is responsible for using the summary report information to motivate groups and to report compliance/noncompliance to executive management.

While changing an organization’s general IT culture is a large and complex process, the return on investment is generally very positive. Likewise, it’s imperative to secure the data from intrusive attacks, and failure to do so isn’t an option.
