Guest Post - Sasenka Abeysooriya - Data governance is essential to cyber security

Thanks to my colleague Sasenka Abeysooriya for kindly contributing his expertise and time to write an article on data governance and its importance to cyber security.  Sasenka not only is an expert in data governance, but also a keen supporter of the community. He is on the Board of Directors of Put Them First a not-for-profit organisation committed to enhancing the alternative care system for young children.

[image credit  Tianyi Ma]

Cyber security is getting a lot of publicity in recent years. Ever-more sophisticated cyberattacks involving malware, cross-site scripting, denial of service and other attacks have placed organisations big and small at constant risk. Even unsophisticated attacks like phishing have continued to advance and evolve over the past few years, and cause organisations problems on a daily basis. In January 2019, Australia’s Parliament House was compromised by one simple click of a mouse and punched a digital hole in what should have been one of the country’s most secure Information Technology (IT) systems.[i]

As concerns about cyber threats have grown, businesses are making greater investments in developing business continuity plans in the event of a cyber-attack and purchasing cyber insurance policies. Worldwide spending on cyber security is forecasted to reach $133.7 billion in 2022[ii].

An increasing number of organisations have invested in incident response capabilities. Organisations have a number of individuals dedicated to analysing traffic flows and monitoring for cyber-attacks. These types of roles have proven to be effective in many situations, as it can minimise downtime, increase customer trust, consequently yielding financial advantages. They are often intimately involved with IT application and infrastructure teams to inform the type of security controls necessary to keep the organisation safe from cyber threats.

In recent years, we have seen a shift in security investments from threat prevention to threat detection. This requires an investment in security operations centres (SOCs) as the complexity and frequency of security alerts grow. According to Gartner, by 2022, 50 percent of all SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat-hunting capabilities, up from less than 10 percent in 2015.[iii]

But in many organisations, there are still some fundamental questions unanswered. Questions such as;

• What are we ultimately protecting?
• When have we applied enough security controls?
• Who should be accountable and/or responsible?

Understanding cyber security

To answer these questions, it is important to understand what cyber security is. Cyber security refers to a set of techniques used to protect the integrity of an organization’s security architecture and safeguard its data against attack, damage or unauthorised access.[iv] At its core, cyber security involves protecting data from cyber threats.

Data is a valuable resource. According to The Economist, the world’s most valuable resource is no longer oil, but data[v]. Therefore, it would only make sense that the minimum security requirements are informed by the type of data that needs to be protected. That determination is commonly made by performing a risk assessment and looking at the confidentiality, integrity and availability, also known as the CIA triad.

The CIA triad considerations are outlined below.

Data Confidentiality – Ensure the data is only accessible to authorised consumers. Consider the risks associated with unauthorised or inappropriate disclosure of the data.

Data Integrity – Ensure the quality, completeness and accuracy of the data. Consider the risks associated with changes to the data.

Data Availability – Ensure the data is available in the right format when it is needed. Consider the risks associated with data not being available or accessible.
Accountability for data

What happens more often than not, is that an organisation’s IT department, responsible for the management and maintenance of information systems, are also expected to determine the above CIA criteria specific to data and to implement what they deem to be appropriate safeguards.

This is often a sign that the roles and responsibilities for data within an organisation are not well understood. In most circumstances, the business subject matter experts are in a better position to answer the questions in relation to the confidentiality, integrity and availability requirements for the data.

Data governance can help with this. Clearly defined decision rights across an organisation is a key enabler of good data governance to support efficient decision making regarding the management of data through its lifecycle. Data governance roles and responsibilities exist to champion the vision for data management, build a data aware culture and ensure the right data is leveraged to achieve value across the organisation. The recommended governance roles and responsibilities crucial to the overall collection, management and use of data are listed below.

• Data Owner - has enterprise level authority and accountability under legislation for the collection and management of the organisations’ data. There can only be one Data Owner and this is most commonly the head of an organisation such as the CEO.
• Data Domain Custodian - is responsible for defining and implementing safeguards to ensure the protection of data. This must be done in accordance with the policies, procedures and rules approved by the Data Owner. There can be multiple Data Custodians within an organisation, but only one Data Custodian can be assigned to a single ‘data domain’. Examples of data custodians and domains are; Chief Financial Officer for finance data, Chief Human Resources Officer for human resources data, Chief Marketing Officer for marketing data, Head of Research and Development for research data etc.
• Data Steward – is responsible for the quality, integrity and use of datasets on a day-to-day basis. A Data Steward may manage multiple datasets. They are responsible for applying relevant policies, procedures and rules, including applying information security classifications and safeguarding the data from unauthorised access and abuse. There can be multiple Data Stewards within an organisation, but only one Data Steward can be assigned to a single ‘data sub-domain’. Taking the finance domain as an example, the sub-domains could be; budgeting data, forecast data, invoice data etc.
• Information Technology Service Providers - provide support to embed and implement governance controls and processes. This group includes the technical teams that provide system support and manage access to data including information systems.

Five knows of cyber security

Both data security and data governance share one common objective; protecting the organisation’s data. Data governance is a fundamental part of security. It ensures that the right people have the right access, whilst data security makes sure that enterprise data is safeguarded.

The ‘five knows of cyber security’[vi], developed by former Chief Security Officer; Mike Burgess from Telstra, addresses five key questions that each organisation should be able to answer in relation to its data.

1. Do you know the value of your data?

2. Do you know who has access to your data?

3. Do you know where your data is located?

4. Do you know who is protecting your data?

5. Do you know how well your data is protected?

The questions above highlight the fact that data is central to cyber security. Data governance enables an organisation to answer these questions and therefore becomes central to effective cyber security controls.

The five knows of cyber security represents a significant shift in focus - from a technology discussion to one where senior management can engage in and contribute to the effective management of cyber security risk.

Although less about cyber security and more about data governance, The University of Queensland (UQ) has added one additional question to the list above as part of their Enterprise Data Governance Program. They included; ‘Do you know the quality of your data?’ This relates to data integrity, but is not always a security related concern.
Information security classification

Based on the confidentiality, integrity and availability requirements, a better understanding can be gained on the sensitivity and risk associated with a dataset. Based on that understanding, an information security classification can be assigned.

For instance:

• Data published on an organisation’s website outlining product and service information is classified as ‘public’ data.
• Data about the organisation’s employees, which includes personally identifiable information (PII), is most likely classified as ‘sensitive’ data.
• Data about a research project involving national security is most likely classified as ‘protected’ or ‘top secret’ data.

Understanding the information security classification of an organisation’s datasets is critical to informing cyber security controls. Controls can be categorised in a number of ways. For example, for sensitive datasets the following security controls might apply:

Enterprise-wide governance controls and processes

• A Data Steward must be assigned to each dataset
• A Data Steward must authorise access before access to a dataset is granted

Security and access controls

• Users must be vetted before gaining access to the data
• Multi-factor authentication must be used to gain access to the data

Storage and infrastructure controls

• Storage solution must have data encryption capabilities
• Data must be stored on infrastructure that is onshore

Data Stewards are the subject matter experts when it comes to the data and the associated values and risks. They have a better understanding of who should have access to the data (confidentiality), understand risks of data not being accurate (integrity) and any impact associated with the data not being available (availability).

Although it is sensible that Information Technology Service Providers provide input to security controls, it should ultimately be Data Custodians and/or Data Steward who make the final decision. Some notable reasons for this include that security controls come with an associated cost and may impact user experience. The business must ultimately own the decision to accept or mitigate business risk and decide how much it wants to invest in protecting its datasets.

Conclusion

Data governance is essential to cyber security. In order to protect against threats, organisations need to know what data to protect and how best to protect it. Data governance allows an organisation to identify its high value, high-risk datasets and allocate additional resources to protecting the data if necessary.

Note: This article was written to highlight the relationship between data governance and cyber security. The article has left out some other important aspects of data governance such as policies, metadata, master data, data literacy etc.

---

[i] https://www.abc.net.au/news/2019-11-15/cyber-attack-thwarted-on-parliament-house/11706444

[ii] https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019

[iii] https://www.gartner.com/en/newsroom/press-releases/2019-03-05-gartner-identifies-the-top-seven-security-and-risk-ma

[iv] https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-security

[v] https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data

[vi] https://www.telstra.com.au/content/dam/tcom/business-enterprise/security-services/pdf/5-knows-of-cyber-security.pdf

---------------------------------
Author:                         Mr Sasenka Abeysooriya
Position title:                Senior Strategic Adviser (Data Strategy & Governance)
Organisation:               The University of Queensland