Ensuring Data Governance for effective data privacy and security
Alan D. Duncan, September 2013
A bit about me…
• Alan Duncan, Director of Data Governance, UNSW
• 21 years Information Management & Business Consulting
• EDS, KPMG, CPW, Acuma, Pelion, SMS
• Scottish Power, United Distillers, O2, Astra Zeneca, Carphone Warehouse, Vodafone, Riyad Bank
• Commonwealth Bank, NSW Roads & Maritime Services, Centrelink, OATSIH, NSW Family & Community Services, CASA, AMSA, FaHCSIA, DAFF, Navy…
• Information-Management.com “Top 12 on Twitter”
• Best Supporting Actor, 2005 Barnet Drama Festival
Agenda
• The capabilities required for an Enterprise approach to Data Governance
• Regulatory requirements and compliance: privacy, security and openness
• The relationship between Data Governance and Information Security
• Achieving compliance in a cost-effective manner
PART 1: Capabilities for Enterprise Data Governance, sponsored by Socrates
“The beginning of wisdom is the definition of terms”
Data Governance Principles
Information is treated as an organisational asset and is readily available to support evidence-based decision-making and informed action.
• We value – data and information as an asset and a strategic resource. Any information holdings will be appropriately protected.
• We trust – in our information and each other. Access to and use of data should promote trust and confidence.
• We share – information. Information is accessible, discoverable and transparent.
• We re-use – information from specified authoritative sources (“single source of truth”), collected in a consistent manner.
• We manage – information actively. Information is managed throughout its lifecycle and practices are standardised across the business.
• We govern – information. We have formally assigned information owners and stewards with clear accountability.
Drivers for improved IM & DG…
• New information-processing technologies
• Capabilities to meet unmet business needs
• Agility to meet changing business demands?
• Market competition
Target state for Data Governance
Evangelism, methods, joined-up collection strategies & change management
Information Management Operating Model
Enterprise Data Governance & Information Management
• Information Management Steering Committee
• Information Ownership & Stewardship (Resources)
• Information Management Competency Centre (Resources)
• Information Management Policies Framework (Controls)
• Data Quality Management (Process)
• Information Asset Management (Process)
• Master Data Management (Process)
• Metadata Management (Process)
• Records Management (Process)
• IM Solutions Implementation (Process)
Data Governance capabilities
• Information Services & Delivery Teams (e.g. IARO, FPM, Records, EDW)
• Data Governance Unit: facilitate, communicate, support, broker, arbitrate
Data Quality Management, sponsored by Mark Twain
“Get your facts first, then you can distort them as you please.”
Information Model: Level 0 Domains
Information Models & Business Glossary, sponsored by Lewis Carroll
“When I use a word,” Humpty Dumpty said in rather a scornful tone, “it means just what I choose it to mean – neither more nor less.”
Information Asset Management, sponsored by Immanuel Kant
• System Interfaces map
• Information Asset Register (inventory)
“Science is organized knowledge. Wisdom is organized life.”
Common principles, methods & standards
Continuous improvement, sponsored by Niccolo Machiavelli
“Whosoever desires constant success must change his conduct with the times.”
Data Governance structures
Formal accountability and decision-making, sponsored by Moliere
“It is not only what we do, but also what we do not do, for which we are accountable.”
A word on Information Delivery Services…
• Data Governance / Information Management Sponsoring Group
• Data Governance Strategy & Roadmap
TALKING POINT: Evidence-based decision-making, sponsored by Carl Sagan
“I try not to think with my gut. If I‘m serious about understanding the world, thinking with anything besides my brain, as tempting as that might be, is likely to get me into trouble.”
PART 2: Impact of regulatory requirements, sponsored by Winston Churchill
“All I want is compliance with my wishes, after reasonable discussion.”
2. Implications of regulatory requirements
• The legislative agenda
• Implications: Privacy, Sensitivity, Openness
• The Cloud?
• Bottom line
There’s a lot of legislation!
• Freedom of Information Act 1982 (Cth)
• Freedom of Information Amendment (Reform) Act 2010 (Cth)
• Privacy Act 1988 (Cth)
• Privacy Amendment (Private Sector) Act 2000
• Privacy Amendment Act 2012 (Cth)
• Privacy Amendments (Privacy Alerts) Bill 2013 (Cth)
• State Records Act 1998 (NSW)
• Government Information (Public Access) Act 2009 (NSW)
• Privacy & Personal Information Protection Act 1998 (NSW)
• Health Records & Information Privacy Act 2002 (NSW)
• NSW Government Guide To Labelling Sensitive Information 2011 (NSW Finance & Services)
• Australian Government Cloud Computing Strategic Direction 2011 (AGIMO)
• Australian Government Cloud Computing Policy 2013 (AGIMO)
Implications – Privacy
Based on the NSW State Privacy Principles (per PPIP Act 1998): http://www.legislation.nsw.gov.au/maintop/view/inforce/act+133+1998+cd+0+N
Implications – Sensitivity/Security
Based on the NSW State information labelling standards: http://www.finance.nsw.gov.au/sites/default/files/backup_migrate/manual/Labelling%20Sensitive%20Information%202011.pdf
Is “Open Data” a good thing? http://www.ted.com/talks/tim_berners_lee_the_year_open_data_went_worldwide.html
What about “The Cloud”?
In principle, it’s just another place to store data, so the same security principles apply…
But Uncle Sam has other ideas…
• US Patriot Act 2011
• US Foreign Intelligence Surveillance Act (FISA) 1978
• FISA Amendment Act of 2008
• Protect America Act of 2007
It is suggested that data of sensitivity classifications X-IN-CONFIDENCE, PROTECTED and HIGHLY PROTECTED is not stored in public cloud-based solutions (Google, Dropbox, iCloud etc.).
TALKING POINT: “Need to know” principle, sponsored by Benjamin Franklin
“Three can keep a secret, if two of them are dead.”
PART 3: The relationship between Data Governance and Information Security, sponsored by Niccolo Machiavelli
“I’m not interested in preserving the status quo; I want to overthrow it.”
3. Relationship between Data Governance & Information Security
• Information Asset Management
  • Know what you’ve got!
  • Know who’s responsible for it.
• Data Classification
  • Know the implications
• Security delivery
  • Implementation of security controls
  • Partnerships & accountability
Aligning info assets with business outcomes
• System Interfaces map
• Information Asset Register (inventory)
• The “Information Asset Community”
Data Ownership & Stewardship
• Business processes
• Information Stewards
• Chief Steward & IMCC (cross-functional, cross-domain)
NB Risk Point: the owner of the data acquisition process may not be the most appropriate owner for the information asset!
TALKING POINT: Evidence-based decision-making, sponsored by Aldous Huxley
“The deepest sin against the human mind is to believe things without evidence.”
PART 4: Compliance in a cost-effective manner, sponsored by Voltaire
“The art of government is to make two-thirds of a nation pay all it possibly can for the benefit of the other third.”
4. Achieving compliance in a cost-effective manner
• Delivering information value
• Shared planning
• Data lifecycle and SDLC
“True Facts”: Data Governance and Information as a Service
• Identify measurable and targeted Business Outcomes
  • Why do we need information? For whom? What will we do differently?
• Confirm the Information Holdings & Gaps
  • What do we need to provide? (Content + Context)
• Establish DG Operating Model
  • Who is accountable? By what processes?
• Implement DG/IMCC Services Catalogue
  • What core capabilities do we need?
• Execute Activities & Tasks
  • How do we deliver? Who does the work?
Tracking the value: Information Benefits Register
• The Information Benefits Case monetises the expected value to be derived from standing up the IMCC/DG capability
• Institutional reputation and compliance benefit from avoiding or mitigating risk
• Information value to IT is typically characterised by improvements in efficiency
• Information value to the Business is characterised by improvements in effectiveness
Linking the Data Governance Lifecycle & SDLC
Specific and explicit milestones mapped into the Business Operating Model & SDLC
FINAL THOUGHTS: Collaboration & knowledge sharing, sponsored by Lao Tsu
“Respond intelligently even to unintelligent treatment.”
Consistency of messaging, sponsored by Lewis Carroll
“What I tell you three times is true.”
Further reading
And of course: http://www.informationaction.blogspot.com.au/