The sensitive data given to government agencies needs to be protected. That much is obvious. But how? And how to be sure it stays protected? How can data consumers and other stakeholders gain confidence in how that data is being managed?
This is where governance frameworks come in handy. Frameworks are essential tools for government agencies to ensure that sensitive data (e.g., personal information, financial data, health information) is managed properly. These frameworks provide a set of guidelines, processes, and controls that help governments to effectively and securely handle sensitive data, whether it relates to national security, citizen privacy, or other critical areas. The big benefit to frameworks in this setting is consistency across many data sources as government agencies are often large, sprawling, and complicated.
This analysis will cover several ways that government agencies leverage frameworks and why that matters to protect the sensitive data they’re entrusted with.
Which companies are the most important vendors in cybersecurity? Click here to see the Acceleration Economy Top 10 Cybersecurity Shortlist, as selected by our expert team of practitioner-analysts.
The National Institute of Standards and Technology Cybersecurity Framework
One of the biggest risks that governments face when it comes to sensitive data is the risk of data breaches and cyber attacks. This of course isn’t unique to the public sector. Where the data goes, the attackers go. The threat profile changes depending on the industry: In the government setting there might be insider threats, nation states, hackers, and the typical cybercrime groups. The supply chain attacks that occurred with SolarWinds and Log4J are good examples of threats to the public sector.
Governance frameworks are in place that can help the public sector to detect and respond to potential threats in a timely and effective manner. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is one such example. This framework provides a set of best practices for protecting sensitive data and systems from cyber threats. One of the most appealing parts of the Cybersecurity Framework is how it looks across different phases or functional domains to:
- Identify: Identifying and managing assets that exist in an environment)
- Protect: Protecting identified assets by implementing security controls and building resilience against attacks
- Detect: Detecting attempts to exploit or compromise an asset
- Respond: Responding to potential attacks or clusters or suspicious activity through investigative activity
- Recover: Restoring the environment back to its normal operating state)
The Cyber Defense Matrix is an extremely useful tool to apply across this framework through the lens of different asset classes, data being one of them. If you run a government agency or similar organization, you can go through this exercise with particular use cases in mind. For example, how do devices, applications, networks, and users all relate to and intersect with data across these functional CSF domains? Rank your capabilities on a Control Objectives for Information and Related Technologies (COBIT)-style maturity model and be as honest as possible. The insights will be enlightening.
Another important aspect of governance frameworks is access management for sensitive data. This is especially important for the public sector, as agencies often hold a large amount of personal data on citizens and need to ensure that this data is only accessed by authorized individuals. Access management is connected not only to industry compliance frameworks but also, in some cases, to regulatory requirements like FISMA. To properly manage and protect sensitive data, agencies should be applying and layering technical controls, such as access controls and authentication systems, and non-technical controls, such as policies and procedures.
In addition to managing access to sensitive data, agencies also need to ensure that the data is stored and transmitted securely. The governance framework provides the guardrails and guidance for how to make that happen. This is especially important when data is being transmitted over networks or through the cloud. Governments often use encryption and other security technologies to protect sensitive data in transit, and it may also implement additional controls, such as monitoring and detection systems, to ensure that the data remains secure.
Oversight of Data Governance Measures
The role of oversight and accountability is oftentimes overlooked with respect to data governance. Government agencies need to ensure that they have processes in place to monitor and review the management of sensitive data, and they need to hold individuals, teams, and entire organizations accountable for any breaches or failures to follow appropriate controls. Organizations in this context may be other agencies, contractors, or industry partners. This can include regular audits and assessments, as well as the implementation of penalties and sanctions for those who fail to comply with governance frameworks. This could also take the approach of producing metrics that attest to the adherence to certain controls and ensure that visibility into these metrics is provided to those who need it.
In addition to the technical and operational aspects of governance frameworks, there are also legal and regulatory considerations that need to be considered. Governments need to ensure that they are complying with relevant laws and regulations when it comes to the handling of sensitive data, and they may need to implement additional controls or procedures to meet these requirements. This can include issues such as data privacy, data retention, and data sharing.
Overall, governance frameworks are essential tools for government agencies and public sector entities to manage sensitive data effectively and securely. By providing a set of guidelines, processes, and controls, these frameworks can help governments to detect and respond to potential threats, manage access to sensitive data, and ensure that the data is stored and transmitted securely. This isn’t just about security, though, it’s about adhering to the expectations laid out by those the government agencies serve: members of the public. By implementing robust governance frameworks, governments can protect their citizens and their own operations from the risks associated with sensitive data.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: