Cybersecurity as a Business Enabler

How to Select and Implement the Best Framework to Govern Expanding Data Volume

By Robert Wood, April 5, 2023 (6 min read)

Throughout my cybersecurity career, I’ve worked closely with teams aiming to collect more data and break into new markets that require different types of data. These pursuits have led to in-depth conversations about the risks of more data versus the rewards of the market opportunity.

One thing from those experiences has become clear: To mitigate the risk in today’s data-driven world, prioritizing data governance and security is a must. Of course, data governance and security is made more challenging by the increasing complexity and volume of data.

That’s where frameworks come in: Providing a structured approach to managing data governance and security, ensuring organizations have the necessary policies, procedures, and controls to manage their data assets effectively, intentionally, and with less overall risk.

In this analysis, we’ll explore different data governance and security frameworks, look at how to choose the proper framework for your organization, and walk through a proven methodology to implement a framework. My goal is to prep security teams to effectively evaluate and handle the emerging challenges their organizations face around data.


Frameworks for Data Governance and Security

There are several frameworks, aligned with both data governance and security requirements, that organizations should explore. (It may be worth noting that almost every type of technical work has a corresponding standard framework.) Here are a few frameworks pertaining specifically to governance and security:

  • International Organization for Standardization/International Electrotechnical Commission 27001 (ISO/IEC 27001): This standard is a globally recognized framework for managing information security. It systematically manages confidential or sensitive information, including financial information, intellectual property, and employee details. It includes a risk management process that helps organizations identify and manage risks to their information assets.
  • The National Institute of Standards and Technology (NIST) Cybersecurity Framework: The NIST Cybersecurity Framework is a voluntary framework, unlike industry-specific frameworks such as the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI-DSS). It provides guidelines for organizations to manage and reduce cybersecurity risks. It includes five core functions: Identify, Protect, Detect, Respond, and Recover. The framework is designed to be flexible, adaptable, and scalable to meet the needs of different organizations.
  • The Center for Internet Security (CIS) Controls: The CIS Controls are a prioritized set of actions that organizations can take to improve their cybersecurity posture. The controls provide a roadmap for implementing cybersecurity best practices and are designed to be flexible and adaptable to different organizations.
  • Control Objectives for Information and Related Technology (COBIT): COBIT is a framework for the governance and management of enterprise information technology. It provides comprehensive controls, processes, and policies for managing information and technology assets. It also includes a governance framework to ensure the organization’s information technology (IT) strategy aligns with its overall business objectives.

As the details above indicate, there are numerous applicable frameworks and this list is far from exhaustive. Many security and privacy frameworks touch loosely on data governance while simultaneously addressing related processes and technologies. All of this noise makes it challenging to figure out what “right” means. We’ll explore that exact question in the next section.


3 Factors In Choosing a Framework

Choosing the right framework for your organization can be challenging. This is not only because there are so many choices, but also because there isn’t any gold standard; even buyers of your products or services often use or reference different standards. Here are some factors to consider:

  • Industry-specific drivers: Organizations in regulated industries may need to comply with specific rules or standards, such as HIPAA or PCI DSS. Choosing a framework that aligns with the relevant regulations is critical in these cases. Suppose you’re operating in an industry that manages consumer data, and you’re not aligned with the associated privacy rules like the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). In that case, violations can result in financial penalties or attention from auditors.
  • Organizational size and complexity: Larger organizations may require more comprehensive frameworks, while smaller organizations may need more straightforward frameworks that are easier to implement. An example might be moving from SOC Type 2, a security-focused compliance standard with minimal control areas, to HITRUST, which is more robust and comprehensive.
  • Real and opportunity cost: Building on the point above, you need to think hard about adopting an optional framework that is going to require a lot of work to align with. This can be beneficial from a go-to-market and risk management standpoint, but you have to consider what other work you’re giving up when making this choice. Everything is a balance.

4 Steps to Implement a Framework

Once you’ve chosen a framework, the next step is to implement it. Your framework’s particular requirements will naturally drive the work of implementation. Here are critical steps to follow:

  • Assess current practices: Assess your data governance and security practices to identify areas for improvement. This may involve conducting a risk assessment, reviewing policies and procedures, and interviewing stakeholders. Finding all those places where you’re already partway there will help you avoid duplicative work, so you can simply document and map existing work to the framework and focus on the remaining work that isn’t yet done.
  • Define policies and procedures: Use the framework to develop policies and procedures that align with your organization’s needs. This may include defining data classification, access controls, incident response, and data retention policies.
  • Train and spread awareness: Ensure employees are trained on the new policies and procedures to understand their responsibilities and comply with the framework. Training and building awareness are essential elements of distributing the workload.
  • Monitor and improve: Continuously monitor and improve your data governance and security practices to ensure that they remain effective. This may involve periodic risk assessments, reviewing policies and procedures, and incorporating stakeholder feedback.

Concluding Thoughts

Frameworks and compliance can sometimes be considered dirty words. However, they can help organizations identify risks, develop policies and procedures, and ensure data is managed effectively and securely. By choosing the proper framework for your organization, tailoring it to your specific needs, and implementing it effectively, you can ensure that your organization’s data is well-governed and secure.

Remember, implementing a framework is not a one-time project but an ongoing process that requires continuous monitoring and improvement. By prioritizing data governance and security and adopting a structured framework, you can manage your data assets effectively and mitigate the risks of data breaches and cybersecurity threats.



Robert Wood

CISO
Executive Branch Agency

Areas of Expertise
  • Cybersecurity

Robert Wood is an Acceleration Economy Analyst focusing on Cybersecurity. He has led the development of multiple cybersecurity programs from the ground up at startups across the healthcare, cybersecurity, and digital marketing industries. Between experience with startups and application security consulting, he has both leadership and hands-on experience across technical domains such as the cloud, containers, DevSecOps, quantitative risk assessments, and more. Robert has a deep interest in the soft skills side of cybersecurity leadership, workforce development, communication, and budget and strategy alignment. He is currently a Federal Civilian for an Executive Branch Agency and his views are his own, not representing that of the U.S. Government or any agency.
