What Is Data Governance, Why Does It Matter, and How Does It Play into CMMC?

By Dana Pickett
Edwards Performance Solutions

Data governance is the process of managing the availability, usability, integrity, and security of the data in enterprise systems, based on internal standards and policies that also control data usage. Effective data governance ensures data is consistent, trustworthy, and used properly. Before we explore its role in CMMC, let’s focus on the basics.

What Is the Point of Data Governance?

Data governance is a set of principles and practices that ensure high quality throughout your data’s complete lifecycle. According to the Data Governance Institute (DGI), it is a practical and actionable framework that helps a variety of data stakeholders across any organization identify and meet their information needs.

How Important Is Data Governance for Your Company?

Data governance is a set of processes ensuring important data assets are formally managed throughout the enterprise. It also ensures trusted information is used for critical business processes, decision-making, and accounting.

What Are Some Core Principles of Data Governance?

The following are certain core principles that drive a successful data governance implementation:

  • Recognizing data as an asset. In any organization, data is the most important asset.
  • Data classification. Organizing data into categories makes it easy to retrieve, sort, and store for future use. A well-planned data classification system makes essential data easy to find and retrieve. This is of particular importance for risk management, legal discovery, and compliance.
  • Data ownership and accountability. In a successful data governance process, data ownership and accountability must be clearly defined.
  • Data retention. This is an important step in helping to protect an organization’s data and avoid financial, civil, and criminal penalties that increasingly accompany poor data management practices.

What Are the Business Drivers for Data Governance?

  • Regulatory compliance. This affects all organizations. At a minimum, every organization needs to comply with its own country’s financial regulations. Then there are regional data privacy regulations — some stricter than others. Noncompliance can end up costing the organization large sums of money as well as bad publicity. This tends to be high on the list of data governance drivers because of the high risks and costs associated with noncompliance.
  • Data-driven decision-making. This is an umbrella for a few drivers, so you might see this simply as “implementing a business intelligence (BI) program.” Other times, you hear about starting data analytics or big data adoption — even improving overall efficiency and customer satisfaction. You should consider all of these under one driver, because they all fall into the idea of knowing the best decisions to make based on your company’s data.
  • Data quality. It all boils down to data quality — the reason why a lot of organizations point to this as the main driver. Even those who want to start a BI program, ensure regulatory compliance, become more efficient, increase customer satisfaction, and so on need to ensure the data is clean and accurate, as well as in agreement with the data quality dimensions that matter to the business.

If you don’t have good data quality, you won’t know that a customer unsubscribed from your newsletters and you’ll continue sending to them. You might overcharge someone, send inaccurate financials to the IRS, mislabel ingredients on a product, incorrectly categorize medical lab tests, or draw inaccurate conclusions from revenue projections. The state of your data quality can make or break everything — and, for this, you need good data governance.

What Is the Importance of Data Governance Within the CMMC Framework?

The concept of data governance is a focal point in the CMMC world. Identifying information as FCI, CUI, or CTI is crucial in knowing how to handle the information at hand and to be able to classify and label it accordingly.

Knowing how to classify your data is key to managing access control. As an example, AC.2.16, a level-two practice, talks explicitly about controlling the flow of CUI in accordance with approved authorizations. Without a clear classification, you cannot know who in your organization is authorized to access CUI, and so you cannot manage their access accordingly.

  • Example 1: When it comes to data classification, companies should know in advance whether a team or SharePoint site will contain CUI data when it is provisioned. The community service team should be open to all personnel, and data about the unit’s volunteer opportunities should be widely shared. However, the unit’s readiness report is probably sensitive information. As such, it needs to be labeled CUI and live in a team site that is clearly marked as such. In other words, the community service team can be labeled public, while the readiness team should be labeled “Readiness – Restricted – CUI.”
  • Example 2: A good data governance policy includes a lifecycle management plan. Periodic reviews or certain events — for example, the end of a contract — should initiate an archiving process that may even include the deletion of the workspace. This eliminates sprawl and can reduce clutter, which in turn also reduces the attack surface of the environment.

Data is a critical asset for every business, and it is a powerful asset when well-governed. Remember, ad-hoc approaches to how you handle your business data are likely to come back to haunt you. Data governance must become systematic as big data multiplies in type and volume and people seek to answer more complex business questions. That means setting up standards and processes for acquiring and handling data, as well as procedures to make sure those processes are being followed. That said, achieving enterprise-wide data governance is not a trivial task. It makes sense to break that initiative down into more manageable steps.

Some things you should consider include:

  • Identifying current and desired data governance levels
  • Focusing on strategic quick wins to build support
  • Building toward the facets of a sound data governance framework or program

Most organizations do not have the people or the expertise to tackle such an important program. Involving a third party with the expertise to map out a data governance framework specific to your business and industry, and to let you decide how mature you would like that program to be over time, is often critical for success.

This article was originally published by Edwards Performance Solutions. Dana Pickett serves as Edwards’ Principal of Cybersecurity and CISO. He is experienced in managing programs with a focus on both business and technical risk management for cybersecurity, audit, privacy, and compliance with diverse requirements. As a member of various task forces for industry and state government cybersecurity, risk management, and compliance initiatives, Dana has proven effective in communicating with executive management, senior executive boards and councils, and audit committees to achieve sponsorship and governance.