Data and information governance: getting this right to support an information security programme

Data and information governance: Getting this right to support an information security programme Ruth Robertson, Cardiff University 1/11/2016

Ruth Robertson

Deputy Director, Governance Team

Data & Information Governance Programme Manager

Cardiff University

The journey

Information security framework

Data & information management framework

Information Security Framework Vision

The University will operate in a manner where security of information is balanced with appropriate accessibility of that information….

…providing the optimum level of risk management to support the University’s strategic goal of being a world leading institution.

Policies

Roles and ownership

Processes

Defined terms

Tools

Training & awareness

Procedures

Information Security Framework – protect information assets from threats to confidentiality, integrity and availability

Data management – control, protect, deliver and enhance the value of data and information assets

Governance

Data Management Model

Data Management Principles

• Data Governance: Defined accountability framework, strategy, roles, responsibilities, policies and procedures

• Data Architecture: Consistent view of data landscape: definitions, standards, principles and models

• Data Management: Information lifecycle management, shared data management, measuring and improving data quality, data management problem resolution

• Business Intelligence: Capability to use data to inform operations and strategy and to optimise performance

Data Management Principles

Data is a valuable shared resource

• Data is a University asset, shared across University functions and organisations for multiple purposes and managed appropriately throughout its lifetime

Rationale

• Data is a key strategic resource supporting all of the University functions and must be managed in a fashion that creates most value for the University as a whole

• Subject to legal and regulatory commitments, data is of most value when it is shared and reused. Protection of the University's data against loss, leakage and tampering is of critical importance.

Changes to roles and responsibilities

• Information assets > data domains (plus)

• Information asset owners > Data Leads (plus)

• Data stewards > System Owners (Business)

• Data custodians > System Owners (Technical)

Data & information governance goals

• To define, approve and communicate data management and information security strategies, policies, standards, architecture, procedures and metrics

• To manage information security risk and resolve data management issues

• To understand and promote the value of data and information assets

• To oversee conformance with the above and provide a mechanism to manage necessary exceptions

Governance bodies

Data & Information Management Oversight Group

Senior Information Risk Owner

Senior System Owners, University Data Steward & Data Leads

Head of IT Architecture

Data Architecture Group

IT Technical Design Authority

University Data Steward

Membership Categories & Entitlements Group

Senior Systems Owner (Technical)

Management of information assets

Data Domains

• Responsible owners: Data Leads

• Types of security controls applied: Classification; data use principles; permitted use policy, processes and procedures

Information systems

• Responsible owners: Senior System Owners (Technical & Business)

• Types of security controls applied: Technical design and configurations; access control policy, processes and procedures

End user devices

• Responsible owners: Colleges/Schools/Depts; individual members of staff

• Types of security controls applied: Technical configurations; acceptable use policy, processes and procedures

People

• Responsible owners: Human Resources; line managers

• Types of security controls applied: Vetting; training and awareness raising; behavioural policy, processes and procedures

Current state

• Data & Information Management Oversight – wide scope

• Getting to grips with roles and applying checks and balances – digital workplace system business owner

• Developing data model and classifying data as we go

Questions?