Data Governance

Monday, January 6, 2025

Proactive Digital Security Practices for the Betterment of SMEs

What is omnipresent in the realm of the digital world? The digital world does not exist without data. Why? Beyond the physical realities of the physical world, entrepreneurs within Canadian SMEs must also coexist with the virtual realities and omnipresence of data in the virtual world. As pieces of information that are collected from multiple sources and stored for reference, analysis and decision-making, data is essentially the raw facts, figures and details that, when properly processed, can provide insights and knowledge1. Data is everywhere: it is the temperatures reading from a meteorological station, the text messages we send and receive, the videos we watch via diverse platforms, the emails we exchange with one another, the material and comments we post on social media, and even our heart rate recorded by a fitness tracker or the results of an ECG stored within a medical device used by a hospital.

Considered basically as the building block of information and knowledge, data is characterized by its nature, forms, types and purposes. Nature: data can be qualitative (descriptive information) or quantitative (numerical values). Forms: data can be produced in many forms such as texts, numbers, images, audio and video contents. Types: data is often categorized as structured (i.e., organized in a predictable format like most databases), or unstructured (i.e., lacking a fixed format, like email content), or semi-structured (i.e., a mixture of both structured and unstructured formats like emails, XML or JSON files). Purposes: when processed and analyzed, data serves various purposes, providing insights that aid in making informed decisions, solving problems, and generating new knowledge. Essentially, data is the raw material that, when correctly collected and handled, transforms into valuable information applicable across numerous fields and applications.

In order for Canadian SMEs to better manage their data, we are offering some guiding steps toward effective data governance. How can entrepreneurs working daily in organizations apply proactive data governance practices for the betterment of their respective SMEs? Substantiated by the know-how synopsized from the elemental ressources2,3,4,5,6,7,8 referenced in the footnotes of this document, this December 2024 Newsletter offers multi-factorial answers to that fundamental question and explains the multilayered practicalities of data governance.

1 Government of Canada. Treasury Board Secretariat Corporate Reports. Government in a Digital Age. 2023 –2026 Data Strategy for the Federal Public Service: Digital Government Innovation Enabling Interoperability. Government of Canada Official Publications. https://www.canada.ca/en/treasury-board-secretariat/corporate/reports/2023-2026-data-strategy.html

2 National Institute of Standards and Technology (NIST). U.S. Department of Commerce. NIST Internal Report—NIST IR 8496, Data Classification Concepts & Considerations for Improving Data Protection. Initial Public Draft, November 2023, 17 pages   https://nvlpubs.nist.gov/nistpubs/ir/2023/NIST.IR.8496.ipd.pdf

3 Harvard University. PrivSec – Information Security and Data Privacy. The Data Lifecycle. Cambridge, Massachusetts, USA. https://privsec.harvard.edu/data-lifecycle

4 Oleg Gusikhin, Slimane Hammoudi & Alfredo Cuzzocrea (Editors). Data Management Technologies and Applications: Conference Proceedings, 12th International Conference, DATA 2023, Rome, Italy, July 11–14, 2023, Revised Selected Papers. Published on the 6th of September 2024, Springer Nature Academic Publisher, German-British Publishing Company, headquarters: London, United Kingdom, 242 pages. https://link.springer.com/book/10.1007/978-3-031-68919-2

5 K. Selçuk Candan & Maria Luisa Sapino. Data Management for Multimedia Retrieval: Knowledge Management, Databases and Data Mining for Computer Science, Software Engineering and Development. Print Hardcover Edition of July 2010 and Online Edition of July 2014, Cambridge University Press, Cambridge, United Kingdom, 500 pages. https://www.cambridge.org/core/books/data-management-for-multimedia-retrieval/F0DCC5CDA740E5ADE1F6E6028A706BA2

6 Harvard University. PrivSec – Information Security and Data Privacy. Data Classification Table – Administrative Examples. Cambridge, Massachusetts, USA. https://privsec.harvard.edu/data-classification-table

7 David Feng, W.C. Siu & Hong Jiang Zhang (Editors). Multimedia Information Retrieval and Management: Technological Fundamentals and Applications. Paperback Edition published on the 15th of December 2010, Springer Nature Academic Publisher, German-British Publishing Company, headquarters: London, United Kingdom, 476 pages. https://link.springer.com/book/10.1007/978-3-662-05300-3

8 Ravi Jay Gunnoo. Cybersecurity Education Compendium: Harnessing Digital Safety Best Practices Across the World. 1st Edition published in Paperback—Large Print Format and e-Book Version. Publication date: the 18th of September 2024. Publishing Company: Amazon Publishing, Seattle, State of Washington, USA, 728 pages. https://www.amazon.ca/CYBERSECURITY-EDUCATION-COMPENDIUM-Harnessing-Practices/dp/B0DF6NPLFS/

Data Governance: Implementation Steps

Implementing data governance goes beyond mere compliance; it is about utilizing data as a strategic asset to foster business growth and innovation. To achieve effective data governance, follow the steps below:

  1. Establish a data governance policy.
  2. Inventory the data, including determining its classification.
  3. Manage the data throughout their lifecycle.

1. Establish a Data Governance Policy: Constitutive Elements

Creating a data governance policy for SMEs is essential to ensure data accuracy, security, and regulatory compliance. This policy encompasses a comprehensive set of rules and guidelines aimed at guaranteeing that an organization’s data is properly inventoried, classified, and managed. It outlines the procedures for handling data throughout its lifecycle, ensuring its integrity, availability, and confidentiality.

What are some of the constitutive elements to include within a data governance policy?

  • Data Governance Objectives: Clearly define the goals of your data governance initiative, its importance and its applicability within your SME, such as improving data quality, ensuring compliance, and enhancing data security.
  • Roles and Responsibilities: Assign specific roles for data governance, including data stewards, data owners, data custodians, IT staff and end users. Ensure everyone understands their responsibilities.
  • Data Standards and Procedures: Establish standards for data collection, storage, usage and sharing. This includes data classification, naming conventions, data formats, and metadata management.
  • Data Quality Management: Implement processes to ensure data accuracy, completeness, and consistency. Regularly monitor and measure data quality.
  • Data Security and Privacy: Define measures for data protection, including encryption, Data masking, anonymization, data loss prevention, access controls, and compliance with privacy regulations like the Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial law such as Quebec Act 25.
  • Data Lifecycle Management: Outline how data will be captured, stored, shared, archived, and disposed of. Ensure data is retained only as long as necessary and disposed according to laws and regulations.
  • Training and Communication: Develop a training program to educate employees on data governance policies and best practices. Regularly communicate updates and changes.

2. Inventory the Data: Meaning and Practical Steps

Defined in a few words, data inventory is the all-inclusive cataloguing of the data resources of an organization. It involves identifying, classifying, and documenting data supplies to ensure proper data management, security and compliance. Creating and maintaining a data inventory consists of several practical steps to ensure that all data assets are precisely tracked and managed. A data inventory helps organizations know what data they have, where it is stored, and how it is used and exploited. Summarized hereunder is how you can develop a comprehensive data inventory:

  1. Identify Data Sources: Start by listing all the sources of data within your organization. This includes databases, file systems, cloud computing storage, applications such as a cloud base CRM or accounting system, source code repository and any other systems where data is accumulated.
  2. Catalogue Data Assets: Create a catalogue of all data assets. For each asset, document strategic details such as:
    • Name and description.
    • Location e.g., physical location, cloud.
    • Data owners or custodians.
    • Data type e.g., structured, unstructured, or semi-structured.
    • Classifications (see below for a complete description)
    • Formats e.g., CSV, JSON, XML, etc.
    • Personal Identifiable Information (PII)

Depending on the size of your organization and the volume of data managed, various tools can automate specific steps of the process. These tools assist in discovering, cataloguing, and maintaining data assets efficiently. They often leverage artificial intelligence and metadata to facilitate the management and control of these assets.

Data ownership is a crucial element of the catalogue, assigning accountability for the control, access, and usage of data. It defines who has the authority to make decisions about data, including who can access it, how it can be used, and how it should be monitored. The custodian is also responsible that the data governance complies with industry standard and government laws, such as the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Act 25.

Another key element of the catalogue is the classification component. Concisely speaking, data classification is the process of organizing data into categories that make it easier to manage, protect and use. This practice helps organizations understand and control their data by assigning labels based on the data’s level of sensitivity, importance and intended usage. The data owner is responsible for this component. Hereafter are the main aspects of data classification:

  • Data risk Management: By assessing the risks connected with their data, organizations can better classify their sensitive information, and implement adequate cybersecurity measures. The risk is often assessed with regards to the following criteria:
    1. Confidentiality—if the data is disclosed, does it have an impact;
    2. Integrity—if the data is not always correct, does it have an impact;
    3. Availability—if the data is not always available, does it have an impact.
  • Data sensitivity level: Data is classified according to its sensitivity and the potential impact of disclosure. Common categories of data confidentiality include:
    1. Public: Information that can be freely shared without risk;
    2. Internal: Data intended for usage within an organization only;
    3. Confidential: Highly sensitive information that requires strict access controls because of privacy. For example: personal data, online banking logging credentials, trade secrets, etc.
  • Data Types: Different data types might have different classification requirements. For example:
    1. Personal Data: Information about individuals that can be used to identify them (i.e., names, residential addresses, phone numbers, social security numbers, etc.).
    2. Financial Data: Information related to financial transactions and bank account details.
    3. Medical Data: Health-related information that must comply with regulations like HIPAA in the US.

In brief, data classification is a foundational component in securing and managing data competently. It helps organizations to prioritize their security efforts, allocate resources efficiently, and ensure fulfillment of governmental, legal and regulatory requirements.

3. Manage the Data: Demarcation and Major Components

Succinctly explained, data management is the practice of storing, organizing and maintaining data to ensure its accuracy, availability and security throughout its lifecycle. This encompasses a variety of processes and activities designed to help organizations make the most of their data assets. Abridged below are the major components of data management:

  • Data Storage: Ensuring that data is stored in a secured and organized manner. This involves selecting appropriate storage solutions such as databases, data warehouses and the appropriate location such as locally, cloud computing storage located in the country or internationally. These decisions should take into account the volume, velocity, variety of data.
  • Data Quality Management: Ensuring the accuracy, completeness, consistency and reliability of data. This involves data cleaning, validation, and enrichment processes to maintain high data quality standards.
  • Data Security: Safeguarding data from unauthorized access, prying eyes, breaches, and other cybersecurity threats involves several key measures. These include configuring restrictive access controls, implementing encryption, anonymization, data masking, data leak prevention, and other cybersecurity strategies to ensure data protection.
  • Data Backup and Recovery: Creating copies of data to prevent loss due to hardware failures, cyber-attacks, or other disasters. Data backup, recovery plans and regular testing ensure that data can be restored quickly and accurately.
  • Data Lifecycle Management: Managing data from its creation through its deletion. This involves setting retention policies, archiving data, and ensuring that data is disposed of securely when it is no longer needed.
  • Data Incident Response: Develop a comprehensive incident response plan (IRP) to quickly address any data breaches or security incidents. This IRP should include steps for containment, eradication, recovery and post-incident analysis.
  • Data Awareness Training: Educate employees about cybersecurity best practices and the importance of protecting data. Regular training sessions can help prevent human errors that could lead to data breaches.
  • Data Monitoring and Logging: Continuously monitor access to sensitive information and users’ activities. Implement logging to track and analyze security events.
  • Data Physical Security: Protect physical access to server rooms and storage devices to prevent theft or tampering.

Effective data management enables organizations to maximize the value of their data, improve decision-making, ensure compliance, and protect against data breaches and cybersecurity incidents. It is a foundational element for any organization that relies on data to operate, innovate and expand its activities.

Understanding Data Life Cycle and Its Typical Stages

Data lifecycle refers to the different stages that data goes through from creation to disposal. Understanding the data lifecycle helps organizations in classifying, managing and protecting data successfully. What are the typical stages of data lifecycle? Here is a synopsis of the typical stages of data lifecycle:

  1. Data Creation: This is the initial stage where data is generated, designed and collected. It can come from various sources such as transactions, sensors, user inputs, surveys, etc.
  2. Data Storage: After data is created, it needs to be stored securely. This involves selecting suitable storage solutions like databases, data warehouses, or cloud computing storage to keep the data safe and accessible.
  3. Data Usage: During this stage, data is accessed, used for numerous purposes and shared. This is where the data provides value to an organization.
  4. Data Maintenance: Regular maintenance activities ensure that the data remains accurate, up-to-date, and relevant. This includes data cleaning, validation and updating records as necessary.
  5. Data Archiving: As time goes by, some data may no longer be actively used but must be retained for compliance or historical reference. Archiving moves this data to long-term storage solutions.
  6. Data Disposal: Finally, when data is no longer needed and has gone beyond its retention period, it should be disposed of securely. This necessitates deleting the data in a manner that ensures it cannot be recovered, thereby protecting sensitive information.

Each stage of the data life cycle requires careful planning and management to ensure data veracity, security and compliance with regulatory requirements. Proper handling at each stage helps organizations make the most of their data assets while minimizing risks.

How Can You Protect Your Data Sharing with External Parties?

Protecting data when sharing with external parties necessitates several beneficial practices to ensure that the data remains secure and confidential. Some effective measures are summarized as follows:

  • Data Sharing Agreements: Establish formal agreements with external parties that outline the terms and conditions for data sharing. These agreements should include confidentiality clauses and specify how the data can be used and protected.
  • Data Encryption: Use strong encryption methods to protect data both in transit and at rest. This ensures that even if data is intercepted, it cannot be read without the encryption key.
  • Access Controls: Implement strict access controls to ensure that only authorized individuals can access the data. Use Role-Based Access Control (RBAC) to limit access based on the user’s role and responsibilities.
  • Data Anonymization or Data Masking: Whenever feasible, anonymize or mask sensitive data prior to sharing. This process includes removing or obscuring details such as Personally Identifiable Information (PII) to minimize the risk of exposure.
  • Regular Audits and Monitoring: Conduct regular audits and monitor data sharing activities to detect and respond to any unauthorized access or suspicious activity.
  • Strong Authentication: Use multi-factor authentication (MFA) to verify the identity of users accessing the data. This adds an extra layer of protection beyond just a password.
  • Data Classification: Clearly classify data based on its sensitivity and implement corresponding protection measures. Ensure that external parties understand the classification and handling requirements.
  • Employee Training: Educate employees and external partners about best practices for data security. Regular training can help prevent accidental data breaches and ensure everyone understands their responsibilities.
  • Incident Response Plan (IRP): Have an IRP in place to respond to data encroachments or cybersecurity incidents involving external parties. This IRP should include steps for notifying affected parties and reducing the impact of the data breach.

By implementing these forward-moving measures, you can significantly reduce the risk of data breaches and ensure that your data remains safeguarded when you share them with external parties.

Conclusion

Implementing data governance is not just about compliance; it’s about leveraging data as a strategic asset to enhance cybersecurity and drive business growth. To achieve effective data governance in the context of cybersecurity, follow the steps hereafter:

  1. Establish a Data Governance Policy: Develop a comprehensive policy that outlines the principles, roles, and responsibilities for managing data securely within your organization.
  2. Inventory Your Data: Conduct a thorough inventory of your data, including its classification, to ensure proper handling, protection, and security measures are in place.
  3. Manage Data Throughout Its Lifecycle: Implement robust data management practices to oversee data from creation to disposal, ensuring its integrity, availability, and security at every stage.

By adhering to the above-mentioned steps, organizations can strengthen their cybersecurity posture, enhance decision-making, and drive innovation.

Resources and References

Contributions

Special thanks for the financial support of the National Research Council Canada and its Industrial Research Assistance Program (IRAP).

Executive Editor: Alan Bernardi et al.

Computer Scientist & Certified Translator-Reviser: Ravi Jay Gunnoo (C.P.T. ISO 17100)

In-Sec-M

283 Alexandre-Taché Blvd Suite F3006,
Gatineau, Quebec
J9A 1L8

info@insecm.ca