
Data and information governance: getting this right to support an information security programme

Presentation from the Jisc security conference 2016

www.jisc.ac.uk



  1. Data and information governance: Getting this right to support an information security programme
     Ruth Robertson, Cardiff University, 1/11/2016
  2. Data and information governance: Getting this right to support an information security programme
     Ruth Robertson, Deputy Director, Governance Team; Data & Information Governance Programme Manager, Cardiff University
  3. The journey
     Information security framework
     Data & information management framework
  4. Information Security Framework: Vision
     The University will operate in a manner where security of information is balanced with appropriate accessibility of that information…. …providing the optimum level of risk management to support the University’s strategic goal of being a world leading institution.
  5. Policies; Roles and ownership; Processes; Defined terms; Tools; Training & awareness; Procedures
     Information Security Framework – protect information assets from threats to confidentiality, integrity and availability
     Data management - control, protect, deliver and enhance the value of data and information assets
     Governance
  6. Data Management Model
     Data Governance; Data Management; Data Architecture; Business Intelligence
     Defined accountability framework, strategy, roles, responsibilities, policies and procedures
     Consistent view of data landscape: definitions, standards, principles and models
     Data Management Principles Information lifecycle management, Shared Data management, measuring and improving data quality, Data management problem resolution
     Capability to use data to inform operations and strategy and to optimise performance
  7. Data Management Principles
     Data is a valuable shared resource
     • Data is a University asset, shared across University functions and organisations for multiple purposes and managed appropriately throughout its lifetime
     Rationale
     • Data is a key strategic resource supporting all of the University functions and must be managed in a fashion that creates most value for the University as a whole
     • Subject to legal and regulatory commitments, data is of most value when it is shared and reused. Protection of the University's data against loss, leakage and tampering is of critical importance.
  8. Changes to roles and responsibilities
     • Information assets > data domains (plus)
     • Information asset owners > Data Leads (plus)
     • Data stewards > System Owners (Business)
     • Data custodians > System Owners (Technical)
  9. Data & information governance goals
     • To define, approve and communicate data management and information security strategies, policies, standards, architecture, procedures and metrics
     • To manage information security risk and resolve data management issues
     • To understand and promote the value of data and information assets
     • To oversee conformance with the above and provide a mechanism to manage necessary exceptions
  10. Governance bodies
     Data & Information Management Oversight Group Senior Information Risk Owner Senior System Owners, University Data Steward & Data Leads Head of IT Architecture Data Architecture Group IT Technical Design Authority University Data Steward Membership Categories & Entitlements Group Senior Systems Owner (Technical)
  11. Management of information assets
     Data Domains; Information systems; End user devices; People
     Responsible owners: Data Leads; Senior System Owners (Technical & Business); Colleges/Schools/Depts; Individual members of staff; Human Resources; Line managers
     Types of security controls applied:
     • Classification; data use principles; permitted use policy, processes and procedures
     • Technical design and configurations; access control policy, processes and procedures
     • Technical configurations; acceptable use policy, processes and procedures
     • Vetting; training and awareness raising; behavioural policy, processes and procedures
  12. Current state
     • Data & Information Management Oversight – wide scope
     • Getting to grips with roles and applying checks and balances – digital workplace system business owner
     • Developing data model and classifying data as we go
  13. Questions?
