Data Governance: A management solution to privacy issues
Two particularly noteworthy events happened this week around the issue of protecting personal information.
First, Microsoft released the latest Security Intelligence Report, which provides a detailed analysis of current threats to your computer and the personal information contained therein. The full text of this report and more can be found here.
Second, I gave a presentation at the TechEd Europe conference in Barcelona, Spain titled, "Data Governance: A management solution to Privacy issues."
Data Governance is an important concept to consider with regard to privacy. Personal information shared over the Internet fuels so many of today's vital business and public-sector activities. Every day, millions of people use their credit cards to buy products and services online. However, as organizations collect larger volumes of personal information and use it in more diverse ways, they also face greater risks that this data could be leaked, stolen and ultimately misused.
Consider this: At least 162 million records containing personal data were lost, leaked or stolen worldwide in 2007 - a dramatic three-fold increase over the year before. Each new report of a data breach at a company or government agency makes consumers even more worried about identity theft and the privacy of their personal information. This is eroding people's trust in the Internet, and threatening to dampen the growth of online services and commerce. As a result, organizations are under more pressure than ever to protect sensitive data.
Data governance is a strategy for enabling organizations to more effectively manage, protect and use the growing volume of personal information that is entrusted to them. There are two key steps involved: examining the life cycle of personal information within an organization; and choosing a well-designed technology framework to help protect, manage and derive maximum value from that information.
The Information Life Cycle
In order to decide where you need data governance processes and technologies for protecting personal information, it helps to look at how this information flows throughout your organization and is used by various applications and people. Each stage of this information life cycle has particular issues to consider.
The cycle begins with how organizations manage the personal information they collect. To begin with, organizations should only collect the personal information required to provide goods and services to customers. It is important that organizations set clear-cut data privacy policies, make their customers aware of them, and back them with software tools and controls that ensure compliance, both internally and by partners. These policies also should address consumers' desire for more choice and control in how their personal information is collected and used.
As information is stored in different systems and exchanged in various forms, protecting it from a data breach requires another layer of strong controls. Organizations need to consider how they will safeguard the accuracy of data when it is updated, and make sure only authorized people can access sensitive personal information as it gets processed and used throughout the business.
When sensitive information has outlived its usefulness, technology tools that automatically enforce the organization's policies for deleting the data, or securely archiving it after a set time limit, can help further reduce the risk of a data breach.
It's important to note that a whole new life cycle begins each time an organization transfers information from one location to another. This includes actions such as importing data into a spreadsheet from a database for offline analysis, or to a business partner for invoicing or other processing. Organizations need to remain diligent about guarding the privacy and integrity of transferred data. Spelling out the organization's data handling practices in its service-level agreements with third parties is an important step.
Data Governance Technology Framework
With these principles to guide them, organizations can start to build a technology framework for managing and protecting information. To assist in these efforts, Microsoft provides data governance technology and supporting guidance in four key areas:
- Secure infrastructure;
- Identity and access control;
- Information protection; and
- Auditing and reporting
Organizations that handle personal information need a technology infrastructure that protects against malicious software attacks and hacker intrusions from the outside, as well as misuse of data from the inside. Microsoft's Security Development Lifecycle enforces secure design and development practices for all Microsoft products that handle sensitive information and that regularly communicate with the Web. This helps remove vulnerabilities and keep out threats.
At the same time, organizations need to ensure that legitimate users can access information for valid business purposes. Microsoft offers identity authentication tools that control who can connect to an organization's systems, and access control tools that govern what types of information a user can obtain.
Protecting information, wherever it lives or travels, is also vital. Data encryption technologies in Microsoft's enterprise software help keep information safe not only when it's in a database at headquarters, but also on mobile devices, desktop computers and laptops. We also provide rights management tools that control how data is accessed and used at every stage in the information life cycle.
Another crucial requirement for safeguarding information is compliance with internal policies and a growing array of government regulations. Microsoft supports organizations in this important effort with auditing and reporting tools that help automate compliance controls and monitoring to ensure the system keeps working smoothly.
Beyond protecting the security, privacy and integrity of personal information, a well-conceived data governance framework can help boost efficiency and free up resources to fulfill other important organizational goals.
The keys are to understand how information moves through various processes in the organization, and set up appropriate technology controls to protect it at each stage of this life cycle.
Microsoft can help organizations implement data governance policies, processes and supporting technology to maximize the value of personal information while also keeping it private and secure.
When it's approached in this way, data governance becomes more than just a necessity. Organizations can use data governance principles, processes and supporting technology to create greater value-not only in their own operations but also for the people they serve.
--John Howie