<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=162429800880729&amp;ev=PageView&amp;noscript=1">

The Tech Break

9 Data Governance Policies Every Business Needs

Jan 05, 2021 / by Jeremy Rouse

Reviewing Data Governance Policies

The modern age thrives on data, but not every organization is currently equipped to effectively manage and safeguard this critical digital asset. To ensure your privacy and compliance obligations are met without preventing or inhibiting authorized user access, your organization needs a governance framework built on the essential policies discussed in this article 

Why is Data Governance Important? 

Data governance is about more than staying organized. Good data governance policies ensure that your organization’s information assets are formally, properly, effectively, and proactively managed throughout your organization. 

Data governance policies govern all aspects of the data lifecycle: from gathering data to revising and standardizing the information you have collected and organizing that information so that you can use it to gain useful insights into your business and your customers. Good data governance policies ensure that the right person can access the right data at the right time, and effectively balances that access against security, compliance, and privacy concerns. 

The Benefits of Good Data Governance 

By investing time and energy into crafting robust data governance policies to suit your organization’s needs, you can improve your organization’s productivity and efficiency while ensuring compliance and safeguarding sensitive information. 

Data Governance Policies Your Organization Should Have in Place 

An Overarching Structure Policy 

Before you can begin drafting the rest of your data governance policies, you should define your data governance strategy's overarching structure. This blueprint should lay out who your key stakeholders are and make sure they are all actively involved in crafting your new policies. Once you have fine-tuned your policies, you should also ensure everyone knows who is responsible for implementing each policy, how they will go about doing so, and any deadlines or timelines that need to be taken into account. 

By codifying who is responsible for each task, you can help ensure that nothing slips through the cracks and that all necessary steps are taken to ensure your new policies are effectively implemented and followed. 

You should also determine how you are going to communicate your new policies to the rest of your organization, how this information will be distributed, and who will be responsible for educating workers and answering their questions. 

An Access Policy 

Not all employees need access to everything to do their jobs, and overly permissible access poses a security risk. Make sure you have clear guidelines in place for how access is granted, particularity to sensitive data such as financial records or employee files. If an employee requires access to sensitive data as part of their job, you should ensure you have mechanisms in place that track who accessed what and when. 

Occasionally, employees who are not usually granted access to sensitive data may require access (such as an administrative assistant updating employee emergency contact data). In those cases, make sure you have a policy clearly outlining the circumstances under which an employee will be granted temporary access and how you ensure that access is revoked once it is no longer needed. 

One final pillar to consider is your offboarding process. Make sure that you have a formalized and codified process for revoking the credentials of former employees. Even if a former employee is unlikely to act maliciously, those unattended credentials could be used by hackers or other malicious actors to gain access to your system and your data. Since those credentials are not actively being used, you may not realize they have been compromised until extensive damage has already been done.  

Usage Policy 

Your data usage policy is primarily concerned with privacy and compliance and exists to ensure that the data you collect, use, and store is not abused. Legislation such as GDPR and HIPAA have very strict guidelines on how customer data can be used, and non-compliance can have serious consequences. 

This ties into the access policy, since employees, contractors, and other workers should only be able to access data they require to do their jobs. You should also have strict guidelines in place regarding who is able to update data and under what circumstances they are allowed to do so. 

An Integrity & Integration Policy 

Data is only useful if it is accurate and up to date and can be accessed quickly and easily by the relevant employees, contractors, and management personnel across various electronic systems and functional units. 

Data integrity refers to the data's quality, including how valid, accurate, and reliable it is. As the old programmer saying goes: "Garbage in, garbage out." Without accurate, high-quality data, your team doesn't have all the information they need to make key decisions.  

Data integration(the ability for data to be assimilated across information systems) relies on high-quality data and the development of good data models and the corresponding data structures. Making sure authorized users can easily access the data they need, and that the data models and structures they rely on can as well, improves worker efficiency and increases productivity. 

An Architecture Management Policy 

Having a good architecture management policy in place is vital for keeping your team organized. This policy should be used to guide: 

  • The structural specifications of data models 
  • Your methods used for devising those data models 
  • Your standards for selecting and implementing database technologies 
  • Your standards for alternative storage frameworks (such as object representations like XML or JSON) 
  • Your data storage methods and the platforms used for storage 
  • How data is transmitted or shared between authorized users 

Policies Governing Protection, Handling, & Security 

These policies are designed to classify sensitive data and dictate how it is handled. Data should be classified by the level of sensitivity. The more sensitive a piece of data is the more restrictive its access should be, and the more robust its safeguards. You should also determine what those safeguards are and how they will be implemented, as well as how sensitivity is quantified. 

You should also have policies in place laying out how data is to be stored (such as electronic storage vs. paper storage) and protected (such as encrypting sensitive data). Legislation such as GDPR is also very strict regarding what data can be collected, so you should be mindful of any data collection restrictions you need to abide by. 

These policies should also specify a standard of language for both disclosure and data use agreements. 

Entity Management Policies 

These policies are designed to govern entities critical to your business' operations and management, including locations, products, customers, employees, and vendors and may include inventory lists, employee lists, and vendor lists. These policies govern how this information is stored and shared, who can access it, and how different unique entities can be identified (such as using SKU codes or barcodes on products or employee numbers). These policies should be designed to facilitate cross-application cohesion and synchronization so that all relevant users are working from the same set of updated data at all times. 

Provenance Policies 

Data provenance policies are designed to ensure that the source of critical data for compliance purposes (such as clinical trials) can be traced back to the appropriate authoritative sources. The purpose of these policies is to help users reuse data while also ensuring that data is safeguarded from improper use, misinterpretation, or non-compliance with data use agreements. By documenting how data flows through your organization, you can trace information back to its source and see who accessed or altered data between the time it was collected and now. 

Storage & Retention Policy 

Sensitive data needs to be stored correctly and may need to be discarded after a set amount of time as per privacy or compliance regulations. These policies should also specify what technologies are used to store data, and covers which storage formats are appropriate for which types of data (for example, credit card numbers must be encrypted). You should also have policies that dictate how data is deleted and prevent the unauthorized recovery of deleted data. 

Crafting data governance policies can be a large, labor-intensive task, and with so many factors to consider, many organizations find the prospect daunting. That’s why Bird Rock Systemsalong with our trusted partner Galvanize, is here to help. Our experienced teams can help you determine what policies you need and create robust policies and procedures tailored to your unique security, compliance, and privacy concerns. 

Galvanize specializes in policy management, and can help ensure your organization is prepared to handle shifting business priorities while remaining compliant at all times. Their workflow-based enterprise policy management and policy attestation software PolicyBond is designed to author, track, and centrally manage your compliance policies. It also maps regulatory standards, risk frameworks, and business objectives so you can easily access all the information you need to make informed decisions and ensure your team is complying to all data governance policies and works seamlessly with the other products in their HighBond platform. 

Topics: Business, Compliance

Jeremy Rouse

Written by Jeremy Rouse

In 2012, Jeremy Rouse joined Bird Rock Systems as an Security Architect and Virtual CISO. Jeremy has 20+ years working in IT and Security with Blue Chip and DOD industries. Jeremy has a passion for technology, innovation and helping customers develop and mature their cyber security programs. Jeremy is actively engaged in speaking engagements and security events. He is a member of multiple security organizations and holds the following certifications: CISM, CISSP, AWS CSA, MCSE, CCNA, ACE, VCP, ACMP

Lists by Topic

see all

Posts by Topic

see all

Recent Posts