Demystifying Data: Understanding Data to Minimise Risk and Reduce Costs
Organisations across the world are rapidly increasing the amount of data that they collect and hold. By 2025, the total amount of data “created, captured, copied and consumed globally” is estimated to increase by 180 per cent over 2020 figures.1https://www.statista.com/statistics/871513/worldwide-data-created/#:~:text=The%20total%20amount%20of%20data,replicated%20reached%20a%20new%20high.
While these rapidly growing data assets can be valuable, not all data is valuable. Rather, as global privacy and data handling laws evolve in complexity, over-retention of data is an increasingly serious compliance risk. Beyond this, over-retention can, over time and at scale, impede business operations and unnecessarily increase an organisation’s costs. That’s why establishing a clear view of the data an organisation holds, and what it needs, is essential to adopting an effective information governance and security posture.
This article explores ways in which data can create risk and how to effectively address that risk.
What is Information Governance and Why is It Important
Information governance (IG) is a discipline of applying and enforcing policies and procedures surrounding the creation, valuation, use, sharing, storage, archiving, and deletion of information. In other words, IG helps establish the authorities, support, processes, capabilities, structures, and infrastructure to enable information to be a useful asset and to reduce liability to an organisation, based on that organisation’s specific business requirements, objectives, and risk tolerance.
The components of an IG framework will be unique to each organisation. Generally, it should include:
- Roles and Responsibilities: Details of the roles required and the point of contact for each role, e.g., Information and Records Manager, Senior Information Risk Owner (SIRO), Data Protection Officer (DPO), and Information Asset Owners/Champions. Data informs and supports the entire business; the responsibility for managing it should be allocated accordingly.
- Policies and Procedures: policy objectives across the data lifecycle must be defined, from collection/creation, through to destruction and supported by clear standards and guidance.
- Controls: policy frameworks will be wholly ineffective unless they are implemented. Where data risks have been identified, controls must be put in place to address those risks. Key control areas include:
- Data classification: data can be classified based on sensitivity level. This can assist in applying standard security controls, retention periods, and support automated solutions such as “Data Loss Prevention” technologies.
- Access controls: the implementation of access controls to limit access and delivery of information to only where required.
- End of life: to minimise the amount of data held, there must be a clear plan for how to identify data that is no longer required and how to dispose of it. This may include guidance and authority required for retention, archiving, and disposal of information. This should be based on legislative and business requirements.
- Disaster recovery and contingency plan: in an environment with increasing risks, proactive planning on how to “fail well” is critical. Define the process of managing data loss, security breaches, incident management, backup and disaster recovery, and business continuity plans.
- Training: a key element of good IG practice is to ensure that the employees receive sufficient training on the company’s IG framework. Not everyone needs to know everything, so arrange training by varying levels of access and responsibility. For example, basic training can be given to all staff, while key teams or people with a high level of access to sensitive information will receive more intensive education.
- Audit and review: once a framework is established and implemented, ongoing audit and monitoring will assist in ensuring controls remain effective and provide a trigger to update or evolve the framework where required.
The steps above support a holistic, risk-based approach to an IG framework, but are by no means all-inclusive. There’s no “one size fits all” approach. Each organisation needs to consider its own context — its own data, its own network and its own users — and perform a thorough review to establish an IG framework suitable for its specific needs.
Furthermore, a holistic IG approach also encompasses key information security considerations. Data management will fall short if data assets are not properly secured. In parallel, effective IG can enhance security outcomes. Appropriate mapping and classification of data will enable security professionals to focus on key assets and apply appropriate information controls according to each data category’s risk level, rather than applying broad information controls for undefined information. Similarly, effective minimisation will reduce the risk surface and help avoid spending resources on protecting data the organisation doesn’t need.
Driven by the promise of better outcomes at lower cost, organisations across the globe are moving from on-premise data hosting to cloud-based service offerings, where data is hosted by a third-party supplier. For example, in April 2022, Microsoft announced that revenue from Azure, its cloud service offering, and other cloud services had grown by 46 per cent in the past quarter. This is on the heels of more than 50 per cent growth between 2020 and 2021.2https://msdynamicsworld.com/story/microsoft-2022-q3-results-cloud-growth-steady-commercial-bookings-strengthen#:~:text=Microsoft%20reported%202022%20Q3%20earnings,services%20revenue%20growth%20at%2046%25.
Migrating to a cloud environment can be onerous. One way in which a sound IG framework can help is by ensuring that only necessary data is migrated. By minimising the data, organisations can also minimise the effort required for migration, including cloud hosting and the risk of fallout in the event of a breach. Organisations considering a shift to cloud should consider the move a prime opportunity to conduct an IG assessment and remediation exercise. This will help identify information that can be securely disposed of prior to the migration and ensure that the migrated data is cleaner, more structured, and properly classified. This initial investment will pay dividends for years to come.
When Moving to Cloud, Don’t Forget the Ground
In addition to ensuring compliance in the cloud, it’s also important to ensure compliance in decommissioning of legacy equipment.
“Decommissioning” is not a defined process and can mean anything from following a structured and documented process of secure disposal, to merely unplugging a server and leaving it in a storage unit, where it may be left forgotten for years. However, copies of data that is no longer of use may still be subject to compliance requirements. In many jurisdictions, there are comprehensive privacy laws that require personal information (PI) to be de-identified or destroyed if it is no longer required.
As such, an effective IG framework will need to cover both legacy data and cloud data, including end of life processes for data and data storage equipment. This awareness is achieved through regular audits and reviews as outlined in an IG framework. These audits also need to include reporting requirements, so the results of the audits are actioned and issues are remediated.
Back Up the Data
“Everyday” data assets should not be the only concern. A key tenet of information security is to have backups of key data and systems, so that essential systems can be easily restored in the event of a security incident. It is not enough to simply have backups; for backups to be effective, they must be up-to-date, complete, and able to support restoration quickly enough to limit the downtime and minimise impact to the business. Comprehensive backup strategies are therefore essential to mitigating data risk.
However, data regulations such as privacy laws will also apply to backups, even if they are offline or stored on legacy media like magnetic tape. As such, backups need to be considered from an IG perspective. What assets should be backed up? How? When? And how long should they be retained? These questions will depend on the local laws. For example, Singapore’s Personal Data Protection Act (PDPA) states that data should only be retained if the purpose for which the PI was collected is still being served, and/or the retention is necessary for legal or business purposes.3https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/the-retention-limitation-obligation—ch-18-(270717).pdf The PDPA itself does not specify a fixed retention period for personal data, as organisations may need to comply with different legal and business requirements. Further, the backup strategy needs to integrate with the archiving strategy and data disposal processes. After all, there’s no point backing up data that isn’t needed and there’s no point retaining backups of data that aren’t required.
There has been a surge of automation developments among backup tools, which enable information technology teams to backup data with minimal involvement. This has enabled data owners to take direct control of backup requirements rather than rely on the IT team. Nevertheless, it is important that the approval mechanism of data backup and data disposal goes through necessary staff to ensure privacy and security compliance. Data custodians might not be aware of the privacy requirements applicable when managing backup settings through the IT ticketing system.
All the steps required to achieve IG benchmarks should be outlined in comprehensive policies with clear objectives, backed by user-friendly standards, processes, and guidelines. This will enable employees to be compliant and helps an organisation demonstrate defensible compliance throughout the business. As part of following best practices, an organisation should also perform regular, proactive assessments to identify risk and inform mitigation steps needed across IG and security procedures. Furthermore, the utilisation of modern tooling is recommended to achieve better results and prevent new build-up of redundant, obsolete, and trivial data. The automation is not only limited to backups but also for automated data classification, data lineage, archiving, and data disposal.
The wave of data migrations from on-premise server systems to on-cloud storage providers has introduced an array of IG challenges. Ensuring that appropriate data classification has been performed prior to the migration will drastically minimise risk. Organisations can build a business case for these projects by adding the costs associated with implementing and updating the IG framework to the overall cloud migration budget. Managing a large cloud infrastructure and securely decommissioning legacy server infrastructure will require time and costs that need to be addressed in a business plan. Note that the costs of implementing an IG framework can relate to both Security and Governance functions and therefore should be supported by stakeholders (and budgets) in both groups.