Posted on 22-Dec-2015
Information Security for the Data Management Professional
Micheline Casey
Chief Data Officer, Federal Reserve Board
Agenda
• Governance, Privacy, and Data Security
• Balance of Power: Enabling while Protecting
• Data Security Management
• Data and Security Organizational Alignment
• New Areas of Focus in Data Security
Why Should You Care?
Explosion of data and analytical possibilities
Really, really smart bad guys
Increasing pressures to share data across ecosystem
Regulatory compliance
- Confusion over what is allowable
- Conflicting laws and rules
Requirement to minimize business risk
Increasing privacy and ethics requirements (esp. around big data uses)
Complexity in technology environment - cloud, BYOD, big data
The data security governance rules are business rules that security and technology professionals help us implement!
Can We Predict if We Don’t Have all the Information?
Governance, Privacy, and Data Security
Governance is the exercise of authority, control and shared planning over the management of data assets.
- Decision making rights, responsibilities, accountabilities, stewardship
Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others.
- Many laws that govern and protect
- Use-control oriented
Data security management is the planning, development, and execution of security policies and procedures to provide proper authentication, authorization, access, and auditing of data and information assets.
- Business rules drive the planning and development of policies and procedures
- Technology controls execute those policies and procedures
Balance of Power: Enabling While Protecting
As data management professionals and business leaders, you still need to support the organizational mission:
- Programmatic and business unit goals
- Policy and decisioning goals
- Risk management and compliance goals
Ensure the authorized act appropriately: privacy*
Keep the unauthorized out: security*
* Framing from the Decentralized Information Group (DIG), part of the Computer Science & Artificial Intelligence Lab at the Massachusetts Institute of Technology.
Data Security Management
Source: Data Management Association International, DM-BOK 2009
Inputs: Understanding Your Environment
What are the business goals?
What are the business requirements?
What are the business rules?
What is the regulatory environment? - binds what you can and can’t do with data
Understanding the organizational risk landscape
- Not all risks are created equal; it can be costly to assume they are
- Internal, across business partners, at rest, in motion
Finally: Ethics is important as well - just because you can doesn’t mean you should!
Data Management Lifecycle - Supports Usage
Systems Development Lifecycle Control Points - Supports Design
Inventory of PII
Outputs and Deliverables: Enabling and Protecting Your Environment
Data and Security Touchpoints: Organizational Alignment
• Business and data governance council coordinate policy and process
• CPOs and Legal provide insight and oversight on data privacy legal and regulatory requirements
• CIOs and CISOs implement technology control points
(Diagram: IT, Legal and Business each feed a shared Body of Policies and Processes)
New Areas of Focus in Data Security
Policy and Process
- Support common data management and data governance frameworks to improve data quality, data integration, information sharing
- Big need for alignment and coordination of federal and state laws and policies
- Organizations need consistency in data sharing agreements
Technology Research
- Data element level work necessary
- Meta level tagging will be increasingly important
- Real-time consent will be increasingly important and can leverage ICAM (identity, credential and access management) and mobile technologies
- How can technology support the governance and policy aspects?
Information Accountability
“When information has been used, it should be possible to determine what happened, and to pinpoint use that is inappropriate.”
Weitzner, D. J., Abelson, H., Berners-Lee, T., et al., “Information Accountability,” Communications of the ACM (Jun. 2008), 82-87.
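The deck defines data security management as authentication, authorization, access and auditing driven by business rules, calls for element-level tagging and real-time consent, and closes with Weitzner's accountability principle: after the fact, it should be possible to see what happened and pinpoint inappropriate use. The following Python is an added example, not the deck's or the Federal Reserve Board's code. It tags each data element with a classification and the purposes the business rules permit, enforces purpose-based authorization with per-subject consent, writes every decision to an audit log, and then runs an accountability review over that log. The tag vocabulary, roles, consent map, and the audit entries in `demo()` are all constructed for illustration.

```python
"""Element-level tags, purpose-based authorization, and an accountability review
over the audit log (added example; the tag vocabulary, roles and consent data are
constructed for illustration)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ElementTag:
    classification: str          # "PII" or "internal"
    allowed_purposes: frozenset  # purposes the business rules permit for this element


# Constructed element-level tags: one tag per data element (the deck's "meta level tagging").
TAGS = {
    "ssn":     ElementTag("PII",      frozenset({"fraud_investigation"})),
    "email":   ElementTag("PII",      frozenset({"service", "marketing"})),
    "balance": ElementTag("internal", frozenset({"service", "analytics"})),
}

# Business rule: which purposes each role may claim. Constructed.
ROLE_PURPOSES = {
    "analyst":      {"analytics"},
    "agent":        {"service"},
    "investigator": {"fraud_investigation", "service"},
}

# Per-subject consent; stands in for a real-time consent service. Constructed.
CONSENT = {
    "subject-1": {"service", "fraud_investigation"},
    "subject-2": {"service", "marketing"},
    "subject-3": {"service"},
}


def authorize(role, element, purpose, subject, consent=CONSENT):
    """Technology control that executes the business rules. Returns (allowed, reason)."""
    tag = TAGS.get(element)
    if tag is None:
        return False, "unknown element"
    if purpose not in ROLE_PURPOSES.get(role, set()):
        return False, "role may not claim purpose"
    if purpose not in tag.allowed_purposes:
        return False, "purpose not permitted for element"
    if tag.classification == "PII" and purpose not in consent.get(subject, set()):
        return False, "no consent for purpose"
    return True, "ok"


def record_use(log, user, role, element, purpose, subject, consent=CONSENT):
    """Authorize a use and append an audit entry whether or not it was allowed."""
    allowed, reason = authorize(role, element, purpose, subject, consent)
    log.append({"user": user, "role": role, "element": element, "purpose": purpose,
                "subject": subject, "allowed": allowed, "reason": reason})
    return allowed


def pinpoint_inappropriate(log, consent=CONSENT, bulk_threshold=3):
    """Accountability review: re-evaluate every recorded use against the current rules.

    Returns (index, kind, reason) findings for: denied attempts; uses logged as allowed
    that would not be allowed now (consent withdrawn, or a path that bypassed the
    control); and one user's allowed PII uses spanning bulk_threshold or more subjects.
    """
    findings = []
    subjects_per_user = defaultdict(set)
    for i, e in enumerate(log):
        now_allowed, reason = authorize(e["role"], e["element"], e["purpose"], e["subject"], consent)
        if not e["allowed"]:
            findings.append((i, "attempted", e["reason"]))
            continue
        if not now_allowed:
            findings.append((i, "revoked_or_bypassed", reason))
        tag = TAGS.get(e["element"])
        if tag is not None and tag.classification == "PII":
            subjects_per_user[e["user"]].add(e["subject"])
    for user, subjects in subjects_per_user.items():
        if len(subjects) >= bulk_threshold:
            findings.append((None, "bulk_pii", f"{user} used PII of {len(subjects)} subjects"))
    return findings


def demo():
    """Constructed audit trail; returns the accountability findings."""
    consent = {k: set(v) for k, v in CONSENT.items()}   # private copy so the demo is repeatable
    log = []
    record_use(log, "alice", "agent", "email", "service", "subject-1", consent)                    # allowed
    record_use(log, "alice", "agent", "ssn", "service", "subject-1", consent)                      # denied by element rule
    record_use(log, "bob", "analyst", "email", "analytics", "subject-2", consent)                  # denied by element rule
    record_use(log, "carol", "investigator", "ssn", "fraud_investigation", "subject-1", consent)   # allowed
    record_use(log, "carol", "investigator", "email", "service", "subject-2", consent)             # allowed
    record_use(log, "carol", "investigator", "ssn", "fraud_investigation", "subject-3", consent)   # denied: no consent
    # A legacy export wrote its own "allowed" entry without passing through authorize().
    log.append({"user": "batch", "role": "analyst", "element": "ssn", "purpose": "analytics",
                "subject": "subject-3", "allowed": True, "reason": "legacy export"})
    consent["subject-1"].discard("fraud_investigation")  # subject-1 later withdraws consent
    return pinpoint_inappropriate(log, consent, bulk_threshold=2)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The upfront control only answers "may this happen now"; the review answers Weitzner's question by replaying each logged use against the rules as they stand today, which is what surfaces the legacy export that never went through the control and the use that became inappropriate once consent was withdrawn. In production the same replay would read the log from a tamper-evident store and the consent state from the live consent service rather than from in-memory dictionaries.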
Thank You!
Micheline Casey, @michelinecasey