Data Strategies for the Digital Age

The digital age has forced many companies to alter—and sometimes completely revamp—data governance processes. Learn information management strategies that will help you deal with storage needs unique to the big data era.

Editor’s Note
New Threats, GRC Needs Upend Digital Age Data Governance

Through the course of everyday business activities alone, companies in the digital age generate, store and maintain a sometimes overwhelming amount of “big data.” The digitization trend has forced companies to alter—and sometimes completely revamp—information governance strategies and processes to adapt.

Big data governance obstacles don’t end there, either: A constant threat of data breaches complicates security processes, while regulatory compliance rules require innovative methods to track and analyze information to keep your company on the right side of the law. And, of course, the digital age provides businesses with access to unprecedented amounts of user data, raising ethical questions for corporations that tap into users’ private information for monetary gain.

All is not lost, however. With the right big data governance strategy, companies can make sure their information stays secure and regulatory compliant, while still taking advantage of the digital assets at their disposal. In this handbook, we’ll discuss the latest strategies to help organizations adapt to the increased storage needs, data-specific compliance mandates and security vulnerabilities unique to the digital age.

As information increasingly becomes an organization’s biggest asset, companies must continue to keep a close eye on governance processes to make sure they’re ready for the challenges presented by big data. We hope you find this information useful to help your business implement the latest data governance strategies and thrive in the digital age.

Ben Cole
Editor
SearchCompliance

Big Data Governance
The New Big Data Rules: Five Steps to Digital Information Governance

As data volumes increase exponentially, the speed at which they are created is also accelerating. The amount of data in the digital universe is astounding, with “geobytes” and “brontobytes” replacing terabytes as common data storage measurements. At the same time, governments continue to develop complex data management compliance rules. The SEC’s new Regulation SCI was more than 700 pages. Industrial consortia also continue to write mandatory new rules or update long-existing ones like PCI-DSS. This combination of unprecedented storage needs and expanded compliance regulations makes it very difficult for organizations to get a handle on big data governance, but here are five strategies to help get you started.

Set Objectives

First, organizations must define information governance and its objectives differently. Information governance means nothing to corporate leadership unless it contributes to creating new wealth. After all, that is why companies exist. To succeed, information governance builds and enforces rules for digital information in order to create wealth. That new wealth is created by targeting two enormous baskets of hidden expenditures: the costs of finding data in everyday business and the costs of validating that data as factually accurate.

All of the rules, whether found in official regulations, consortia rulebooks or commercial agreements, exist to achieve one objective: creating data that can be relied upon as the truth. When you connect the dots and show how information governance reduces costs, creates greater net revenues and achieves compliance, executive-level support is more easily achieved.

Bake Governance in From the Start

Second, information governance must be included in the front end of any design process within the business. Ensuring privacy by design has become a popular best practice, but that only embraces one data classification: personally identifiable information. The same principles should apply to all business processes, whether renovating existing governance strategies or designing something entirely new. In the 21st century, every process generates new data that must be governed. Establishing rules in the very beginning creates enormous savings in later cycles because no one has to ask, “What do we do with all of this new data?”

Another, perhaps more meaningful, benefit when moving information into the front end of design is that intense focus is given to how new data will be used toward creating new wealth. Much of the new volumes of data are generated as very granular, observational data that doesn’t require governance, including keystroke monitoring, voice call recordings, application transactions and execution log data. But when we ask how that data improves corporate performance, there can be entirely different design outcomes.

Measure Performance

Third, create the metrics that measure governance performance. Governance requires more than merely having policies and procedures in place and expecting associates and contractors to do the right thing. Enforcement of the rules must be included. That means being able to measure performance and quickly calculate when data is not conforming to the rules.

The metrics must focus on how both machines and human assets perform, especially because compliance risk is very likely to occur within the design of devices and the software applications that run on them. A nonreporting node on a complex system is often a first indicator of a much larger compliance problem, but if the metrics are not being measured, there is little chance to intervene early and limit potential adverse outcomes.

Enforce Your Rules

Fourth, invest in the resources that can, indeed, enforce your information governance rules. In the last two years, numerous major public hacks and system compromises have uncovered that prevent adverse outcomes adverse outcomes. The problem was no one was assigned the responsibility to review and respond quickly. Here is where connecting to the wealth creation objective becomes so important. Information security teams recognized long ago that the hardest part of their work is to investigate and discover the root cause of an adverse event. When that effort can be avoided, enormous cost savings are possible. But the solution has to include having someone ready to review, prioritize and investigate the metrics before the adverse event occurs.

Enforcing information governance rules does not require assigning human resources to endless, tedious reviews of log data. Applications and services can analyze the related log data for purposes. The competitive secret is to leverage those applications and services already in place at most companies to serve a larger agenda that includes information governance rules. Indeed, the Venn diagram overlap between governance and information security is becoming more and more substantial. This is because effective data security achieves much of what information governance is required to deliver: authentic and secure data that can be trusted as an accurate, factual record of a company’s behavior.

Know Your Customer

Surprisingly, for nearly every business, the public sector is the consumer of the largest volumes of its electronic data. Virtually every aspect of any business is subject to regulations that require data in order for the rule of law to be administered: employment practices, manufacturing practices, accounting practices, fleet maintenance, inventory quality control and so on. But most corporate executive teams don’t recognize that new public regulations are intended to better assure that the corporate information systems create and preserve factual records relevant to investigations and enforcement. In other words, each company is required to be the custodian of the data that proves the integrity of its business records.

This is a fundamental shift that has important economic implications. Historically, agencies reacted after the fact: Business records were requested following adverse events that suggested noncompliance had occurred. Companies are now being asked to allow public sector access, sometimes in real time, to ongoing performance data that serves as evidence of compliance. To make that data reliable, agencies are imposing requirements on the systems in which the data is maintained. Spending on e-discovery and lawyers to find records is disappearing rapidly, replaced by front-end information governance investments to ensure data meets public sector demands. And as in all other areas of business, the customer is always right.

These five strategies are being embraced by companies all over the world to secure competitive advantage. They are not easy to implement, but failing to do so could mean costs and expenses that ultimately reduce business value. —Jeffrey Ritter


Information Security and Compliance
As Threats Evolve, Companies Must Re-examine Data Security and Compliance

In the digital age, where cloud usage, bring-your-own-device, Web-enabled applications and big data have become the norm in corporate settings, there are numerous new sources of information risk. Although industry continues to see threats like DDoS attacks that crash systems to make life difficult for system and network administrators, the big draw for hackers continues to be data.

This is evident by many of the largest breaches in the past few years, which often involved data-rich industries such as financial/banking, retail and healthcare. According to Verizon’s 2015 Data Breach Investigation Report, there were significant increases in crimeware use, point-of-sale attacks and incidents using techniques such as RAM scraping—all typically designed to target or steal data. As the threat landscape continues to evolve in response to big data, so have the strategies and technologies designed to keep organizations (and their information) both secure and compliant.

Know Your Data Assets

The first and most important step to data protection in the digital age is to know what information you need to secure. This usually involves three steps: identification (or inventory), classification and tagging.

Identifying data sounds easier than it is, simply because many organizations opt to treat all information equally and implement universal controls across the organization. The practice requires less upfront planning by IT staff, but it can also result in exaggerated security/IT budgets and overworked personnel. A more effective practice is to work with executives and business leaders to identify products and services that are important to the organization. This helps identify sensitive data and the information that most needs protection. Your legal team should also be consulted, because they know which data types may not have a direct impact on the bottom line but still must be governed properly for compliance purposes.

Data classification is an extension of identifying information but goes a bit further to help you organize your data into groups, each of which require unique controls. It also helps establish priorities for particularly sensitive data that should be secured first.

Tagging information or data is often the most difficult of the three processes, considering that not all systems or electronic data lend themselves to being easily marked or labeled. Here are the more common techniques for tagging or labeling data:

■ For database records, create fields that can contain a value denoting the type and sensitivity of the data (i.e., a “PCI” field set to “yes” to mark credit card information).

■ For flat-file documents such as Word or Excel documents, insert a footer that identifies the type or sensitivity of the data. The footer label could be marked “confidential—financial,” or “restricted—intellectual property,” for example. You could also create corporate boilerplates or master template documents that contain a footer description.

The Dual Benefits of Data Protection Tech

Numerous security technologies are available to help protect and manage data, and they are even more effective when you have successfully identified and marked your data. One of the most common technologies on the market is data loss prevention (DLP) systems.

In most cases, DLP products are installed as a perimeter or “gateway” solution near a company’s Internet ingress/egress points. Once deployed, most DLP products use pattern-based techniques to monitor content going to or from the Internet, and they even scan network drives or file shares to identify sensitive data at rest on your network. Many DLP solutions include pre-defined “signatures” to help detect common forms of sensitive information such as credit card numbers, Social Security numbers or source code.

Often, DLP systems allow for custom monitoring techniques that flag data the company identifies as sensitive. Using the custom keyword or code inserted into corporate boilerplates or templates, you can often create search criteria in most DLP systems that will alert you when users are sending data to outside parties without permission. It’s a relatively low-tech tactic but one that is often very effective at preventing corporate documents or intellectual property from being leaked.

Other technology options to consider for protecting your company’s data include the following:

■ Encryption or tokenization products to obfuscate the sensitive data from being seen by anyone other than an authorized user.

■ Identity management and/or privileged access management to ensure that users/employees don’t have ill-gained access.

■ Logging solutions that provide application log for a deeper look at how applications are handling their data.

Data is one of the most important assets a business has in today’s digital world. There are thousands of security products for protecting systems and networks, and the market for products that monitor and secure data is constantly growing. This is largely due to regulations and laws putting more emphasis on data security. The combination of knowing the type of data you need to protect, identifying where it is and implementing specific processes to manage that data will help keep the organization both compliant and secure. —Jeff Jenkins
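
An added illustration, not taken from the handbook or from any DLP product, of the two detection ideas in the article above: built-in pattern “signatures” for card and Social Security numbers, and custom search criteria keyed to the footer labels placed in corporate templates. The label strings follow the article's footer examples; the internal mail domain, function names and sample messages are constructed assumptions.

```python
import re
import unicodedata

# Footer labels taken from the article's examples, stored with a plain hyphen.
CLASSIFICATION_LABELS = ("confidential-financial", "restricted-intellectual property")
INTERNAL_DOMAIN = "corp.example"  # assumption: placeholder for the company mail domain

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Dash variants that word processors substitute for a typed hyphen.
DASHES = dict.fromkeys(map(ord, "\u2010\u2011\u2012\u2013\u2014\u2212"), "-")


def luhn_ok(digits):
    """Luhn checksum: filters out order or tracking numbers that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def fold(text):
    """Normalize case, no-break spaces and dash style so label variants still match."""
    text = unicodedata.normalize("NFKC", text).translate(DASHES).lower()
    return re.sub(r"\s*-\s*", "-", text)


def scan(text):
    """Return (kind, masked_value) findings; raw sensitive values are never returned."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Ranges that are never issued: area 000, 666, 9xx; group 00; serial 0000.
        if area not in ("000", "666") and area < "900" and group != "00" and serial != "0000":
            findings.append(("ssn", "***-**-" + serial))
    folded = fold(text)
    findings += [("label", label) for label in CLASSIFICATION_LABELS if label in folded]
    return findings


def review_outbound(recipients, body):
    """Alert only when flagged content is addressed to someone outside the company."""
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    findings = scan(body)
    return {"alert": bool(external and findings), "external": external, "findings": findings}


# Constructed sample messages (not real data). 4111 1111 1111 1111 is a standard test number.
SAMPLES = [
    (["buyer@partner.example"],
     "Q3 forecast attached. Card on file: 4111 1111 1111 1111\nConfidential \u2014 Financial"),
    (["cfo@corp.example"],
     "Same forecast, internal copy.\nConfidential \u2014 Financial"),
    (["buyer@partner.example"],
     "Tracking 1234 5678 9012 3456, reference 000-12-3456."),
]

if __name__ == "__main__":
    for recipients, body in SAMPLES:
        print(review_outbound(recipients, body))
```

The third sample shows why the checksum and range checks matter: a 16-digit tracking number and an unissuable SSN pattern produce no findings, which keeps the alert volume reviewable.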

Digital Age Mobile Security
Mobile Data Security Ambiguity Raises Unique Governance Challenges

Fairview Health Services has a pressing need to give its workers access to information wherever they are: If the right data doesn’t get to the right person instantaneously, someone could die, said Barry Caplin, vice president and chief information security official for the Minneapolis-based nonprofit healthcare organization.

To ensure that instant access, Fairview has about 3,500 mobile devices deployed through the organization, including both enterprise-issued and employee-owned devices of various brands and operating systems. The number is growing, as more of its 22,000 employees go mobile.

At the same time, Fairview must contend with the significant security concerns imposed not only by its own data privacy standards but by regulatory privacy requirements such as HIPAA as well. But as the organization’s CISO, Caplin knows that 100% security doesn’t exist.

“The perfect solution would be not to be mobile. But that’s not practical,” he said.

Security and compliance challenges are growing as more employers adopt processes that allow mobile devices to perform work tasks. Workers no longer use devices to just check email and their calendars. As devices are used for increasingly complex processes, data becomes more vulnerable to loss. To keep pace, IT and security executives must develop comprehensive mobile security postures and implement stronger technology solutions.

Unfortunately, that’s easier said than done. That’s because organizations must develop high-level ideas that focus on people and processes first, Caplin said.

“There is a lot in security that’s conceptually simple, but the operational, the boots-on-the-ground stuff is very complex,” Caplin said. “We can’t just slap on a solution because if it doesn’t mesh with how people work day to day, then it’s not going to work.”

Establish Appropriate Mobile Use

Caplin has taken a multipronged approach to mobile data protection at Fairview, where clinicians use tablets to share healthcare information with patients and use mobile devices to input clinical data when they visit patients in their homes.

That multipronged approach includes following policies that establish appropriate mobile device data use. For example, employees can’t share patient information via text because it’s unsecured. Employees also receive regular training on these policies.

Caplin uses a virtual interface that keeps the data workers enter onto their computers (whether a desktop or a mobile device) off the actual device. That means, Caplin explained, that if a device gets lost or stolen, there’s no data loss for the organization.

That approach, he admitted, doesn’t work for all his employees, notably the clinicians who provide in-home care. They store data on the devices, which later gets synced, so Caplin layered in encryption, mobile device management, mobile application management and enterprise mobility management tactics.

Despite the trend toward ubiquitous mobility and the growing IT security concerns that come with it, organizations have been slow to adequately address mobile data security. There are various reasons for the trend: Mobile tech advancements put pressure on organizations to adopt them quickly and often without a full security evaluation. Downloading mobile apps without IT approval is also easy and creates plenty of avenues for data to leak.

Then there’s the fact that there has yet to be a major headline-making data breach involving smartphones or tablets.

“It brings the guard down on a lot of enterprises,” Gartner analyst Dionisio Zumerle said.

On the other hand, Zumerle said mobile data security products are maturing as vendors address how to better mesh security measures with user-friendly functionality. Vendors are adding new features such as cloud access security brokers to the market. Organizations are also using advanced IT analytics to detect anomalies in user behavior that could alert them to vulnerabilities.

New Vulnerabilities Created by Modern Mobility

There are certainly plenty of these potential vulnerabilities, according to Nisha Sharma, managing director of mobility at Accenture Digital. Workers could be using apps with little or no security protection, particularly if they’re using apps without any IT review that could introduce malicious code onto their devices. These apps could also be transmitting information on insecure networks.

Then there’s the potential for what Sharma called “data leakage,” where bits of corporate information flow through devices without any corporate knowledge or oversight. These leaks are often through text, screenshots, photos and even audio recordings. Not only do those types of content generally reside in unsecured areas, but IT departments can’t see or track them either, she said.

Getting a grip on how data moves via mobile is a challenge, however, because it’s hard to know how to secure data without visibility.

“IT has no idea that the information is out there on the device,” said Chris Hazelton, research director for enterprise mobility at 451 Research.

Leading executives are working on that, though.

Larry Biagini, CTO at GE, said about half of the company’s 300,000 employees use mobile devices. They use a combination of company- and employee-owned devices, including a mix of tablets, smartphones and smartwatches that run on various operating systems.

“Not unlike everybody else, we do use a mobile device management platform, but that’s table stakes. And we don’t believe it’s the ultimate solution,” he said. “We want to understand what devices people have, how they’re connecting to our network, what apps they’re running, and we want to be able to wipe them remotely.”

Biagini said GE runs regular training and employee education to keep workers informed of what they should be doing to keep data secure. The company also uses technologies designed to protect data without hindering users. Biagini pointed to the fact that workers can securely access internal GE apps with a simple authentication and without going through a VPN because GE’s systems recognize the device.

“We truly believe that the big piece of the solution we need to provide is an API gateway for all types of applications, so you’re not running apps but making requests for services. That way, we can decide who you are, what device you’re on and where you are in the world,” he added.

The strategy is a good balance between the value of a mobile workforce and reducing the security risks that stem from it, Biagini said. Is it foolproof? No, but as Biagini noted, nothing is when it comes to data security.

“It’s where you put the risk bar, that’s what we have to spend a lot of time on,” he said. “And if we can get visibility [and] know what we want to allow based on our risk bar, we get closer to that balance.” —Mary K. Pratt


About the Authors

Jeff Jenkins is a regulatory compliance, information security and risk management expert and currently the director of cybersecurity at Travelport Ltd. Prior to his role with Travelport, Jenkins served in security executive/leadership roles for a number of private and public sector organizations. He currently holds CISSP, CISA, CISM and CGEIT certifications.

Mary K. Pratt is an award-winning freelance journalist based in Massachusetts. Her work has appeared in numerous publications, including newspapers, magazines and trade journals. She currently focuses her coverage on business management and information technology topics.

Jeffrey Ritter is one of the nation’s experts in the converging complexity of information governance, security and the use of digital information as evidence. He advises companies and governments on successful 21st-century strategies for managing digital information. He is currently developing and teaching courses at Johns Hopkins University’s Whiting School of Engineering and Georgetown University Law Center.

Data Governance Strategies for the Digital Age is a SearchCompliance.com e-publication.

Ben Cole | Senior Site Editor
Fran Sales | Associate Editor
Jeffrey Ritter, Jeff Jenkins, Mary K. Pratt | Contributing Writers
Sue Troy | Editorial Director
Linda Koury | Director of Online Design
Neva Maniscalco | Graphic Designer
For sales inquiries: Amalie Keerl | Director of Product Management

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

© 2015 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

