Data Governance

What Is Data Governance?

Data governance refers to the set of policies, processes, and technologies that ensure the availability, usability, integrity, security, and compliance of an organization’s data. It is the overarching framework that manages data across its whole lifecycle, from the moment it is created to the moment it is destroyed.

Forms/Types of Data Governance

There’s no single “universal” approach to data governance, and it can take many different forms, including: 

  • Enterprise-wide data governance: This form of data governance applies across the entire organization, addressing all data assets and departments. This is best for centralized control and consistent data practices.
  • Domain-specific data governance: Domain-specific governance focuses on a specific area, like customer data, financial data, or healthcare data. This allows for tailored policies and processes for each domain’s unique needs.
  • Top-down data governance: Top-down data governance is driven by senior management, which establishes the policies and enforces compliance with them.
  • Bottom-up data governance: Bottom-up data governance empowers data stewards and users to participate in policy creation and implementation. This encourages ownership and promotes data usage.
  • Hybrid data governance: Hybrid data governance combines elements of top-down and bottom-up approaches, balancing central control with user involvement.
  • Risk-based data governance: Governance can also vary by methodology. Risk-based data governance focuses on identifying and mitigating data-related risks and prioritizes effort by potential impact, so that resources are directed towards the most critical areas.
  • Policy-based data governance: Policy-based data governance emphasizes establishing and enforcing detailed policies covering all aspects of data management. This provides clear guidelines for everyone.
  • Process-based data governance: Process-based data governance defines standard processes for data handling, from collection to disposal. This ensures consistency and efficiency.

There are also industry-specific forms of data governance, including: 

  • Financial services data governance addresses sector-specific regulations and compliance requirements like KYC and AML.
  • Healthcare data governance ensures compliance with HIPAA and other regulations regarding patient privacy and data security.
  • Retail data governance manages customer data responsibly and complies with privacy regulations like GDPR and CCPA.

We can compare data governance to site management in the construction industry. Data is the building material you work with; data governance, like site management, controls how that material is handled.

Planning and blueprints correspond to clear policies defining how data is collected, used, and stored (the architectural plans). The project manager handles resource allocation, ensuring that the right data gets to the right people at the right time (materials delivered where they are needed). A quality controller on site checks that everything functions as it should (data quality), and the site’s safety protocols correspond to the security measures that protect data from breaches and unauthorized access.

Why Should Businesses Care About Data Governance?

While data governance isn’t itself a cybersecurity discipline, the two are closely intertwined. Here’s why you should care about data governance:

Reason #1: Poor Data Governance Can Lead to Data Breaches

Poor data governance can lead to breaches, exposing sensitive information like customer data and financial records. This can result in fines, regulatory penalties, and compensation costs for affected individuals, not to mention downtime and lost productivity.

Reason #2: Poor Data Governance Means Lost Opportunities

Inefficient data management often results in duplicated data, difficulty accessing information when you need it, and generally poor data quality, all of which hinder productivity and get in the way of serving your customers. On the other hand, unlocking data’s true potential through effective governance can drive innovation, improve decision-making, and generate new revenue streams.

Reason #3: Your Customers Demand It 

Customers increasingly value data privacy and security. Breaches or mishandling of data can severely damage your reputation and brand image. No one wants to do business with a company that doesn’t protect their data responsibly.

Reason #4: It’s the Law 

Laws and regulations set requirements for how organizations must handle data, particularly specific types such as personal information, healthcare data, or financial data. Failing to comply with data privacy regulations (like GDPR and CCPA) through responsible data governance can lead to hefty fines and legal consequences.

Data Governance and Your Broader Cybersecurity Program

The topic of data governance often appears within cybersecurity frameworks, including: 

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

Within the NIST CSF, ID.BE, ID.RM, and ID.RA all make mention of data governance: they encourage data classification, labeling, and security controls based on data sensitivity; emphasize incorporating data security risks into enterprise-wide risk management practices; and promote data protection through access controls, encryption, and data loss prevention controls.

MITRE ATT&CK Framework

MITRE mentions several tactics that involve exploiting poor data governance practices, like credential stuffing and spear phishing attacks targeting specific roles with access to sensitive data.

Center for Internet Security (CIS) Controls

Control 5 – Secure Configuration Management – addresses data classification and categorization for prioritizing security configurations. Control 7 enforces strong password policies and access controls aligned with data governance principles, while Control 14 recommends encryption, data loss prevention, and activity monitoring, which are crucial for data governance goals.

Control Objectives for Information and Related Technology (COBIT)

COBIT’s goal to align IT with business emphasizes aligning data governance with organizational objectives and risk management plans. Domain Deliver, Service & Support (DSS) promotes data security and privacy as key service delivery goals, reflecting data governance principles. COBIT’s Process APO11, which deals with the management of data assets, specifically addresses data classification, access controls, and data quality as part of data governance practices.

International Organization for Standardization (ISO) 27001

Clause 7.3 requires identifying and protecting information assets, which aligns with data governance principles, while Clause 9.1 emphasizes monitoring data access and usage, supporting data governance goals. Clause 10 also highlights the importance of data breach response plans, which benefit from effective data governance foundations.

Related Systems or Technologies

Data governance is complex, and many systems and technologies support or relate to it, including:

  • Identity and Access Management (IAM): IAM defines roles, permissions, and authentication methods for accessing data systems and resources. It’s like the gatekeeper of your data, ensuring only authorized individuals can access specific information based on their roles and responsibilities. 
  • Access Controls: Access controls implement rules and limitations on who can access specific data elements based on their role and authorization level. For example, an employee might have access to their own sales data but not to the company’s financial records.
  • Data Encryption: Data encryption protects sensitive data at rest and in transit using cryptographic techniques. It’s like scrambling a message with a secret code, making it unreadable to anyone without the decryption key. This ensures that even if hackers intercept the data, they can’t understand its meaning.
  • Data Loss Prevention (DLP): Data loss prevention (DLP) monitors and prevents unauthorized data transfers or exfiltration attempts. It keeps an eye on data movement and prevents sensitive information from being leaked or stolen. DLP systems can monitor email, file transfers, and other channels to detect suspicious activity.
  • Security Information and Event Management (SIEM): Security information and event management (SIEM) collects and analyzes security logs to detect suspicious activity related to data access attempts. SIEM systems can collect data from various sources, such as firewalls, intrusion detection systems, and user activity logs, to provide a holistic overview of security events.
  • Metadata Management: Metadata management stores and manages information about data itself, such as its meaning, lineage, and journey. Metadata management helps organizations track the origin and movement of data, ensure its accuracy and consistency, and comply with data regulations.

Related Regulations or Compliance Goals

Numerous regulations require or dictate specific standards of data governance:

General Data Protection Regulation (GDPR)

GDPR requires transparency, control, and security for the personal data of EU citizens. Data governance supports this by helping businesses identify and label personal data so they understand its sensitivity and apply appropriate controls; by providing policies that restrict access to personal data based on roles and authorization levels; and by defining procedures for detecting, notifying, and remediating data breaches.

California Consumer Privacy Act (CCPA)

CCPA grants California residents rights regarding their personal data, which requires data governance for transparency, access, and deletion. Data governance helps companies provide clear information about their data collection, use, and sharing practices, and helps them implement procedures for handling data subject access and deletion requests.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA protects the privacy and security of healthcare data in the US. Data governance establishes procedures for data access, storage, and usage consistent with HIPAA. Data governance policies determine who can access healthcare data and for what purposes, create guidelines to protect data at rest and in transit, and define policies for permissible use and disclosure of data.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS enforces security standards for organizations handling cardholder data. Data governance helps implement access controls, encryption, and intrusion detection systems aligned with PCI DSS.

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF)

NIST CSF provides recommendations for managing cybersecurity risks. Data governance aligns with CSF’s focus on asset management, data protection, and incident response by providing insight into what data you have and where it is stored, implementing security measures based on data sensitivity and risk, and requiring your company to have a plan for identifying, containing, and recovering from data breaches.
