{"id":109806,"date":"2022-03-31T10:00:00","date_gmt":"2022-03-31T17:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=109806"},"modified":"2024-04-08T13:47:30","modified_gmt":"2024-04-08T20:47:30","slug":"3-strategies-to-launch-an-effective-data-governance-plan","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/03\/31\/3-strategies-to-launch-an-effective-data-governance-plan\/","title":{"rendered":"3 strategies to launch an effective data governance plan"},"content":{"rendered":"\n

Aware of the potential risks of sensitive data if not managed properly, you\u2019ve undertaken a data discovery process to learn where it\u2019s all stored. You\u2019ve classified this sensitive data\u2014confidential information like credit card numbers and home addresses collected from customers, prospects, partners, and employees\u2014as either non-business, public, general, confidential, or highly confidential. You\u2019ve assessed the risks to better protect it from exposure and the risk of theft or loss. Your next step is to govern your data. But what does that mean and how do you launch a data governance plan?<\/p>\n\n\n\n

Data governance is the process of managing data as a strategic asset<\/a>. This means setting controls around data, its content, structure, use, and quality. Microsoft considers data governance to be the foundational pillar of an enterprise data strategy<\/a>. All the preceding steps\u2014data discovery, data classification, and data protection\u2014are necessary to build your plan. When done right, data governance makes it easier for companies to ascertain their data is consistent, trustworthy, and properly used.<\/p>\n\n\n\n

To avoid those issues, ensure that you govern your data properly. Let\u2019s explore three steps to take when building a data governance plan.<\/p>\n\n\n\n

1. Set lifecycle controls on sensitive data<\/h2>\n\n\n\n

Numerous laws and regulations dictate how long you must retain data and in what circumstances you should delete data. Many privacy laws require that you keep personally identifiable information (PII), such as names, identification numbers, home addresses, and IP addresses, only for as long as it has met its original purpose.1<\/sup><\/p>\n\n\n\n

Under GDPR Article 5(1)(c), the data minimization principle requires entities to process only \u201cadequate, relevant and limited\u201d personal data that is \u201cnecessary.\u201d2<\/sup> GDPR also encourages you to pseudonymize and encrypt this personal information.<\/p>\n\n\n\n

Your organization\u2019s data governance plan should take these data retention requirements into account. Tracking which file is subject to a retention or deletion regulatory requirement manually would be extremely challenging if not impossible. A better approach is to implement ongoing controls to auto-expire personal data or set up automated reminders to review data periodically to assess whether it\u2019s still in use or active. Another option is to have approvals in place before deleting documents to ensure you\u2019re deleting verified personal data and not inadvertently hurting the business by deleting the wrong content.<\/p>\n\n\n\n

2. Operationalize data governance<\/h2>\n\n\n\n

After setting lifecycle controls to manage your company\u2019s sensitive data, it\u2019s time to define strategy and figure out how to operationalize the management of your data governance program. Data governance isn\u2019t a set-it-and-forget-it situation. You\u2019ll need ongoing processes to protect and govern sensitive data.<\/p>\n\n\n\n

However, a company\u2019s approach to data retention and deletion will vary based on the laws of its country and corporate policies. You need to define how often you review, delete, and archive sensitive data. Your company\u2019s Data Governance Officer or legal department can offer guidance on what\u2019s required.<\/p>\n\n\n\n

Automating these ongoing operations can ease the burden of management. One opportunity for automation is auto-labeling of secure documents at different confidentiality levels. If you don\u2019t properly label data as sensitive, you\u2019ll be unable to locate, identify, or successfully govern it. <\/p>\n\n\n\n

3. Manage role-based access<\/h2>\n\n\n\n

A major tenet of Zero Trust<\/a>, a security model that assumes breach and verifies each request, is to allow people to access only the resources that they use to complete their work. Assigning role-based access <\/a>control helps you protect resources by managing who has access to resources, what they can do with those resources, and what resources they can access.<\/p>\n\n\n\n

Develop a detailed lifecycle for access that covers employees, guests, and vendors. Don\u2019t delegate permission setting to an onboarding manager as they may over-permission or under-permission the role. Another risk with handling identity governance<\/a> only at onboarding is that this doesn\u2019t address changes in access necessary as employees change roles or leave the company.<\/p>\n\n\n\n

Instead, leaders of every part of the organization should determine in advance what access each position needs to do their jobs\u2014no more, no less. Then, your IT and security partner can create role-based access controls for each of these positions. Finally, the compliance team owns the monitoring and reporting to ensure these controls are implemented and followed.<\/p>\n\n\n\n

When deciding what data people need to access, consider both what they\u2019ll need to do with the data and what level of access they need to do their jobs. For example, a salesperson will need full access to the customer database, but may need only read access to the sales forecast, and may not need any access to the accounts payable app. It\u2019s about ensuring that people have the right access to the right information at the right time.<\/p>\n\n\n\n

Other questions to ask when building your plan include:<\/p>\n\n\n\n