What is Data Governance? How does it Impact Security?

The availability of data at every touchpoint has enabled organizations all over the world to make better decisions. However, with great power comes great responsibility. The management and protection of data in an organization are of utmost importance in this day and age. A recent data leakage incident reportedly involved the hacking of 770 million email IDs and passwords. Incidents like these underscore the need for strong data governance in organizations.

What is Data Governance?

Data governance is the process of identifying the valuable data in an organization, ensuring its top quality, and adding to its value for the business. In other words, it is the holistic management of data throughout its life cycle in an organization. It is one of the top priorities of organizations because consistent and trustworthy data helps them optimize their productivity and make profitable choices. AI is also being introduced to data governance to support more informed business decisions. There are four pillars of an efficient data governance policy:

Usability: ensuring correctness and consistency of data.

Availability: enabling availability for all business functions.

Integrity: preserving essential qualities of data.

Security: securing information and averting data leakages.

A sound data governance policy addresses all these points and prepares a plan of action accordingly. Data stewards are the ones responsible for implementing the governance policy. They are subject matter experts who understand the role of data across the business functions.

Data Governance Framework

It is essential for an organization to have a framework in place in order to assign roles and responsibilities and thus make informed decisions on enterprise data. A data governance framework helps the organization achieve this. Frameworks can be broadly classified into three categories:

Command and Control: this framework requires a few employees to assume the role of data stewards and take complete ownership of data governance.

Conventional: this framework encourages a large number of employees to voluntarily act as data stewards, while a select few employees serve as critical data stewards with added responsibilities.

Non-invasive: in this framework, everyone dealing with data is a data steward. So, anyone creating or modifying data by any means automatically becomes a data steward.

Essential Elements for Data Governance

An organization can choose to adopt any of these frameworks. However, there are some essential components common to data governance frameworks.

Management Support: management must back the data governance framework as an official policy.

User Engagement: every user interacting with data should be familiar with the data governance policy and should be willing to contribute to it.

Data Governance Council: a formal body to enact and regulate the data governance policy must be present in the organization.

A lot of organizations prefer formulating and practicing their own data governance frameworks. However, there are certain standards like COBIT, ISO/IEC 38500 and ISO/TC 215 that can help in creating a framework.

Asset Information and Classification

There are certain data assets that the company would want to keep confidential under any circumstances, while the disclosure of some information may not harm the organization as much. The latter is the kind of data that is generally classified as ‘public’ by organizations. It is extremely important to be informed about, and understand, the data assets possessed by the company and classify them on the basis of sensitivity and other parameters depending on the business.

Classification of data is the first step in mitigating risk, should a breach occur. Think of this as disaster management in the event of a natural catastrophe. One knows that one's life is the most valuable thing in such an event, and prioritizes it over everything else at that moment. Similarly, if a data asset is compromised, the quick identification of information associated with the asset enables an organization to make informed decisions. An exercise like business impact analysis helps organizations rank their assets based on sensitivity.

Data Ownership and Privacy

Data ownership is a key component of a sound governance plan. Depending upon the data governance framework adopted by the organization, the key data sources are allotted to owners, who in turn are responsible for comprehending the data flow and understanding where sensitive information exists. The next step, after data ownership, is the implementation of data governance structures like encryption and key management solutions.

The structure implemented by the data owner depends on their ability to analyze the sensitivity of the data that lies within their area and come up with the best solution to the problem. This makes it essential for them to understand the data flow and chart out a technical plan of action to mitigate any risk of data loss. Thorough knowledge of the location of sensitive data helps the organization come up with an administrative list of controls that are documented in a formal policy.

Data Security Controls

As important as it is to get a comprehensive understanding of where sensitive data resides in the organization, it is also imperative to ensure that all the technical controls are enacted, monitored and regulated in a timely manner. In order to choose the best control in any given situation, it is very important to know the data states, viz. at-rest, in-motion and in-use. The absence of this knowledge makes organizations go for a one-size-fits-all approach, which results in inefficient data governance.

Another important point the technical policies need to be cognizant of is making sure only authorized personnel are allowed to decrypt data. There are many vendors that help a company with demarcating duties and allowing data governance access to its users. Technology alone may not be potent enough to combat a data breach, so technical controls need to be aligned with the locations of sensitive data and the threats associated with them, in order to achieve data security.

Best Practices of Data Governance

The best examples of data governance are set by the organizations that actually care about it. According to the EY Global Information Security Survey 2018-19, 87% of organizations have an insufficient cybersecurity budget. Despite the budget constraints, 77% of organizations are striving to advance their data governance by fine-tuning their capabilities. Therefore, genuine interest and support from management is a fundamental prerequisite in setting up an efficient data governance policy.

Data governance at a large scale may often become an issue. It is therefore advisable to start small with a pilot project on a set of data that needs to be streamlined from a governance point of view. Once the management is convinced of the value of the data governance activity and becomes heedful of its ROI, a robust governance policy can be proposed to scale up.

It is also necessary to be aware of the multiple tools available in the market to facilitate data governance. For example, an area of data management closely associated with data governance is master data management or MDM, and MDM tools go a long way in defining data types and categories. The usage of such tools is crucial in standardizing and automating the process when undertaking data governance in an organization.

Lastly, everything boils down to the willingness at an individual level. The community of data stewards in an organization should understand the value of data governance and must be committed to improving the quality of data in the organization.


Evan Morris
Known for his boundless energy and enthusiasm, Evan works as a freelance networking analyst and is an avid blog writer, particularly around technology, cybersecurity and forthcoming threats which can compromise sensitive data. With vast experience of ethical hacking, Evan has been able to express his views articulately.
