Last Updated on August 20, 2021
Is information governance just a subset of information security? Maybe information governance subsumes security? Or is it a parallel discipline that impacts and interrelates with both security and privacy?
More importantly, how does getting a grip on information governance bolster your cybersecurity and privacy programs, while safeguarding your brand reputation? Conversely, how does inadequate information governance expose brands to significant risk?
To serve up everything you need to might not have known you wanted to know about information governance, we connected with David Gould, Chief Customer Officer at EncompaaS, on a recent episode of The Virtual CISO Podcast. Hosting the show as usual is Pivot Point Security CISO and Managing Partner, John Verry.
Information governance is about what you do with data
“Over the last 24 months, when you go into an organization that needs to begin addressing privacy regulations specifically, you start talking about what you’re doing, and they say, ‘Oh, I should have my information security guys here,’” David relates. “Information security is a part of this. But if you look at information security with privacy and you were to create a Venn diagram, there’s an overlap in the middle. But we’re seeing that security is really focused in on keeping bad guys out, whereas privacy and information governance are doing much more with the data that you have inside the business.”
“You have to assume that you have walls and things to keep people from accessing that data,” clarifies David. “But the data internally is also very risky, in terms of making sure that people who have access to it are only those who should have access to it. As opposed to new collaboration systems, which we’ve seen proliferate, especially during COVID, like Teams and others, where the primary work product that’s been done in the enterprise is being done in those applications. So very sensitive data is being loaded in there, managed in there, discussed in there, and that’s creating a whole new set of challenges from an information governance perspective that we didn’t see even 24 months ago.”
Key attributes of information governance
What are the key operational attributes of information governance, and how do they relate to security and privacy? John enumerates four critical areas:
- Classification, which touches on cybersecurity because some classes of data (e.g., controlled unclassified information (CUI) related to US federal government contracts) trigger special security requirements
- Retention, which may not be a direct InfoSec requirement but certainly has a major impact on the scope of data to be secured
- Data use, which is deeply related to core InfoSec areas like access control and identity management
- Disposition, which like retention has a big impact on security but relates more directly to privacy
If you’re concerned about risks to your brand due to information governance shortcomings, be sure to catch this podcast episode featuring David Gould.