The Prime Minister commissioned the Cabinet Office in 2007 to review and assess procedures for the use and storage of data by and within government departments.
The ultimate goal was to reduce the risk of data misuse and loss, improve the quality of public services and minimize the incidences of theft and fraud, bringing the “right people to the right information.”
While the Data Protection Act and Human Rights Act provides the legal framework for governing data, the Cabinet, HM Treasury and Ministry of Justice set the guidance for managing information and providing assistance to meet those requirements.
However, the ultimate responsibility is with the individual departments and their agencies to enact the appropriate procedures and technologies to ensure these requirements are met.
The findings of the Cabinet Office and the guidance of requirements are delineated in the “Data Handling Procedures in Government: Final Report,” which was released on the 25th of June, 2008.
Who should comply
The report outlines how all departments and agencies that use and store personal data can follow a set of minimum requirements to safeguard their information and demonstrate continued compliance and, by extension, be held accountable to that effort. The Cabinet Office calls on departments to:
- Understand and manage information risk by identifying the key individuals responsible for information assets and setting their responsibilities
- Submit quarterly assessments of the confidentiality, integrity and availability of information
- Conduct mandatory training for all staff involved in handling personal data, with training taking place on appointment and reinforced annually
- Submit Privacy Impact Assessments when introducing new policy or processes that involve the use of personal data
- Submit information risk in Statements on Internal Control, which will be scrutinised by the National Audit Office and through spot checks by the Information Commissioner
- Provide annual reporting to Parliament on progress and the use of Information Charters which provide clarity to citizens about the use and handling of personal data
How unstructured data governance can help
Unstructured data governance provides a framework for meeting the “Mandatory Minimum Measures” as they apply to unstructured data – that is, the contents of file servers.
A comprehensive means for monitoring and protecting unstructured data ensures that access and use of sensitive and important personal data residing on file servers is automatically ratcheted down to need-to-know, and that use of sensitive data is continuously monitored so that organizations have an accurate audit of data use and user access behavior at all times.
In times past, managing file share data has been at worst, impossible, and at best, challenging, because file systems are decades-old technologies that were never intended to police and control access. Native means to control and monitor data use are highly manual and error prone.
Automating the process of managing and revoking data permissions is essential to reducing the risk associated with improper data use. Given the pace at which unstructured data is created, a system of data governance is imperative for organizations to comply with data handling initiatives and to successfully protect their valuable assets.
New innovations are emerging to help organizations gain control of their burgeoning stores of documents, spreadsheets and multimedia files. These software-based systems are helping actualize the tenets of data governance by offering a central means to control and protect unstructured data.
They work by gathering data, accessing event information from directories and file servers and analyzing it to determine rightful access based on business need.
So how do enterprises and organizations establish whether a vendor’s offering is a comprehensive system for data governance and right for them? If a solution is to furnish the means to protect and fully control file share data, all of the following questions must be answered yes.
Does the data governance technology:
- Protect data by recommending removal of overly permissive access controls?
- Restrict unstructured data access to those with a business need for that data?
- Track and monitor every user’s every file touch?
- Re-compute access controls to account for changes in roles and file server contents?
- Identify data business owners?
- Identify the most active data sets?
- Identify unused accounts and stale data sets?
- Provide a full report of data entitlements?
- Scale to support additional file servers and users without network changes?
But what if the approach you are considering only addresses some of the questions above?
The magnitude of the unstructured data protection problem grows exponentially every few months. Anything less than a comprehensive approach to monitor and control data use will not scale and may worsen the complexities of an already very costly and ineffectual effort.
Simply put, unstructured data decision-making, whether it is how to protect, preserve or audit information, cannot be accomplished without a complete framework for monitoring, controlling and restricting data use and access.
Varonis is provider of data governance products and was named a 2007 "Cool Vendor in Data Management and Integration" by Gartner