For the past decade or so, organizations have taken a growing interest in adopting policies and practices for data governance, often embodied as the hiring of a chief data officer and introducing tools and techniques for ensuring the usability of the corporate information asset. There are different aspects of data governance, but the most significant effort is typically invested in data quality management, metadata management, data cataloging, data accessibility, and other facets of data management.
An interesting byproduct of this raised awareness about data governance practices for data management is a growing recognition of the ways that data policies support lesser-known areas of information creation and use. For example, an emerging area of interest for data governance involves compliance with imposed policies related to data oversight.
One such policy is consent management, which governs how personal data sets are used and is driven by data privacy laws. A related data governance driver is the implementation of data policies that guard against unauthorized exposure of sensitive information, associated with data security and protection. As organizations continue migrating their applications from on-premises platforms to the cloud, data governance mandates also guide data modernization and migration projects to make sure they preserve continuous, correct operation.
All of these data governance topic areas share one common characteristic: the need to impose oversight to prevent negative business consequences that can result from data “mismanagement,” such as missed sales related to incorrect product pricing data, government fines for misusing a customer’s private data, or exposure of corporate intellectual property. Identifying the potential negative business consequences of threats to sound data management practices provides a more robust foundation for the future of data governance. The “governance” of data is really just a component of a comprehensive framework for managing information risk.
If risk is defined as “the potential for uncontrolled loss of something of value,” then we can informally define information risk as “the potential for uncontrolled loss of value as a result of ungoverned information.” This definition easily maps to our examples: unknown loss of revenue resulting from incorrect data, the fines resulting from mismanaged customer consent data, and unmeasured loss associated with exposed intellectual property.
For the purposes of information risk awareness, we can adopt the following definitions:
- A consequence is a measurable effect of some action or situation. For example, a government-imposed fine is a negative consequence of misusing a customer’s private data.
- A vulnerability is a weakness in the environment that can be exploited, or that allows an undesired situation to occur, leading to negative outcomes and their corresponding negative consequences. To continue the example, the absence of a system for managing customer consent is a vulnerability that allows for the misuse of private customer data.
- A threat is anything (event, individual, system, action, occurrence, etc.) that has the potential to exploit a vulnerability and lead to negative consequences.
Risk is a function of threats, vulnerabilities, and consequences. More precisely, an information risk is the probability of a threat exploiting a vulnerability, multiplied by the consequences.
Information risk awareness is a process of identifying where there are potential risks and involves:
- Identifying and cataloging critical corporate information assets.
- Identifying and cataloging data processes.
- Surfacing the vulnerabilities associated with an information asset or data process.
- Determining any potential threats that can exploit the vulnerabilities.
- Identifying and characterizing the loss of value associated with consequences of the threat.
Returning to our example, we might identify “private customer data” as a critical information asset, and the process of extracting customer data and providing it to a trading partner as a critical data process. The inability to validate that a customer has provided consent for data sharing is an identified vulnerability, and the threat is that customers who would not consent to sharing find out that their private data has been shared and alert the government authorities. The consequence of that threat is a fine associated with each customer data exposure.
Note that information risk awareness is not the same as information risk management, nor is it the same as information risk mitigation.
Information risk management involves estimating the overall loss potential associated with each identified threat, and then prioritizing the allocation of resources in relation to the perceived scale of the potential loss. Information risk mitigation is the application of resources to reduce the impact of threats that have already materialized or, better yet, to eliminate the vulnerabilities and consequently eliminate the threat.
Awareness is the first step, and we will continue to explore how data governance can be applied to managing information risk in upcoming columns.