Managing an organization’s data is often one of the most challenging aspects of IT security. In this video, you’ll learn about data governance, data classifications, and data retention policies.
If your organization is collecting data, then there needs to be a set of processes and procedures on how to manage this data. These rules, regulations, and accountability parameters ensure that the data will be used in the right way in your organization.
The person in charge of managing this data governance is the data Steward, this is the person who is responsible for data privacy, for making sure that the data is accurate and ensuring that all of the data remain secure. This is also the person or the group that will decide what type of sensitivity label is going to be associated with this data.
There’s often compliance regulations and laws that have to be followed depending on the type of data that you’re storing and the data governance process ensures that this data will be categorized and managed properly. Usually, there are a set of rules created internally on how to manage this data. And it’s important that everyone in the organization understand how the data should be used properly and how it should be secured.
The data Steward will look through the data and determine what labels are associated with these data types. So we’ll need to identify if the data is personal data, if it happens to be public information, or if this information should be restricted. By identifying these data types, the data Steward can ensure that the data is used properly and the data is secured properly.
Once the data type has been identified, the data steward can then apply the proper rules and procedures for that type of data. For example, there may be compliance laws associated with the data and if it is personal data or something that could be private to an individual and you happen to be in the European Union, it might fall under the GDPR, or the General Data Protection Regulation, which means that the data would be handled differently than if it was public data.
There might also be reasons for retaining data, especially data that might change often. This might even go beyond what is normally done with a daily or weekly backup. Very often the data retention process can save different versions of a file, sometimes over a number of days or weeks.
These data retention policies might also help us if we run into a virus infection. If we know that we’re retaining data at least 30 days old, then we have a window of time or we can discover whether a system may or may not have been infected. And we can roll back to a previous version of known good data.
And the decision for determining what data should be retained and for how long may not be in your hands at all, there may be legal requirements for storing this type of data. For example, in some environments, you have to keep emails for a certain number of years. Some industries require the different data is stored in different ways.
For example, a data type that contains corporate text information may have different rules and regulations than data that might be customers personally identifiable information. It’s important that the security team know exactly what type of data the organization might have, what the data retention policies are for the data, and that the processes are in place to maintain these data retention policies.