In this episode of Celero Spotlight, Celero’s Chief Information Security Officer, Matt Laba, joins us once again for Cyber Security Awareness Month to chat about data governance best practices.
Learn more about how data governance is an important part of your credit union’s overarching security strategy to keep corporate information protected.
The episode transcript can be found below.
Hi, I’m Jordan Smid, Director of Marketing at Celero.
Welcome back to Season 2 of Celero Spotlight. In today’s episode, we’ll be continuing our cyber security awareness month podcast series by discussing data governance.
Once again, I’ll be chatting with Chief Information Security Officer at Celero, Matt Laba, to hear his expert knowledge on data governance. Let’s dive right in with our first question.
So, maybe you can tell us a little bit about what exactly is data governance?
So, data governance is quite a comprehensive area, you know, any company I’ve been at, it’s a fair bit of effort to do it properly. And really what data governance is, and the program you develop around data governance, you basically need to classify your data, manage your data — and management covers, kind of discovering, tagging, protecting, cleaning up the data — and then also putting in some kind of data loss prevention capabilities within your environment.
So again, the program itself is multiple steps. It’s quite broad, it’s a lot of work, it’s obviously, someone’s got to organize it, but in the end the entire company is involved, because everybody handles data day in and day out, and they need to understand how a company classifies data, the policies around managing it, and just the ongoing processes of cleaning it up and protecting it, you know, day in and day out throughout the year.
So why do credit unions need data governance?
So that’s a great question. The goals of a data governance program, which every credit union and any company in the world should really, you know, think about, is you know, protecting your corporate data, especially confidential and sensitive data.
Back to the data classification schema I mentioned, you really need to understand your confidential and sensitive data, classified properly, and you need to protect that.
And you want to make sure you have minimal data leakage outside of your corporate environment, and obviously you want to protect all of the data from breaches by hackers.
So, why does a credit union need it?
Those are the main things you want to tackle, and in the end if you don’t understand your data, you don’t know how to classify it, and you don’t know what you’re protecting and how you’re protecting it.
There’s a high risk that it can get leaked out, and the company won’t have any idea that’s happening. If you classify it properly — you tag it properly, you put all the right security mechanisms around the more confidential or sensitive data — you have reduced that risk greatly, and that’s really in the end what you want to do and why a credit union needs to take a data governance program seriously.
Look at the people, processes and tools around doing that.
Thanks Matt. So, what are the steps that credit unions should take to properly set up their data governance program?
It’s a great question.
The main thing to do is, again in establishing a program, is develop a high-level strategy — just kind of, what areas you’re going to tackle and how are you going to do it — and put an overall plan in place. And as I mentioned earlier, that plan and that strategy really needs to tackle upfront and before you do anything else, classifying your data.
You need to classify your data (and that could be like, public, versus internal use, versus confidential, versus restricted), and in those different categories you’d actually identify the key data areas of those categories.
For example, credit card data would probably be in restricted or confidential data. You know, personal information around, you know, privacy, people’s SIN numbers, and pay rates and things like that. That needs to be identified as, say, confidential as well. So that’s the very first step. You absolutely have to do that before you do anything else in the program.
Once you’ve done that, then you’ve got to put policies in place — whether it’s data at rest, data in transit, data retention, and data destruction — those are key processes you need to develop as a company, and those will all be, you know, dependent upon again, that classification scheme you’ve put in place.
So, you need to do all that, and doing all that plus the classification, you obviously need to educate and communicate that across the company.
That is important, because again, everybody needs to know this and everybody needs to buy into it, and they need management kind of, driving this so it’s accepted across the company.
Again, it’s a fair bit of work, but once you’ve done it, you know, you’re setting yourself up from a security perspective to reduce the risk of data leakage and data loss to hackers from the outside world.
So, those are the main things that a credit union needs to do. Now on top of all that, a couple of other points: basically through all that, again, we talked about data discovery earlier, you can put tools in place to discover your data and tag it properly based on your classification schema.
Once you’ve kind of discovered your data, your critical data, you know, your sensitive and confidential information, is it in confidential folders or is it wide out in the open? So, you know, part of the discovery and the tools can help you there to protect your data.
So, if you’ve got a bunch of confidential data in open folders, you need to move those or make those folders secured, and you know data protection is important there as well. And data cleanup, again, do you have any old files past data retention policies? Do you have old files that no longer need to be around?
You know, don’t be a hoarder, get rid of that stuff. It’s actually a liability for a company to have files and folders beyond the retention policy dates.
So, say for example, financials beyond seven years, you know, don’t keep it for 20 years, that’s something that should be cleaned out and removed.
So again, all those areas are critical in a data governance program for any credit union.
That’s great advice for a credit union Matt, what is Celero doing to enhance their data governance strategy?
So, we have a 2021 security program underway in which we are tackling multiple security areas based on a security assessment we did earlier in the year.
You know, basically tackling the higher risk areas. Again, data leakage is one of the key areas that we definitely want to tackle to make sure we’ve got all the protection, all the security controls.
Again, the people, processes and tools in place to really protect our data, you know, give our management and our board confidence, give the credit unions’ management and boards confidence that any data that we protect and house in our environment is properly protected.
So, we have again, a multi-phased data governance project within our security program — it’s one of our bigger projects — and basically everything I talked about earlier in the podcast and the questions asked, we are doing all those steps. So we are doing a proper data classification, getting that ratified by management.
Actually, that’s already done. We are putting in all the right tools, we’ve had some tools in for the last few years, we are enhancing those tools, we’re making better use of the tools to do the (like I said earlier), the discovery, the tagging and the protection and automating all that. We’re also putting alerting and monitoring in, and auditing in, so we can track all the events going on.
So, if someone actually enters and puts a file with credit card data in a folder that’s not protected, we’ll get an alert or, you know, an email monitoring that situation and then we can react to it.
And again, the last step we’re doing is a data loss prevention tool (DLP tool), so we will put a DLP tool in the environment, based again, on those data classification criteria, probably again, the sensitive and confidential information. And make sure data in those categories is not leaving the company, so we will stop it and we will, you know, react to it and follow up on someone trying to send it out.
Now, there might be valid cases and those need to go through, but for the most part we want to make sure that no confidential or sensitive information is leaving the environment, and we’ll stop that.
And you know, maybe it’s just a reminder and training to the individual, but it could be a real hacker trying to move data out that we are stopping.
So, that’s a bunch of steps that are part of our security projects, and the program this year is quite comprehensive.
We’re well underway, and you know, by the end of this year we intend to have most of the big phase one done, and now obviously that’s an ongoing program year in and year out, so more will continue into 2022.
Great thanks Matt. And if anybody wants to get in touch with Celero to learn about how they can improve their cyber security posture or data governance specifically, what’s the best way to get in touch?
So, the best way to get in touch if you need some help and guidance around your data governance program is to go through your account rep with Celero.
That individual will then contact probably myself, and I’ll bring in the experts on our teams as needed, and we’ll do any kind of consulting advice needed for the credit unions to help guide them down their data governance path.
We’ve already done that with a couple of credit unions, and they’ve appreciated it. It’s been quite helpful, and obviously we’re expecting more requests coming in from other credit unions to help them.
And it’s a complex category where, you know, companies have never tackled something like this before, and they absolutely do need the right guidance and help to develop their strategy and plan.
Excellent, thanks Matt.
We really appreciate hearing from an expert on such an important topic like data governance.
Thank you very much.