Data governance and the security industry

June 2017 Information Security, Infrastructure, Security Services & Risk Management

So how does all the talk about data governance and data protection impact the security industry? Or does it? Surely these are issues IT departments and risk managers need to take care of; security has enough on its plate already.

Unfortunately, data governance and protection has rapidly become a security issue, not only in terms of IT security, but also physical security. The data physical security operations collect is as sensitive as any other and needs the same protection. Moreover, there are new regulations that impact how security operators can collect, use and store personal data, regulations many are not paying attention to even though they could be in the firing line if something goes wrong.

And let’s face it, something will go wrong. Events of the past months have shown that data security is something very tenuous and there is always someone able to weasel their way into what others consider a secure environment. It’s time the physical security industry steps up to the plate and starts taking responsibility for the data it collects. The rules and plans to follow match those of other companies and departments, even though there may be different types of data collected (in some instances).

We know that the security industry today does more than just collect data; the new trends are about what you do with it through analysis and predictive applications. Unfortunately, the how and why it is collected, stored and protected has also become an issue your security managers need to deal with.

So, with King IV and PoPI addressing data governance, risk and security, Hi-Tech Security Solutions asked what this means in a broad sense for data security in the real world. Instead of taking a look at the intricate details, something many others have done, we look at it from the perspective of a security or operations person who needs to understand their organisation’s responsibilities in this regard.

We asked a range of people with different credentials for their take on data governance. Our interviewees are:

• Claude Schuck, regional manager for Africa, Veeam,

• John Mc Loughlin, MD, J2 Software,

• Neil Cosser, identity & data protection manager for Africa, Gemalto,

• Paul Williams, country manager, southern Africa, Fortinet,

• Sagan Pillay, security solution strategist, CA Southern Africa, and

• Wayne Clarke, MD, Metrofile Records Management.

Hi-Tech Security Solutions: Starting off, what does ‘data governance’ mean?

Claude Schuck, regional manager for Africa, Veeam.
Claude Schuck, regional manager for Africa, Veeam.

Schuck: It means the protection of a company and its customers’ intellectual property. A company has data that is specific to its organisation and it is important to protect that data. In addition, the company’s data and that of its customers can be linked to revenue and that is why the governance around data is so important.

However, if a company is unable to protect its customers’ data, which can include their preferences and their credit card details, the business cost is more than lost revenue.

Data loss and downtime are causing businesses to face public scrutiny in ways that cannot be measured by a balance sheet. The 2017 Veeam Availability Report shows that almost half of enterprises see a loss of customer confidence, and 40% experienced damage to brand integrity, which affect both brand reputation and customer retention. Looking at internal implications, a third of respondents see diminished employee confidence and 28% have experienced a diversion of project resources to ‘clean up the mess’.

Paul Williams, country manager, southern Africa, Fortinet.
Paul Williams, country manager, southern Africa, Fortinet.

Williams: Data governance covers the management and protection of data across the entire ecosystem – from data collection, to its movement through networks, to storage and the eventual destruction of data. Poor management at any stage – for example in emails between colleagues within the organisation – could result in leaks. Local CIOs, CISOs, risk managers and legal specialists are well aware of these risks and are taking measures to secure their valuable data at every stage of the data lifecycle.

Data flowing ‘north-south’ (in and out of the enterprise) is not the only area that requires focus. East-west data flow must also be protected and controlled. For example, when data moves between servers within an organisation, it could be at risk if a malware has been introduced somewhere within the network. Employees collaborating on shared documents or emailing copies of information to each other could also put data at risk without effective protection and governance rules in place.

Sagan Pillay, security solution strategist, CA Southern Africa.
Sagan Pillay, security solution strategist, CA Southern Africa.

Pillay: Data governance refers to a set of comprehensive processes for managing who owns data, who can access data and what they do with it. This set of processes define the availability, integrity and security of data governance and protection. The term is also used in a different context when referring to the governing body that reviews and enforces the controls required to classify and protect the organisation’s sensitive data.

Wayne Clarke, MD, Metrofile Records Management.
Wayne Clarke, MD, Metrofile Records Management.

Clarke: Per King IV, principle 12: “The governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objectives”. King IV further defines information as “all data, records and knowledge in electronic or any other format, which form part of the intellectual capital used, transformed or produced by the organisation.”

Data governance, in our opinion, is therefore the way the governing body of a company governs the information of that company in order to set and achieve its strategic objectives. This places data and information on the board agenda of any company, irrespective of the size.

Hi-Tech Security Solutions: What are the primary elements of a data governance strategy?

Schuck: We approach it as follows:

• Data segmentation – separate company data from the personal data of employees.

• Complete visibility – know where all organisational data is stored.

• Data access – know who is accessing data and ensure that what is being accessed is as planned, even by authorised mechanisms.

• Avoid data loss – manage the resiliency and retention of data, particularly off-site.

• High-speed recovery – ensure data is available and retrievable.

• Unknown capabilities – leverage data to help avoid outages, use it for simulations and as a test bed.

John Mc Loughlin, MD, J2 Software.
John Mc Loughlin, MD, J2 Software.

Mc Loughlin: The primary elements would firstly be to get a common understanding of what data governance means to your organisation in relation to your operating model, culture and business layout. Your data governance strategy must provide the framework for how data is gathered, stored, accessed, used and protected, while in use, plus the methods by which data is then archived and/or destroyed. You would also need to understand your rationale in having the data and how it will be managed and monitored to ensure compliance to the framework created in your strategy. The data governance strategy can also touch on how it interacts with other policies in the event of a data breach or disaster.

It is our view that organisations cannot continue to apply the same defence principles of the last 15 years to stop the modern day threats and their variations. Research proves that more businesses are being successfully attacked than ever before. Traditional approaches no longer provide enough coverage.

Williams: Effective data governance begins with a full audit of how data moves through the organisation, the categorisation of data by levels of security required and the setting of clear rules about access rights within the organisation, this will vary in different business verticals and the type of data sets in their business, this is known as DLP – Data Loss Prevention. See more information on DLP: http://docs.fortinet.com/uploaded/files/1118/inside-fortios-dlp-50.pdf

Pillay: When defining a data governance strategy, many organisations will embark on a data classification exercise to understand what data is critical or sensitive to both the company and its customers. Often, in the past, this has proven to be a time and cost intensive exercise. In a fast-paced digital transformation age, classification exercises are unable to keep up the with the rate at which organisations expose data to users and consumers through the Internet and mobile.

Therefore, when defining a strategy, the key questions to ask are:

• Who owns the data?

• Where is the data stored?

• What are the methods used to access the data?

• Who can access the data?

• Who should access the data?

• What impact does the data have on the organisation should it fall into the wrong hands?

This is the foundation for establishing the standards and policies to manage the processes and technologies that protect data and manage access to it ensuring only the authorised individual can view data.

Clarke: For most companies today, information is at the core of their business, and managing it effectively is fundamental to their success. Some of the challenges they face include the management of data as it is generated, the archiving of data, and the ease of access to both current and archived information. Effective records and information management (RIM) can enhance operational efficiency, improve customer relationship management and support business development.

Businesses need to organise their records and information like assets, using management systems that are created with the potential value of each asset in mind. The primary elements of a data governance strategy is accountability, protection, availability, integrity, compliance,

retention, transparency and disposal of information.

Hi-Tech Security Solutions: Why is or will data governance be important to PoPI compliance once the legislation is in effect in 2018?

Schuck: PoPI is adding to the pressure to govern data as it drives data compliance and availability. Companies are required to have an effective business continuity plan in place to safeguard data from loss, theft, or compromise.

Complying with PoPI results in a knock-on effect for business continuity as the company must not only ensure that its systems are up and running as quickly as possible, but that its business continuity and disaster recovery plans are cognisant of how data, specifically that of customers, is stored and recovered.

Mc Loughlin: The legislation calls for effective protection of personal information, this is an integral part of a good data governance strategy. Without a sound data governance framework and monitoring of compliance adherence, a business and its responsible people can open themselves up to large fines and in the case of negligence, possible gaol time – now that’s a sobering thought.

Williams: Any company that has not yet done so must start taking the bull by the horns and adapt to the PoPI model which is a framework. In this framework, each business vertical can adapt their data and corporate governance accordingly. They need to start understanding the Act and take a closer look at their existing data governance, data flow and how effectively they are managing, storing and securing the data.

Clarke: One of the key pieces of legislation that will impact data governance in South Africa is the Protection of Personal Information Act (PoPI). PoPI defines personal information as “information relating to an identifiable, living natural person, and where it is applicable, an identifiable, existing juristic person”. A person is further defined as “a natural person or a juristic person”.

The way information about any natural or juristic person is governed will have to comply with PoPI once fully in force in 2018. As mentioned above, one of the primary elements of a data governance strategy is compliance. A business’s data governance strategy will therefore have to take into account compliance with the conditions of PoPI. Compliance will require well-established systems, storage facilities and disposal schedules of which few companies have the internal resources to handle.

Hi-Tech Security Solutions: When it comes to data security, what data needs to be protected according to PoPI and what does it mean to be protected or secured?

Schuck: Section 19 of PoPI deals with security safeguards, and says organisations must take appropriate measures to protect personal information against loss, damage or unauthorised destruction and unlawful access or processing. It further states that the responsible party must take measures to identify risks, maintain safeguards, and ensure that these safeguards are continually updated in response to any new threats.

The responsibility therefore lies with the business to keep its security and data protection up to date and to make sure anybody who handles data on its behalf does the same. Additionally, as the responsible party, the onus is on the organisation to ensure its suppliers comply with the requirements of the Act.

Mc Loughlin: Personal information is any piece of information which can identify an individual and which is not available in the public domain. This information will differ from business to business. To say that this information is protected you will need to make sure that you know: where the data is, who is accessing it, and how it is moving in and around your environment. It will not help you to have a fully encrypted hard drive but then have staff send data to cloud sharing services such as Dropbox, or copy the information to unencrypted USB drives. Without visibility on real activity and movement of data by users (operators) of the information, you simply cannot say that all personal information is protected. Encryption is one layer in the protection of data, visibility of information movement is what will protect you.

Neil Cosser, identity & data protection manager for Africa, Gemalto.
Neil Cosser, identity & data protection manager for Africa, Gemalto.

Cosser: The most important aspect is to protect any data that can be used to identify an individual. Protection of this data would include restricting access to it by adding a second factor of authentication to improve and strengthen security levels. Two-factor authentication uses two or more different forms of identity verification – usually something you know (password or PIN) in combination with something you have (smart card or token). It’s an access strategy that provides users with secure access to a network, system or web service, anywhere and at any time.

The simple fact is, no matter how complicated you make it, there is no such thing as a safe static password. A password that does not change carries with it the risk of being hacked as a hacker can easily determine your password using methods like social engineering. Organisations that handle customer data owe it to their customers to add that extra layer of protection and roll-out more robust two-factor methods including one-time passwords. Until this happens, we’ll continue to see regular security breaches at companies that rely on outdated protection methods.

The next priority would be to ensure that when the inevitable happens and an organisation is breached, the data is encrypted thereby rendering the data useless to hackers or unauthorised users. It is unlikely that PoPI will mandate any specific process to secure data, but that being said, the most robust mechanism for securing data in its own right is through encryption itself. Standards like PCI DSS (Payment Card Industry Data Security Standard) mandate encryption and PoPI will point to those standards for direction regarding specific data types.

Finally, encrypted data is only as secure as the keys used to encrypt it. One of the most common mistakes that organisations make is storing the keys where their data resides, which can still expose sensitive information to significant risk. A crypto management platform factors in key management and provides additional trust anchors for encryption keys using hardware security modules.

Pillay: There are eight conditions in PoPI that are compulsory for compliance when processing personal information, namely: accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards and participation by the data subject – that is the individual or entity to whom the personal information relates.

Hi-Tech Security Solutions: How can a company be sure it has secured its data in the age of the Internet where everything seems to be vulnerable?

Schuck: All data that is subject to a cloud or service-provider technology should be encrypted, in fact, encryption should be a fundamental requirement for any organisation considering a cloud solution. A broad rule like this can protect the confidentiality of data that matters, but also ensures that the unforeseen sensitive data put into a cloud is also protected.

The biggest challenge that any organisation faces, is controlling data on the end device. How are users, as employees of a company, looking after that data, consuming and storing it? How can a company control the end device and the data stored on it if the employee leaves the organisation? It is the human element. It is easy to manage a central point in terms of data that flows through it, but it is very difficult to manage individuals and control the access they have and don’t have. The endpoint, the user, is the problem.

However, the basic tenets of security remain. Having a security policy in place that is cognisant of devices and reflects accessibility on a per-user level is taking great strides in effectively protecting data. A vital step in any security policy involves user education, if employees do not understand the risks or consequences of losing corporate data, then the best systems in the world mean nothing.

Mc Loughlin: As above, visibility is the only way to make sure that everything is secured. Without real visibility, on and off the network, you are just guessing. In a recent case a senior management member at one of our clients was working with various customer lists – this individual kept the data in the correct folders and never installed a single piece of software. This person simply went to Google and while logged in to their Google account, clicked on the Drive icon and in a matter of seconds did a sync of the entire folder.

If we had not provided visibility to our client, the data would be lost forever and they would have no idea that it was even gone. This would have breached the terms of PoPI legislation and our client would have been blind to the breach. Instead armed with visibility, the data breach was remediated and the offending manager was relieved of duties within an hour.

Cosser: Companies should adopt a data-centric approach to security. Today’s security strategies are dominated by a singular focus on breach prevention that includes firewalls, antivirus, threat detection and monitoring.

But, if history has taught us anything, it is that walls are eventually breached and made obsolete. Security teams need to make a fundamental shift in mentality from ‘breach prevention’ to ‘breach acceptance’. In other words, they believe that a breach is inevitable and, rather than focusing efforts on keeping hackers out of the network, they’re focused on strategies that protect important data once they’re in. This is because hackers are more adept than ever before, and will try all avenues to enter corporate networks.

It’s therefore imperative that a bigger focus is placed on the data that organisations are trying to protect rather than the networking infrastructure used to transport it. Many high profile breaches from the last two years have had damaging consequences for the company affected, and all because customer data was not encrypted. Look at the recent Three mobile hack – hackers were able to gain access to customer data to fraudulently claim over 400 high value mobile handsets. If this data had been encrypted, the company, and the customers affected, would have been safe.

Pillay: Cyber criminals are hard at work finding new ways to intercept businesses data so one can never be sure of protection. However, it is possible to reduce the risk of data breaches by ensuring there is a comprehensive data governance strategy in place. Managing access to data and making sure data is encrypted in transit will reduce risk significantly. It is important that technical processes such as ‘de-identification’ or ‘data masking’ techniques are applied appropriately. In other words, only the intended and authorised user should be able to see the data they are authorised to see.

Clarke: All businesses should perform a detailed data flow of where information is generated (whether physical information or electronic), how it moves through the organisation, where it is stored and how it is destroyed (once the retention period has expired). After this, an assessment of where data could potentially be accessed should be performed. All potential access points should be documented and the necessary controls should be implemented to only allow for authorised access and to ensure that the information can be protected against loss, damage or unauthorised destruction.

Hi-Tech Security Solutions: In general, what advice would you give companies that have not yet started PoPI preparations?

Schuck: Companies must fast-forward to the answer first. They should ask: what is the outcome of the Act, what do we have to provide, what do we have to protect and work backwards from that point.

Most businesses have some form of data protection on hand. Perhaps it is just a tweak of the processes to ensure that data is always available and secure and to make sure that retention policies are in place. The biggest headache is to look after endpoint devices, some organisations have 30 000 users, those organisations will have to tread very carefully to make sure they are compliant.

The traditional way of looking at this would be to simply have backups in place. Yet, these are worthless unless the business can actually restore from them. This necessitates the regular testing of each file and to ensure that backups are encrypted and kept in secure locations whether in the cloud, on premise, or a combination of the two.

This is where the 3-2-1 backup rule comes to the fore which states you need to have three copies of your data, stored on two different media types, with one being offsite. Following this approach, enables the business to take a vital step towards compliance.

Mc Loughlin: I believe that without real visibility of activity you cannot say you are protected or compliant. My first piece of advice is to start – all too often there is so much talking that nothing actually gets done.

Cosser: PoPI may not be rigidly enforceable yet, but companies are like large container ships and do not make quick turns. In order to be ready, companies need to start taking steps now and change their security mindset about protecting customer data.

The signs for taking action are obvious. It’s clear that being breached is not a question of ‘if’ but ‘when’. Companies should move away from the traditional strategy of focusing on breach prevention, and move towards a ‘secure breach’ approach. This means accepting that breaches happen and using best practice data protection to guarantee that data is effectively useless when it falls into unauthorised hands. Traditional approaches to data security do not work anymore, and if companies don’t wake up to this new reality soon, the consumer revolt will come.

Pillay: It is important to engage with a security partner who understands PoPI requirements and will be able to guide the organisation to address the areas of risk identified in the business and ensure compliance with the legislative requirements. Companies may also approach The Information Regulator, this is the body established by the PoPI Act. The Information Regulator runs education programmes for promoting the protection of personal information. It also monitors and enforces compliance by public and private bodies through the provisions of the Act.

Clarke: Effective Records and Information Management is a legal requirement, as well as a key governance aspect. Converting any company’s records and information systems to reach a state of compliance, is a long and expensive process, which is why organisations realistically require a multi-year time frame. That said, it is not impossible for a company to reach a state of compliance within a shorter time frame.

It is key to create a PoPI compliance roadmap. The first step is to start classifying the information that is kept by the organisation. Then, conduct a review of the company’s processes used to collect, record, store, disseminate and destroy personal information. The results of this review should be used to make an initial assessment of where information is at risk or is being duplicated. The next step is to create your company’s PoPI compliance roadmap in order to ensure that your company is ready once the Act is fully in force.



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Understanding the power of digital identity
Access Control & Identity Management Security Services & Risk Management Financial (Industry)
The way we perceive business flourishing is undergoing a paradigm shift, as digital identity and consumer consent redefine the dynamics of transactions, says Shanaaz Trethewey.

Read more...
From the editor's desk: Securing your secure access
Technews Publishing News & Events
      Welcome to SMART Security Solutions’ first print publication of the year, the SMART Access & Identity Handbook 2024. In this issue, we cover various issues relevant to this industry, from digital to ...

Read more...
Access & identity expectations for 2024
Technews Publishing IDEMIA ZKTeco Gallagher Salto Systems Africa Regal Distributors SA Reditron Editor's Choice Access Control & Identity Management Information Security AI & Data Analytics
What does 2024 have in store for the access and identity industry? SMART Security Solutions asked several industry players for their brief thoughts on what they expect this year.

Read more...
International access manufacturer sets up shop in SA
Technews Publishing Access Control & Identity Management News & Events Products & Solutions
The South African security market can always use some good news, and this year, STid has obliged by formally entering the South African market, setting up its main office in the Boomgate Experience Centre in Roodepoort, Johannesburg.

Read more...
What you can expect from digital identity in 2024
Access Control & Identity Management Security Services & Risk Management
As biometric identity becomes a central tenet in secure access to finance, government, telecommunications, healthcare services and more, 2024 is expected to be a year where biometrics evolve and important regulatory conversations occur.

Read more...
Access and identity in 2024
Technews Publishing Gallagher HID Global IDEMIA Ideco Biometrics Enkulu Technologies neaMetrics Editor's Choice Access Control & Identity Management Integrated Solutions
SMART Security Solutions hosted a round table discussion with various players in the access and identity market, to find out what they experienced in the last year, as well as their expectations for 2024.

Read more...
The promise of mobile credentials
Technews Publishing Suprema neaMetrics HID Global Editor's Choice Access Control & Identity Management IoT & Automation
SMART Security Solutions examines the advantages and disadvantages of mobile credentials in a market dominated by cards and fobs, in which biometrics is viewed as a secure alternative.

Read more...
Cloud-based access control systems
Technews Publishing Salto Systems Africa Access Control & Identity Management
Cloud-based access control systems are finding greater acceptance in international organisations than in SA; SMART Security Solutions asked SALTO Systems for its take on the benefits of cloud.

Read more...
Prepare for cyber-physical attacks
Gallagher Information Security Access Control & Identity Management
As the security landscape continues to evolve, organisations must fortify their security solutions to embrace the changing needs of the security and technology industries. Nowhere is this more present than with regard to cybersecurity.

Read more...
Zero Trust and user fatigue
Access Control & Identity Management Information Security
Paul Meyer, Security Solutions Executive, iOCO OpenText, says implementing Zero Trust and enforcing it can create user fatigue, which only leads to carelessness and a couldn’t care attitude.

Read more...