
Why Data Governance Should Include Security Posters in the Hall

May 9, 2012

by David Schlesinger CISSP

At first glance it may not seem apparent that data governance has much to do with security posters in the halls of your enterprise. At second glance it is still not apparent, which is why I am writing this piece. They are connected, and Data Governance can make the posters more effective.

First, Data Governance (with capital letters indicating a formal program in your enterprise) must cover the entire risk landscape to be effective. The risk landscape is your network environment, your web servers, your data centers (or data centres in England) and the equipment carried by the people who will access your information. We are talking about authorized access, not the other kind.

Workers (employees, contractors, outsourcers, and that new guy down in shipping) all have some sort of access authorization to your information. Naturally, there are limits to this authorization and a number of safeguards within your network to keep the bad guys out. That’s well and good. But!

If a worker does something foolish with the computer they carry around, such as downloading a game from the Internet, plugging in a USB stick they found in the parking lot, or even clicking on a link in an email that promised them a chance to win a free set of Elvis Costello CDs, they may have allowed malware onto their computer. Some of this malware is very new, very stealthy, and may not be picked up readily by the resident antivirus program. You see, (truth alert!) antivirus programs are very good but not perfect. In that narrow gap lie Trojans (programs that look like horses), keyloggers (which copy your keystrokes and email them to Elbownia), and resident evil. (Not the movie.)

Resident evil would be a class of malware (“evil programs,” if you did not study Latin) that just sits and watches, taking no action until a specific set of circumstances causes it to make its move. An evil “helper” program in your web browser might only scan your text entry for one specific URL. If you never type it in, the program never does anything. If you do type it in, the program slips in some extra code of its own when you hit the “enter” key, and from then on you are “owned” by another party. They are working on your machine unbeknownst to you. Once there, they can use a great number of tricks to escalate their privileges and steal data.

So it pays to keep the workers informed of computer dangers and to limit their risky and ill-considered behavior. Workers need continual reminding and training, and each new worker needs to learn it all from the start. This is a sustained process that never ends, because new and clever attacks are always appearing. The posters are certainly not sufficient on their own, but they provide a highly visible reminder.

Further, if Governance supports it, the security folks will have the budget to change the posters each month (a good idea), because fresh posters tell all workers that somebody in the company believes this is very important. When the posters stop changing, it signals that the danger is past because management no longer cares. Keep the posters up, keep them changing, and integrate them into an overall Information Governance security training program. Oh, and don’t click on strange email links.


One Response to Why Data Governance Should Include Security Posters in the Hall

  1. Max Gano on May 10, 2012 at 5:26 pm

    Great point, David. We need to cover all three dimensions of governing data: people, process and systems. We often spend too much time focusing on the technology part, the tool-centric touch points. You offer a great example of a simple but effective non-technical control that nicely addresses the people-centric dimension.
