Every board member of every company is concerned about data breaches. No executive wants to see their logo (let alone their face) on the news next to a major headline about leaked fingerprints or credit card details. However, not many board members understand the technical aspects of securing data. Getting a firm-wide view and grip on data protection is difficult, yet more necessary than ever before. New regulations such as the General Data Protection Regulation (GDPR) make data protection even more complex. It’s no longer just about finding data and making sure it is secure. It’s about capturing the context of data and being able to prove that everything is being done to protect the subject’s data and the rights of the data subject itself.
As Chiara Rustici points out in a recent article:
“If your colleagues who do most of the data collection don’t appreciate it’s who the data is about, not where the data lives that matters for the GDPR, you may end up spending a lot of your cyber security budget to defend data that should not have been collected.”
In this blog post, we’ll outline the steps it takes to get an enterprise data protection program going by leveraging core data governance principles. These steps close the gap between the board, who have a huge stake in getting the right data protection measures in place, and the IT functions who are busy with geo-fencing, masking, and other physical protection measures. These guidelines will form the base for a data protection framework that is ready to support the concept of Crown Jewels, GDPR, and more.
1. Identify Business Data Owners
One of the most crucial changes that data governance brings to an organization is the recognition of data owners within the business (data citizens). It’s these owners that will also play a key role in establishing our data protection program. After all, they are the best source to know what critical data is being stored and processed. There might already be a list of applications in your organization or you might have to ask each data citizen to register each application/data store or data processing activity.
The end result will be a register of all applications, their context, and the data citizens that use them.
2. Define a Taxonomy of Sensitive Data Elements
At the core of the data protection program, you’ll have a taxonomy of critical or sensitive data elements (SDEs): elements such as fingerprints, customer contact information, social security numbers, or employee background checks. It’s from this taxonomy that each data citizen will pick the assets they use within their application or processing activity, together with other pieces of context such as the purpose, location, and more.
In this taxonomy, each SDE will have an assigned classification, for example:
3. Assign Compliance Controls
Based on the assigned data elements and their classification, each governed application will get a policy (i.e. public, internal, confidential) and a risk type assigned. With this assignment comes a set of security and compliance controls, ideally owned and governed by the Data Protection Office(r) (DPO). These controls will be very different for public data than for restricted data. Each control is managed within the governance function together with its expected answer.
By pushing these control questions in questionnaires to the business owners, you can get their assessment of what controls are in place and which ones are lacking. Alternatively, you might want to use your GRC tool for this.
4. Tracking Gaps and Breaches, No Matter How Small
After this exercise, you’ll end up with a baseline view of which applications or processing activities are most at risk and what type of risk is involved. Each item of non-compliance becomes a gap, a data issue where the data owner needs to work with the Chief Information Security Officer (CISO) and security managers to put the right controls in place. This is where the actual protection comes in: what data will we encrypt? What will we geo-fence? What should not be online at all? Do we keep data longer than we should? Where should we ask our users for consent?
Aside from these gaps, we can start tracking data breaches or infractions – no matter how small – per application, so we can start seeing the relations between incidents and the impact they might have on lines of business (LOBs), business owners and risk types. Prevention, in the end, is the ultimate goal.
“… It is also important for organizations to try and spot trends in any data problems that occur, and to not just record issues separately. Otherwise there will be a risk that each incident will be seen as unique, rather than having common root causes – which can then be rectified and solve the entire issue.”
Christine Andrews of DQM GRC.
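As an added example (not from the post and not Collibra’s product code), the following Python model walks through steps 1 to 4 end to end: a register of applications, an SDE taxonomy with classifications, DPO-owned controls keyed by classification, questionnaire answers compared against expected answers to find gaps, and a per-line-of-business heat map of gaps and incidents as input for step 5. All application names, SDEs, classification levels, control names and incidents are constructed for illustration.

```python
from collections import defaultdict
# Classification levels, lowest to highest (level names assumed for this example)
LEVELS = ["public", "internal", "confidential", "restricted"]
# Constructed SDE taxonomy (step 2): each sensitive data element carries one classification
SDE_TAXONOMY = {
    "product_catalog": "public",
    "customer_contact": "confidential",
    "social_security_number": "restricted",
    "fingerprint": "restricted",
}
# Constructed control catalog (step 3), keyed by classification; value is the expected answer
CONTROLS = {
    "internal": {"access_reviewed_quarterly": True},
    "confidential": {"encrypted_at_rest": True, "retention_policy_defined": True},
    "restricted": {"encrypted_in_transit": True, "consent_recorded": True, "geo_fenced": True},
}
# Constructed application register (step 1): business owner, line of business, SDEs used
REGISTER = {
    "crm": {"owner": "alice", "lob": "sales", "sdes": ["customer_contact", "product_catalog"]},
    "hr_portal": {"owner": "bob", "lob": "hr", "sdes": ["social_security_number", "fingerprint"]},
    "website": {"owner": "carol", "lob": "marketing", "sdes": ["product_catalog"]},
}

def classify(sdes):
    """Highest classification among the SDEs an application registers (policy level)."""
    return max((SDE_TAXONOMY[s] for s in sdes), key=LEVELS.index, default="public")

def required_controls(level):
    """Controls accumulate upward: a restricted app must also meet confidential and internal ones."""
    required = {}
    for lvl in LEVELS[1:LEVELS.index(level) + 1]:
        required.update(CONTROLS.get(lvl, {}))
    return required

def find_gaps(app_name, answers):
    """Questionnaire answers vs expected answers: missing or unanswered controls (step 4)."""
    level = classify(REGISTER[app_name]["sdes"])
    return sorted(c for c, exp in required_controls(level).items() if answers.get(c) != exp)

def heat_map(answers_by_app, incidents):
    """Per line of business: open gaps, logged incidents and highest classification (board input)."""
    out = defaultdict(lambda: {"gaps": 0, "incidents": 0, "level": "public"})
    for name, app in REGISTER.items():
        row = out[app["lob"]]
        row["gaps"] += len(find_gaps(name, answers_by_app.get(name, {})))
        row["level"] = max(row["level"], classify(app["sdes"]), key=LEVELS.index)
    for app_name, _description in incidents:  # incidents are (application, description) pairs
        out[REGISTER[app_name]["lob"]]["incidents"] += 1
    return dict(out)
```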
5. Reporting Back to the Board
It will be the responsibility of the data governance council to use the heat maps and KPIs coming out of our continuous collaboration and monitoring efforts to update the board. A 360-degree view of all critical applications and their assets, linked to the lines of business with indications of gaps and risks, will be a huge differentiator in keeping the board well informed at their level. Apply stewardship to this and we have a data protection framework that reflects the living body of our business.
The days when ‘keeping threats outside of your network’ was enough are over. The biggest leaks and risks originate from within an organization. Data is the prize and needs to be protected from within. A proper data governance framework will prove to be the foundation needed for any successful cyber security program.
Koen is responsible for delivering real-world data governance solutions to the problems raised by different regulations such as BCBS239, Solvency II, and GDPR. Before joining Collibra, he worked as principal consultant for Wolters Kluwer Financial Services and Financial Architects on Basel, Compliance, and Solvency projects worldwide.
© 2020 Collibra. All Rights Reserved.