While the basics that make up the lifecycle of data management have been around for a very long time, the basics of cybersecurity are new. The following components of data governance are the foundation for these basics:
These fundamental components are often not handled properly because the emphasis is typically placed on innovation and digital transformation rather than on testing and checking. As a result, these components are put in place in case of a crisis.
Ransomware falls under the risk mitigation and issues remediation layer, and data governance is a strong, supportive layer that can help prevent the effects of ransomware. Data governance can do this by meeting the large needs of disaster recovery, business continuity planning, records management, and the retention schedule.
On the disaster recovery layer, data governance helps by governing and controlling the testing of backups. It ensures that the right data is being backed up, that the data is properly evaluated, that the categorization and catalog of that data are in place, and that the asset inventory shows exactly where the data is at any given point, as well as its condition after recovery. This happens through controls that are put in place through data governance.
Business continuity planning is about knowing what needs to remain up and running in the event of a crisis, i.e. the minimum viable operation that allows an organization to continue to do business. The supporting layer of data governance allows organizations to know and categorize which data is essential, at which point in time it is essential, and the function of that data within operations. This classification, and the ability to know how the data traverses storage and networks, is largely done through data governance, lineage, its upstream and downstream capabilities, and maintenance of the health and quality of that data.
Data governance then helps classify more deeply, determining whether something is a record or simply data for an organization. It also assists and supplements the function of the Records Management Office by further defining how the data must be treated as a record instead of just an element of data. This must then be looked at in terms of how it helps in preventing ransomware, and whether proper additional protection is being used for data that has been classified as a record and treated as such, so that those data elements have better storage and backup.
The retention schedule is the decision, based on the industry sector and on legal obligations, about how long a record needs to be kept by the organization. When ransomware hits, it is often kidnapping records that should no longer exist and are past their expiration date. It is inefficient, inappropriate, and illegal for these organizations to keep this data past its schedule. Data governance can support implementing and enforcing these guidelines so that there is a purge at the right time and only the essential data is kept by the organization. This reduces the risk of ransomware significantly: having several pieces in place lessens the impact and ultimately leads to less suffering for the organization as a result of ransomware.
To learn more, watch our 6-part video interview with Shawn Tuma, a foremost expert in the area of cybersecurity.
Ransomware Interview: Part 1 & 2
Shawn Tuma helps businesses protect their information and protect themselves from their information. He represents a wide range of clients, from small to midsize companies to Fortune 100 companies, across the United States and globally in dealing with cybersecurity, data privacy, data breach and incident response, regulatory compliance, computer fraud-related legal issues, and cyber-related litigation.
Having practiced in this area of law since 1999, Shawn is widely recognized in cybersecurity and data privacy law. He is frequently sought out and hired by other lawyers and law firms to advise them when these issues arise in cases for their own clients.