<Insert Picture Here> The Elements of a Data Governance Program: People, Practices, Policies and Technology

Transcription

1 <Insert Picture Here> The Elements of a Data Governance Program: People, Practices, Policies and Technology Joseph Alhadeff, VP Global Public Policy, Chief Privacy Strategist, Oracle Victoria/Privacy and Security/2012

2 The Roadmap The next frontier The Issues/Lessons of TAS 3 The accountable organization/governance, Canadian Style Focus on Technology in support of Compliance The Whole is greater than the sum of the parts

3 Global Data Flows/Big Data The Digital Economy and Information Society have enabled business to distribute functions across geographies (payment processing, credit verification, customer service, support, data centers, follow-the-sun service models) New services are driving even more increased information flows and customers may enter the system across multiple channels/devices, from many jurisdictions, and in multiple roles Consumers as content creators, application developers and publishers Big Data Big Brother OR something really cool and marvelous that happens when you get enough data together (Jeff Jonas) The new continuum Raw data, context, correlation, analytics, actionable information learning and responsible information management over the data lifecycle

4 Continuum: Individual, System, and Ecosystem

5 Privacy question across the generations 2001 HAL: Where is my information? Who controls it? Who has access? How is being used? Who is it being shared with? Who is looking out for my interests? 2012 LIZ* : Do you have an accountable privacy program Organizational policies, practices, technology components Ecosystem? Measurement Continuous improvement *Questions are pan-canadian

6 The Story Addressing today's security and privacy challenges can be summarized as getting the right data to the right people at the right time. Security and privacy challenges can also be summarized as preventing unauthorized access throughout the data lifecycle. This implies simplifying access for the right people while making access by the wrong people cumbersome, expensive and easily detected. Success in this endeavor depends on a combination of people, processes and technology. Technology is designed to facilitate authorized access in a repeatable and auditable fashion, and the systems themselves can be designed to promote data governance in a way that enhances accountability for the organizations that build and manage them. Sun Technical White Paper, Engineering for Data Protection and Accountability, May 2007,

7 Stop looking for the Silver Bullet. Accountability and Governance Policies Procedures Contracts Compliance Technology- Systems Architecture Privacy by Design People Thomas Richard, Data Protection in the European Union, Promising Themes for Reform, European Privacy and data Protection Commissioners Conference, Edinburgh, 24 April

8 Trusted Architecture for Securely Shared Services FP7 Project The collaborative and interactive development of technology, law and policy in support of privacy, security and trust. Technology assures the first hop, law and policy fill ecosystem and value chain gaps

9 Trusted Architecture for Securely Shared Services TAS 3 Contractual and Governance Framework FP7 Project The collaborative and interactive development of technology, law and policy in support of privacy, security and trust. Technology assures the first hop, law and policy fill ecosystem and value chain gaps

10 Benefits of a Coordinated Approach Policies Sticky Policies Technology Legal Requirements Data Hubs, HR, Health Care all facets are relying on information from multiple sources Better understand controls, policies, reliability and requirements related to shared information Clarity of use and security models Source and integrity issues Developing trust to enable sharing

11 Risk Management: Accountable Privacy, Policy and Legal processes User interface Effective preference/profile management as opposed to numbing micromanagement Legal Chain of accountability Individual, system and ecosystem T s and C s Uses privacy limits Security levels, technology Jurisdiction Applicable law Business Need Why is an Essential Driver How is the way you comply Organizational Competence Program organization, oversight and buy in Staffing/resources Practices & Policies Credible response Evaluation and measurement Training, testing and oversight Continuous improvement

12 New Governance Paradigm Responsible Information Management Stewardship of information Transparency Controls Proof/Audit/Testing Information Lifecycle Training Learning Organization Oversight Compliance Incident management Disaster recovery

13 Privacy by Design Not Always Apparent Understand the role of system and ecosystem Privacy also has to be designed into processes and inculcated into people Privacy is a team sport Privacy as enabler not barrier Every compliance requirement is an opportunity

14 Compliance As Opportunity (PIA ) Privacy and security requirements often make you generate system information, review and test controls and develop methods of oversight and reporting How can you use the new information generated How can you better understand your system through analyzing controls and how they work How much will this improve security How can this help you understand your overhead and efficiency to make you more effective Make the reports useful to you as well as oversight function When is less actually more?

15 The Opportunity: 1+1= 3 The new math is not a zero sum game Security and Privacy need to be considered together as mutually reinforcing and can be optimized together. Security and privacy regulation is overlapping in jurisdiction and impact Security and privacy professionals don t always know how to interact or speak the same language New compliance solution for each problem makes no sense 70-80% common solution

16 Compliance Methodology Outline the rule(s) Identify and assemble the team Identify / classify the information Map the information and flows Broad understanding of the technology possibilities Develop polices, practices and procedures Identify needed controls and possible control points Optimize the processes Implement the technology

17 Technology in support of compliance; IDM Canada, Leading by example Pan Canadian Strategy for IDM and Authentication BC claims based IDM Leveraging identity Getting to critical mass SecureKey/FS orgs Federating Credentials eventually Identity What level of trust in the credential, required for the service The New Chokhani/Ford Straw man?? Authenticating the individual to the system and transaction

18 Allocating rights and responsibilities beyond authentication Governance beyond the first hop Once authenticated, how do you associate rights and priviledges Who controls those decisions Are they Application specific How do you accomplish this across domains How do you build in challenges and safeguards? Oversight, audit and investigatory needs???

19 Oracle Solution Flavours Data Masking Identity Analytics Identity Federation Transient Federation Account mapping/linking Attribute Federation Adaptive Access Manager Risk based access control multi factor authentication proactive real-time fraud prevention Entitlements server Apps level security management Policy information/decision Points

20 Questions

21