Each focus area of data protection contains some aspect of risk management, and at times there is overlap with the other two GRC pillars. The areas centered on the risk management pillar are:
- Business continuity, which aims to minimize the disruption of critical business processes.
- Disaster recovery, which, as a subset of business continuity, aims to minimize the impact of a disaster on those processes.
Data security has traditionally focused on threats to data (such as viruses) and on limiting access to it. Through data privacy initiatives it now also covers who may access data and how that data may properly be used, so it sits in all three pillars.
Compliance sits primarily in the compliance pillar, but it also has governance (accountability) and risk components.
eDiscovery is primarily related to the governance pillar, but also has risk and compliance implications.
Data Protection Objectives
Data should meet all six objectives of data protection under each of the three GRC pillars. The four original objectives are preservation, availability, responsiveness and confidentiality; the two newer objectives are auditability and knowledge. All six apply to each distinct pool of data and under each pillar. Preservation of the integrity of data is the bedrock objective: if it is not met, the other objectives cannot be met in one way or another. Assuming preservation is met, availability and responsiveness are the usability objectives. Availability is about I/Os actually reaching the data; responsiveness is about performance, in the sense of response time. Confidentiality is about ensuring that only authorized users can use the data.
These four traditional objectives of data protection have been augmented by two new objectives: auditability and knowledge. Data auditability is the requirement to be able to verify that data is always correct, meaning accurate, consistent, and complete. That has implications for data preservation and for data quality work as well. Data auditability is critical for both compliance and eDiscovery requirements, and it leads to the requirement for a chain of custody to show that the data is authentic, that is, that it hasn't been spoliated (altered, damaged, or destroyed). The data auditability objective is an additional requirement that mainframe environments must take into account.
Data knowledge is the requirement for content awareness. An enterprise must know what data it has at a fine level of granularity. For example, PII such as social security numbers and credit card numbers associated with a name must be found before it can be managed. Data knowledge must also include where the data is. That matters because, for example, the European Union restricts the transfer of personal data across its borders to jurisdictions that don't provide adequate protection.
The data auditability and data knowledge objectives alone require mainframe executives to rethink what data protection requires. Failure to do so could mean unmet requirements and significant economic or reputational consequences.
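The content-awareness step described above, as an added example that is not part of the original article: a small discovery pass over constructed sample records that finds US social security numbers and payment card numbers (validated with the Luhn check digit to cut false positives), links each hit to the name in the same record, and reports where it lives (dataset, record, field) so the inventory can drive location-dependent rules. The record layout, field names, dataset name and sample values are all assumptions made for the illustration; the card numbers are standard test numbers, not real accounts.

```python
"""Content-aware PII discovery over constructed sample records.

Added illustration, not code from the original article. Layout, field
names, dataset name and sample values are assumptions for the example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits optionally separated by spaces or dashes; Luhn filters the rest.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Fields (assumed names) whose value counts as "a name" for linkage.
NAME_FIELDS = ("name", "customer_name", "account_holder")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    dataset: str
    record_id: str
    field: str
    kind: str          # "ssn" or "card"
    linked_name: str   # name found in the same record, "" if none


def find_pii(dataset: str, records: List[dict]) -> List[Finding]:
    """Scan each record's string fields and record what was found and where."""
    findings: List[Finding] = []
    for rec in records:
        name = next((str(rec[f]) for f in NAME_FIELDS if rec.get(f)), "")
        for field, value in rec.items():
            if field in NAME_FIELDS or not isinstance(value, str):
                continue
            for _ in SSN_RE.finditer(value):
                findings.append(Finding(dataset, rec["id"], field, "ssn", name))
            for m in CARD_RE.finditer(value):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    findings.append(Finding(dataset, rec["id"], field, "card", name))
    return findings


def inventory(findings: List[Finding]) -> Dict[Tuple[str, str, str], int]:
    """Count findings per (dataset, field, kind): the 'where is it' view."""
    summary: Dict[Tuple[str, str, str], int] = {}
    for f in findings:
        key = (f.dataset, f.field, f.kind)
        summary[key] = summary.get(key, 0) + 1
    return summary


# Constructed sample data. 4111... and 4012... are published test card
# numbers; 1234 5678 9012 3456 fails Luhn; 000-12-3456 is not a valid SSN.
SAMPLE_RECORDS = [
    {"id": "r1", "customer_name": "Ada Example", "card": "4111 1111 1111 1111",
     "notes": "SSN 219-09-9999 on file"},
    {"id": "r2", "customer_name": "Bob Sample", "card": "1234 5678 9012 3456",
     "notes": "no tax id"},
    {"id": "r3", "ref": "invalid ssn 000-12-3456; order 4012888888881881"},
]

if __name__ == "__main__":
    found = find_pii("CUST.MASTER", SAMPLE_RECORDS)
    for f in found:
        print(f)
    print(inventory(found))
```

The record r3 shows why linkage matters: the card number is real PII that must be located, but with no name in the record it is flagged as unlinked, which is a different handling decision from r1, where name, SSN and card sit together in one record.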
When managing information in the information infrastructure, the traditional response has been to let the IT department do it. The IT department has had a major role in building the information technology infrastructure for data protection from backup/restore software to running and managing remote disaster recovery sites. And the IT department will continue to serve that vital role in data protection.
But the IT department can't do everything. Consider, for example, the difference between data management and information management. Data management is the control of data outside the application data path, such as migration, replication, and backup and restore processes. That the IT department can do. Information management is the management of the content and relationships of information as it moves through the lifecycle of a business process. That involves the business rules and policies associated with the information, and it is not an IT department task.
But the IT department can't simply ask non-IT personnel to supply requirements, as it would in an applications development project. Designing a comprehensive data protection program is a collaborative effort that involves a lot of give and take among all stakeholders as part of the overall data governance initiative. Those stakeholders include business users, domain specialists (such as Legal, to determine what data can properly be deleted and what must be kept), and IT specialists (such as database administrators and information security specialists) to advise on software and hardware capabilities. In addition, without the ongoing and active commitment of senior management, a data governance initiative is unlikely to survive.
Enterprises need a comprehensive data protection program that’s information-centric, covers all three pillars of the GRC framework, and meets all six data protection objectives. That’s a significant workload for teams in a data governance program. We haven’t even touched on technology, but that’s a subject for another day!