Continuous data security governance: data governance is essential to cyber security

Cyber security is getting a lot of publicity in recent years. Ever-more sophisticated cyberattacks involving malware, cross-site scripting, denial of service and other attacks have placed organisations big and small at constant risk. Even unsophisticated attacks like phishing have continued to advance and evolve over the past few years, and cause organisations problems on a daily basis. In January 2019, Australia’s Parliament House was compromised by one simple click of a mouse and punched a digital hole in what should have been one of the country’s most secure Information Technology (IT) systems.[i]

As concerns about cyber threats have grown, businesses are making greater investments in developing business continuity plans in the event of a cyber-attack and in purchasing cyber insurance policies. Worldwide spending on cyber security is forecast to reach $133.7 billion in 2022[ii].

An increasing number of organisations have invested in incident response capabilities. Organisations have a number of individuals dedicated to analysing traffic flows and monitoring for cyber-attacks. These types of roles have proven to be effective in many situations, as they can minimise downtime and increase customer trust, which in turn yields financial advantages. They are often intimately involved with IT application and infrastructure teams to inform the type of security controls necessary to keep the organisation safe from cyber threats.

In recent years, we have seen a shift in security investments from threat prevention to threat detection. This requires an investment in security operations centres (SOCs) as the complexity and frequency of security alerts grow. According to Gartner, by 2022, 50 percent of all SOCs will transform into modern SOCs with integrated incident response, threat intelligence and threat-hunting capabilities, up from less than 10 percent in 2015.[iii]

But in many organisations, some fundamental questions remain unanswered, such as:

  • What are we ultimately protecting?
  • When have we applied enough security controls?
  • Who should be accountable and/or responsible?

Understanding cyber security

To answer these questions, it is important to understand what cyber security is. Cyber security refers to a set of techniques used to protect the integrity of an organisation’s security architecture and safeguard its data against attack, damage or unauthorised access.[iv] At its core, cyber security involves protecting data from cyber threats.

Data is a valuable resource. According to The Economist, the world’s most valuable resource is no longer oil, but data[v]. Therefore, it only makes sense that the minimum security requirements are informed by the type of data that needs to be protected. That determination is commonly made by performing a risk assessment and looking at the confidentiality, integrity and availability requirements, known together as the CIA triad. The CIA triad considerations are outlined below.

  • Data Confidentiality — Ensure the data is only accessible to authorised consumers. Consider the risks associated with unauthorised or inappropriate disclosure of the data.

  • Data Integrity — Ensure the quality, completeness and accuracy of the data. Consider the risks associated with changes to the data.

  • Data Availability — Ensure the data is available in the right format when it is needed. Consider the risks associated with data not being available or accessible.

Accountability for data

More often than not, an organisation’s IT department, responsible for the management and maintenance of information systems, is also expected to determine the above CIA criteria for specific data and to implement what it deems to be appropriate safeguards. This is often a sign that the roles and responsibilities for data within an organisation are not well understood. In most circumstances, the business subject matter experts are in a better position to answer the questions about the confidentiality, integrity and availability requirements for the data.

Data governance can help with this. Clearly defined decision rights across an organisation are a key enabler of good data governance, supporting efficient decision making about the management of data throughout its lifecycle. Data governance roles and responsibilities exist to champion the vision for data management, build a data-aware culture and ensure the right data is leveraged to achieve value across the organisation. The recommended governance roles and responsibilities crucial to the overall collection, management and use of data are listed below.

  • Data Owner — has enterprise level authority and accountability under legislation for the collection and management of the organisation’s data.

    There can only be one Data Owner and this is most commonly the head of an organisation such as the CEO.

  • Data Domain Custodian — is responsible for defining and implementing safeguards to ensure the protection of data. This must be done in accordance with the policies, procedures and rules approved by the Data Owner.

    There can be multiple Data Custodians within an organisation, but only one Data Custodian can be assigned to a single ‘data domain’. Examples of data custodians and domains include the Chief Financial Officer for finance data, the Chief Human Resources Officer for human resources data, the Chief Marketing Officer for marketing data, and the Head of Research and Development for research data.

  • Data Steward — is responsible for the quality, integrity and use of datasets on a day-to-day basis. A Data Steward may manage multiple datasets. They are responsible for applying relevant policies, procedures and rules, including applying information security classifications and safeguarding the data from unauthorised access and abuse.

    There can be multiple Data Stewards within an organisation, but only one Data Steward can be assigned to a single ‘data sub-domain’. Taking the finance domain as an example, the sub-domains could be budgeting data, forecast data, invoice data, etc.

  • Information Technology Service Providers — provide support to embed and implement governance controls and processes. This group includes the technical teams that provide system support and manage access to data, including information systems.

Five knows of cyber security

Both data security and data governance share one common objective: protecting the organisation's data. Data governance is a fundamental part of security. It ensures that the right people have the right access, whilst data security makes sure that enterprise data is safeguarded.

The five knows of cyber security[vi], developed by Mike Burgess, former Chief Security Officer at Telstra, address five key questions that each organisation should be able to answer in relation to its data.

  1. Do you know the value of your data?
  2. Do you know who has access to your data?
  3. Do you know where your data is located?
  4. Do you know who is protecting your data?
  5. Do you know how well your data is protected?

The questions above highlight the fact that data is central to cyber security. Data governance enables an organisation to answer these questions and therefore becomes central to effective cyber security controls.

The five knows of cyber security represent a significant shift in focus — from a technology discussion to one in which senior management can engage and contribute to the effective management of cyber security risk.

Although it is less about cyber security and more about data governance, The University of Queensland (UQ) has added one additional question to the list above as part of its Enterprise Data Governance Program: ‘Do you know the quality of your data?’ This relates to data integrity, but is not always a security-related concern.

Information security classification

Based on the confidentiality, integrity and availability requirements, a better understanding can be gained of the sensitivity and risk associated with a dataset. Based on that understanding, an information security classification can be assigned.

For instance:

  • Data published on an organisation’s website outlining product and service information is classified as ‘public’ data.
  • Data about the organisation's employees, which includes personally identifiable information (PII), is most likely classified as ‘sensitive’ data.
  • Data about a research project involving national security is most likely classified as ‘protected’ or ‘top secret’ data.

Understanding the information security classification of an organisation’s datasets is critical to informing cyber security controls. Controls can be categorised in a number of ways. For example, for sensitive datasets the following security controls might apply:

  • Enterprise-wide governance controls and processes
    - A Data Steward must be assigned to each dataset
    - A Data Steward must authorise access before access to a dataset is granted

  • Security and access controls
    - Users must be vetted before gaining access to the data
    - Multi-factor authentication must be used to gain access to the data

  • Storage and infrastructure controls
    - Storage solution must have data encryption capabilities
    - Data must be stored on infrastructure that is onshore

Data Stewards are the subject matter experts when it comes to the data and its associated value and risks. They have a better understanding of who should have access to the data (confidentiality), of the risks of the data being inaccurate (integrity), and of the impact of the data not being available (availability).

Although it is sensible for Information Technology Service Providers to provide input to security controls, it should ultimately be the Data Custodians and/or Data Stewards who make the final decision. Notable reasons for this include that security controls come with an associated cost and may impact user experience. The business must ultimately own the decision to accept or mitigate business risk and decide how much it wants to invest in protecting its datasets.

Conclusion

Data governance is essential to cyber security. In order to protect against threats, organisations need to know what data to protect and how best to protect it. Data governance allows an organisation to identify its high-value, high-risk datasets and allocate additional resources to protecting the data if necessary.

Note: This article was written to highlight the relationship between data governance and cyber security. The article has left out some other important aspects of data governance such as policies, metadata, master data, data literacy etc.

[i] https://www.abc.net.au/news/2019-11-15/cyber-attack-thwarted-on-parliament-house/11706444

[ii] https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to-exceed-124-billion-in-2019

[iii] https://www.gartner.com/en/newsroom/press-releases/2019-03-05-gartner-identifies-the-top-seven-security-and-risk-ma

[iv] https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-security

[v] https://www.economist.com/leaders/2017/05/06/the-worlds-most-valuable-resource-is-no-longer-oil-but-data

[vi] https://www.telstra.com.au/content/dam/tcom/business-enterprise/security-services/pdf/5-knows-of-cyber-security.pdf

Translated from: https://medium.com/swlh/data-governance-is-essential-to-cyber-security-4b179b3fb3f
