I’m out in Boston for the SOURCE conference, where Hoff and I just presented on Disruptive Innovation and the Future of Security. It went well, but we’re only giving ourselves a 6 out of 10. We tried to stuff in too much content and didn’t focus as much as we should have. We’ve already mapped out the next version, and I wish we were giving it before June (our next scheduled show).
One thing I noticed during our discussion of my section on the Information-Centric Security Lifecycle is that we’ve failed to talk about data governance. Since, thanks to Chris, I’ve become convinced that information is data with value, we’ll skip data governance and jump straight to information governance.
Consistent with my last short post, here are a few points on principles for information governance:
- The business, not IT or security, must determine the relative value of information.
- Information classification must represent the value of the information.
- Business and technical policies and controls must align with the information value/classification.
- Information governance must be consistent, practical, and auditable.
- The Board of Directors and executives are responsible and accountable for information governance, which is then implemented by business units (including IT).
- Information governance should not be so detailed that it cannot account for new information or accurately reflect the reality of a business in motion.
These aren’t quite as thought out as the Principles of Information-Centric Security, but I think they are a fairly reasonable place to start the discussion. Also keep in mind that I’m not talking about in-depth, impractical classification of every piece of data in an organization. This is about broad strokes to guide users in understanding which information is more valuable than other information, and how that information should then be handled.
You’ll also notice I didn’t mention security. Not once. Security is only one tool in the governance kit.
10 Replies to “Quick Note From SOURCE: Information Governance”
@rmogull
Rich – now I’m really confused.
Let’s take some of your points in turn…
“I’ve been talking to a lot of people at all levels of the industry … nearly all of them agree that Information Security is mostly all about network and host security.”
Wow, wow, wow – surely not? Since when?
I’ve been in this game for not that long compared with many people who both read and post here – six years or so – but for me, information security has *never* been solely about ‘tin’ and technology. Even in my earlier dabblings with the security cow, it has always been about the protection of information. This viewpoint is backed up by certifications and standards – CISSP (Common Body of Knowledge/Domains of Information Security) and ISO27001/ISO27002 (Code of Practice for Information Security) to name but two. And anyway, what about people in relation to information security? Let’s face it – people are usually the problem, doesn’t matter what you do with technology a lot of the time…
“Go into any organization and ask to see their frameworks/policies for protecting the information at the data level.”
You’ll see a risk management framework in many, together with a senior management endorsed policy framework – honest! It’s all about the data… determining who owns it, classifying it, determining controls and so forth. *This* is all information security-related work – granted, parts of it are not done by information security bods, but it all comes under the mantle of ‘information security’. I fail to see how ‘information governance’ helps here except to confuse… Information security *is* already ‘data-centric’…
“…we’ve lost control of the term Information Security.”
How have we? Can you provide some examples? If this really is the case, then surely we should attempt to reclaim it? How does inventing new terms like ‘Information Governance’ help here except to confuse further? (In my experience, the term ‘Information Governance’ doesn’t help – most people don’t know what it is and *no-one* has yet come up with a credible definition or even specified what the boundaries of it are.)
I refer to my earlier comment – Google the definition of ‘Information Governance’…?! A wealth of information awaits… 😉
“The governance term is ONLY to make the point that security is driven by the business, and it isn’t our job to decide what information is more valuable than the rest.”
Hasn’t it always been the case that information security is driven by the business? In any organisation where either the information security function or even the IT function is making decisions about the value of the information they protect or are custodians of, then something within the organisation is seriously broken… this is not a reality I am aware of… have I been spoilt or something in the organisations I have worked for?
Sorry for the rant, but I don’t see that the term ‘information governance’ helps at all. No proper definition of it exists, the boundaries of its existence are not properly scoped and, in any case, we already have an area of work which encompasses the identification of ownership of information, the classification of information and the subsequent risk management and control of that information. It’s called ‘information security’ and I hope that it’s here to stay.
Last post, I promise…
When you use terms like information-centric or information governance to reestablish what I think we all agree are core infosec competency areas as such, I think you dilute it instead by creating the perception that these are in fact new areas. To say that “eventually the term will fade away” only highlights that the term isn’t needed.
I’ll hush now.
I’m glad you got that out of your system. I used that extreme example to make the point that I feel people like Rich and Hoff are not creating new fields of security, but simply sharply honing the focus towards protecting the contents (the data), not the containers (the infrastructure). While I suspected your experience was very deep, my observation is that the vast majority still do not get it. Perhaps some semantic discussion is necessary to get everyone on the same page, but ultimately you are right; let’s get on with it.
I am with a vendor that offers access and audit control at the individual file level for authorized users in the form of scalable MLS. It is amazing how many security people have told me that it is “too much security” for business. Yet I see companies about to invest large amounts of money in NAC, when endpoint devices serve only as the most basic of proxies for users. Where does NAC answer the question of who is accessing what information and what they are doing with it? More network security that avoids solving the right business problem.
>> The term information security itself has really only been a grab-bag misnomer term for something that really boils down to only network security, at least in the commercial space. <<
I just threw up on my keyboard. In what world is this true? Never one that I’ve worked in. Not sure you care, but my background includes work in the ISP space with AT&T, the DoD/federal space, 3 years at Symantec and several years as an ISO. Sure, network security is part of it, and is relatively easy. But a rounded program also includes considerations for the security of hosts and applications (especially applications!). All of which, by the way, exist only to provide access to and utilization of information, be that a game server or the next big data warehouse. Remember, infrastructure exists only where information is present. So yes, protecting infrastructure does equal protecting information, but in a relatively unsophisticated way. Things like DRM have been around for years and years, but they’ve just sucked. Since day 1 the security industry has been about protecting information; we’ve just done it in the most pragmatic way we could. Was there a focus on the firewall? Sure, but only in the context of protecting the information behind it in as efficient a manner as was possible at the time. Let’s stop changing history in order to make us look prescient in the present.
You both seem to agree that information governance as a concept has always been part of information security. The term information security itself has really only been a grab-bag misnomer term for something that really boils down to only network security, at least in the commercial space. Protecting infrastructure is not the same thing as protecting information so it may be a matter of renewed, or perhaps long overdue emphasis and focus on this concept.
As Larry Ponemon pointed out in his last Dark Reading report, “Too Much Access”, information governance generally exists in practice as a concept only, and is still extremely poorly understood or enforced by corporate management today.
Hmmm… so I guess we agree then 🙂 Information Governance as a concept brings nothing new to the party except to confuse and befuddle…
And fortunately for Rich, he didn’t invent it. Someone else did that, though for the life of me, I fail to understand why…
My lack of typing and spelling ability will be my demise.
I guess what I am saddened by is what I see as some sort of need for the writer of this blog to create new fields of security by recasting and renaming existing concepts. I see nothing new or interesting in the concept posited here as “information governance”… it is in line with decades of security thinking. Business defines value, we classify it as such, and protect it as warranted by that definition.
I’m spoiled, but I expect more from the author, and that’s why I enjoy this blog so much. The database stuff and the DLP insight are great. This? Not so much.
I’m going to go work on defining my connection-centric packet interception device. You’ll all love it.
@ds
You must live in a parallel universe then. I’ve been talking to a lot of people at all levels of the industry about this the past few years and nearly all of them agree that Information Security is mostly all about network and host security. That may not be how it reads in the Orange Book (which was focused more on the information), but everything since Code Red and Melissa has pretty much ignored the information part.
I’m not changing history or recasting existing concepts. Go into any organization and ask to see their frameworks/policies for protecting the information at the data level.
We almost never talk about the information part of information security.
I was at a dinner last night with some reasonably well known industry types. After reading this comment, I decided to ask what they thought. The unanimous feedback was that I need to keep using the term Information-Centric (or data security, or… anything) since we’ve lost control of the term Information Security.
A large percentage of what I talk about on this site is how we protect information after we’ve finished with the network, host, and applications. Information-centric is what I’m using for now, and eventually the term will fade away. Your own posts only reinforce the need to discuss the information level controls differently than net/host/app controls.
The governance term is ONLY to make the point that security is driven by the business, and it isn’t our job to decide what information is more valuable than the rest. But outside of DoD/Intel and some financial services, security often has to make those value decisions, since the business units all claim they’re the most important, and exec management doesn’t mediate.
I’m not prescient or psychic, but there are only a handful of people in our industry working on models and frameworks at the information layer. If all I do is tell you about DLP, encryption, and DB security without showing how to properly layer and connect those controls/technologies, I’m not contributing anything to the industry.
Don’t worry, I’ll still keep up with the technology posts, and feel free to skip the framework posts if you already read it all in the CBK, Orange Book, or other historical source.
@-ds-centric,
There is no contradiction in any ‘parahraph’ (sic) in my comments above. However, I may not have explained myself very well, so let me try again:
As I see it, there is an arbitrary and somewhat pointless separation of use of/definition of/matters relating to privacy of information into a separate area known as Information Governance. This area used to belong to Information Security.
The business has always had to drive information policy/classification and so forth. Nothing has changed in this respect. Except, this is now done in conjunction with the Information Governance department in those organisations which have adopted the ‘information governance’ white elephant.
Where the problem lies is that some folk see Information Governance as encompassing all of Information Security. In fact, they define Information Governance *as* Information Security. This is blatantly not the case. Information Governance does not define security standards or security principles nor does it specify appropriate security controls. It has nothing to do with the technical aspects of security at all.
This is what I meant by stating that Information Governance is *not* Information Security.
I leave you with this piece of somewhat interesting information. Just try typing in “define: information governance” into Google and see what is returned – yup – nothing. Now, I wonder why that is? 😉