While some cybersecurity teams may be anxious to get involved with master data management (MDM), there are prerequisites that we strongly recommend be in place prior to starting down the implementation path. Having a well-defined software development life cycle (SDLC) in place is important. Even more important is that adherence to the SDLC be institutionalized. Tied into this is the architecture review board, which should be reviewing all significant changes or new implementations of data, systems, technology, etc. These 2 processes should be addressed in the information security policy and, where applicable, the data governance policy.
With these building blocks in place, the following steps will get you started mapping a data protection plan that can be outlined in a governance standard document and referenced in your company’s information security policy and data governance policy:
- Step 1—Identify and document data owners for governance decisions. Ask the business to identify who can make decisions regarding data retention, data destruction, data classification, disaster recovery and business continuity planning.
- Step 2—Validate with the IT team their responsibilities for providing the hardware, operating systems, software patching, maintenance and systems support. Follow this by asking what disaster recovery plans are in place. If there is a discrepancy between disaster recovery needs and documented disaster recovery plans, bring the business and IT teams together to resolve and record the details. The same goes for any associated business continuity plans.
- Step 3—Develop a detailed document regarding the standards and procedures for access control, logging and monitoring, privileged access management, and compliance guidelines for backup data retention and any other relevant processes. It is an imperative that the cybersecurity team holds a seat on the architecture review board to ensure the identification of sensitive or protected data and to recommend the appropriate protection level.
- Step 4—With the appropriate cybersecurity training, authorize the MDM staff to act as cybersecurity deputies owning the guardianship of data sources, data access and data egress. The MDM team also needs to maintain the data map that documents MDM data storage and flows.
- Step 5—Institute quarterly meetings between the cybersecurity team and the MDM team to review the configurations of all related data tools ensuring access is appropriately assigned.
- Step 6—Of great importance, user access reviews should be instituted for all data flows. This is typically done by performing quarterly access reviews for the applications that interact with MDM. We suggest assigning this task to each application team. Then turn it over to internal audit team for their review.
- Step 7—In organizations where data loss prevention (DLP) software can be funded, we recommend its implementation because it adds real-time, preventative control for keeping data secure.
In the process of implementing the previous list, the cybersecurity team should perform the governance role of defining the levels of security for each data type based on its classification (e.g., public, confidential and restricted).
Ensure that your classification names align with your company’s documented management terms and that they are congruent with the corporate document management definitions.
It is important to outline which data require encryption during transmission, what data require encryption at rest and what data requirements apply if the data are transmitted to a 3rd party. Within this guidance, cybersecurity also sets the standards for compliance, which should include considerations for Payment Card Industry Data Security Standard, General Data Protection Regulation, personally identifiable information, the Health Insurance Portability and Accountability Act, etc.
Read Sonja Hammond and Chip Jarnagin’s recent Journal article:
“Cybersecurity vs. Master Data Management,” ISACA Journal, volume 3, 2018.