Data is constantly at risk.
With the proliferation of breaches of sensitive data – and the consequences for those who were entrusted with the data – it is becoming clear that data can also represent risk. How do we deal with risk? We manage it, preferably by preventing the events that we don’t want to occur. Those we can’t be sure of preventing, we at least detect, so we can then correct the problem.
How are risk management strategies made operational? Through controls. Controls can be preventative or detective/corrective. They can be automated, manual, or technology-enabled manual processes.
Often the Data Governance program is asked to recommend data-related controls that could be applied at multiple levels of the controls stack (network / operating system; database; application; user processes) to support governance goals. Data Governance may also be asked to recommend ways that existing general controls (Change Management, policies, training, SDLCs and Project Management, etc.) could be modified to support governance goals or enterprise goals.
Sometimes Data Governance is asked to assist with internal or external audits by explaining how different data-related controls build upon each other.