Data Governance: The Key to Compliance

In a legislation-laden era, more and more organizations are falling under the mandates of governmental or industry regulation. The requirements can be complex and confusing, and it’s hard to know where to start in creating and enforcing policies that will keep your company in compliance, so many IT departments live in fear of the upcoming compliance audit. But whether your company is covered by HIPAA, GLBA, SOX, PCI DSS, FISMA or other less-known regulations, data governance is a key element in meeting the standards.

Despite this, many IT professionals and even security experts don’t have a real understanding of what data governance comprises or how to implement an effective data governance policy. Data governance refers to the collection of established policies and procedures that govern the management of your data, both in transit and at rest, within and (in the case of cloud computing) outside of your organization’s premises. These policies should encompass usability and usage, availability and reliability, and the security and integrity of the data.

A good way to think of it is in terms of the old journalism school rule of thumb: Who, What, When, Where and How. These are the questions you need to ask when you formulate your program. A more formal definition, from the Data Governance Institute, says it this way:

“Data Governance is a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”

A data governance program is a three-pronged system:

  • People (the governing body that establishes the policies and procedures, those tasked with implementing them, and the creators and users of the data who are impacted)
  • Policies and Procedures (the formal rules and implementation guidelines)
  • Plan (a structured means by which to execute the procedures)

The people involved include designated roles such as data custodian, data steward, and data stakeholder. Beginning at the lowest level of responsibility, the data stakeholders include any individuals or groups who are impacted by the data governance decisions, so everyone who creates or uses the data belongs in this group. Data stewards are those who either set the policies (in small organizations) or make recommendations to higher authorities in larger organizations (which may have one or more chief data stewards). Data custodians are directly responsible for the maintenance of the safety and integrity of the data when it is in transit and in storage. Data custodians have responsibility for the technical aspects of protecting the data, the “how” of implementing the policies, whereas data stewards are business-focused with responsibility for the “why” and “what” of the policies and procedures.

Data governance is all about decision-making. Before people can make decisions regarding data governance, a decision must be made regarding who has the authority to make which decisions. This is called decision rights. In regard to regulatory compliance, decisions include whether to comply (a fairly easy decision when penalties for non-compliance are involved), when to comply (how long it will take to implement full compliance), what must be done to comply (the particular requirements) and how compliance will be achieved (what changes will be made and in what order).

The policies are the rules and guidelines developed by the governing individuals or committees and address what must (or must not) be done, who is responsible for doing it and for enforcing it, where the policy applies (including exceptions), when the policy goes into effect and why the policy is needed (the purpose/goal of what the policy is designed to accomplish). Policies should be straightforward and easy to understand, should cover as many scenarios/situations as can be anticipated, and should not conflict or overlap with one another. Policies should be distributed to all who are impacted by them.

Procedures are specific instructions on how to perform a task or process in a structured way. Each procedure should address one task. The procedural document should specify who is authorized or required to perform it, what steps are to be taken, when each step is to be taken (order of steps) and how those steps are to be performed, including specific protocols, applications, devices etc. that are to be used.

The plan is a broader-based “big picture” view of what will need to be in place to accomplish the data governance program mission, including timelines, budgets, hardware and software purchases, personnel, and so forth.

One of the most difficult parts of establishing compliance policies is the decision as to who will be accountable for compliance-related tasks. Those who are assigned responsibility must have the corresponding authority to carry out those tasks, and this can get tricky in terms of internal politics and “turf wars” within an organization. The plan should take this into account and establish clear channels of communication and a chain of command to avoid different individuals and groups duplicating effort or even working at odds with one another toward compliance goals.

Deb is a technology and security analyst, consultant and author specializing in identity, security and cybercrime. Deb focuses on Microsoft products, and has been awarded the Microsoft MVP (Most Valuable Professional) award in the field of enterprise security for 15 years in a row.