This article argues that information governance must be included when assessing the risk of implementing a data security framework such as the NIST Framework for Improving Critical Infrastructure Cybersecurity, and describes its role in the program that results from that implementation. Strong information governance is a necessary component of a comprehensive data security program; omitting it incurs significant risk and reduces the effectiveness of the program.
Data security incidents are becoming increasingly common, and increasingly costly, and organizations are spending ever more money and resources to combat them. The scope of the risk is growing as well. In the European Union, very substantial penalties for data breaches are now being levied under the data privacy rubric (a breach involving PII being, by definition, a privacy violation),1 and data security is increasingly a regulatory compliance matter as administrative agencies promulgate regulations addressing it, with the usual fines and other penalties for non-compliance.2
In response, the security armory becomes ever better stocked with increasingly sophisticated tools. What is often overlooked, however, are the basic tools of information governance: knowing what data the organization holds, where it is, who owns it, who may access it, and how long it should be kept.

This can be a costly oversight. Data breaches and other data loss can often be traced back to poor information governance practices, and even when poor governance is not the primary cause, it frequently makes the consequences of a data security incident worse than they would otherwise have been.