Part 1 Section F.2. Data Governance

Definition of Data Governance

Data governance encompasses the practices, procedures, processes, methods, technologies, and activities that deal with the overall management of the data assets and data flows within an organization.

  • Data availability
  • Data usability
  • Data integrity
  • Data security
  • Data privacy
  • Data integration
  • System availability
  • System maintenance
  • Compliance with regulations
  • Determination of roles and responsibilities of managers and employees
  • Data flows

IT Governance and Control Framework

Internal Control – Integrated Framework by COSO

The internal control system should consist of the following five interrelated components.

  1. The control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring

COBIT® by ISACA

ISACA

Information Systems Audit and Control Association

Because the association now covers information systems in general, it is known simply as ISACA.

COBIT

Control OBjectives for Information and Related Technology

Governance is usually the responsibility of the board of directors under the leadership of the chair of the board of directors.

Management is usually the responsibility of the executive management under the chief executive officer’s (CEO’s) leadership.

Governance System
  • Process
  • Organization structures
  • Principles, policies, and frameworks
  • Information
  • Culture, ethics, and behavior
  • People, skills, and competencies
  • Services, infrastructure, and applications
Governance and Management Objectives
  • Governance Objectives
    • EDM – Evaluate, Direct and Monitor
  • Management Objectives
    • APO – Align, Plan, and Organize
    • BAI – Build, Acquire, and Implement
    • DSS – Deliver, Service, and Support
    • MEA – Monitor, Evaluate, and Assess
Design Factors for a Governance System
  1. Enterprise strategy
  2. Enterprise goals
  3. Risk profile
  4. IT-related issues
  5. Threat landscape
  6. Compliance requirements
  7. Role of IT
    • Support
    • Factory
    • Turnaround
    • Strategic
  8. Sourcing model for IT
  9. IT implementation methods
    • Agile
      • Individuals and interactions
      • Working software
      • Customer collaboration
      • Responding to change
    • DevOps - Development and operations (development and operations as one team!)
    • Traditional
    • Hybrid, or bimodal IT
  10. Technology strategy
    • First mover
    • Follower
    • Slow adopter
  11. Enterprise size
Goals Cascade
  • Stakeholder Drivers and Needs
    • Enterprise Goals
      • Alignment Goals
        • Governance and Management Objectives
Capability Level

Level | General Characteristics | Notes
0 | Lack of any basic capability; incomplete approach to addressing the governance and management purpose; may or may not be meeting the intent of any process practices. | Lack of basic capability
1 | The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as performed. | Somehow achieves its purpose, though it is not clear how
2 | The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed. | Incomplete, but the basics are in place
3 | The process achieves its purpose in a much more organized way using organizational assets. Processes are typically well defined. | The process is defined
4 | The process achieves its purpose, is well defined, and its performance is (quantitatively) measured. | Performance is quantitatively measured
5 | The process achieves its purpose, is well defined, its performance is measured to improve performance, and continuous improvement is pursued. | Continuous improvement is in place
Maturity Level

Level | General Characteristics | Notes
0 Incomplete | Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area. | Incomplete
1 Initial | Work is completed, but the full goal and intent of the focus area are not yet achieved. | Rudimentary
2 Managed | Planning and performance measurement take place, although not yet in a standardized way. | Managed
3 Defined | Enterprise-wide standards provide guidance across the enterprise. | Defined
4 Quantitative | The enterprise is data driven, with quantitative performance improvement. | Quantitatively measured
5 Optimizing | The enterprise is focused on continuous improvement. | Optimized

Data Life Cycle

  • Data capture
    • External acquisition
    • Data entry
    • Signal reception
  • Data maintenance
  • Data synthesis
  • Data usage
  • Data analytics
  • Data publication
  • Data archival
  • Data purging

Records Management

  • Federal, state, and local document retention requirements
  • Requirements of the Sarbanes-Oxley Act of 2002
  • Statute of limitation information
  • Accessibility
  • Records of records

Cyberattacks

  • Copyright infringement
  • Denial of Service (DoS)
    • Distributed Denial of Service (DDoS)
    • Internet of Things (IoT) devices
    • Botnet
  • Buffer overflow attacks
  • Password attacks
    • Brute force attacks
    • Intrusion-detection systems (a countermeasure: they flag repeated failed logins from one source)
  • Phishing
  • Malware
    • Spyware
    • Bot
    • Zombie
  • Ransomware
  • Pay-per-click abuse
  • Social engineering
  • Dumpster diving

Defenses Against Cyberattack

  • Encryption
  • Ethical hackers
    • Intrusion testing
    • Penetration testing
    • Vulnerability testing
  • Advanced firewalls
    • Packet filtering
    • Packets
    • Next-generation firewalls

Access Controls

Logical Access Controls

  • To restrict data access to authorized users only; two-factor authentication requires two of the following:
    • Something you know
      • Mother's maiden name (a security question)
    • Something you are
      • Biometrics
    • Something you have
      • Token

Two-Factor Authentication

  • Other user access consideration
    • Automatic locking or logoff policies
    • Logs of all login attempts, whether successful or not
    • Accounts that automatically expire
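The three "other user access considerations" above (automatic locking, logging every login attempt whether successful or not, and accounts that expire) only help if someone actually reads the logs. The following is an added example, not part of the original notes: a small monitor that replays a constructed login log, applies a lockout rule, and reports three findings a reviewer would want: accounts that hit the brute-force threshold, a successful login that arrived while the account should have been locked (the lockout was not enforced), and a successful login to an account past its expiry date. The log line format, the thresholds, and the expiry table are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page). Assumed line format:
# "<ISO timestamp> <user> <source-ip> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 10.0.0.5 SUCCESS
2024-05-01T09:01:10 bob 198.51.100.7 FAIL
2024-05-01T09:01:12 bob 198.51.100.7 FAIL
2024-05-01T09:01:14 bob 198.51.100.7 FAIL
2024-05-01T09:01:16 bob 198.51.100.7 FAIL
2024-05-01T09:01:18 bob 198.51.100.7 FAIL
2024-05-01T09:01:20 bob 198.51.100.7 SUCCESS
2024-05-01T09:30:00 carol 10.0.0.9 FAIL
2024-05-01T10:30:00 carol 10.0.0.9 FAIL
2024-05-01T11:00:00 dave 10.0.0.12 SUCCESS
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

# Assumed policy values for the example.
MAX_FAILURES = 5                 # failures inside WINDOW that trigger a lock
WINDOW = timedelta(minutes=10)    # sliding window for counting failures
LOCKOUT = timedelta(minutes=30)   # how long the account stays locked

# Assumed account expiry dates (constructed). dave's account expired
# before the log starts, so any successful login by dave is a finding.
ACCOUNT_EXPIRY = {
    "alice": datetime(2025, 1, 1),
    "bob": datetime(2025, 1, 1),
    "carol": datetime(2025, 1, 1),
    "dave": datetime(2024, 3, 31),
}


def parse_log(text):
    """Parse log lines into (timestamp, user, ip, outcome) tuples.
    Malformed lines are skipped so one bad line cannot stop the monitor."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, ip, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, outcome))
    return events


def analyze(events, expiry=ACCOUNT_EXPIRY):
    """Replay attempts in time order and return a dict of findings:
    locked: user -> (time locked, source ip) when the threshold was hit
    success_after_lockout: successes that arrived while still locked
    expired_logins: successes on accounts past their expiry date"""
    failures = defaultdict(list)    # user -> recent failure timestamps
    locked_until = {}               # user -> time the lockout ends
    findings = {"locked": {}, "success_after_lockout": [], "expired_logins": []}

    for ts, user, ip, outcome in sorted(events):
        # Expired accounts should never succeed; record it if they do.
        if outcome == "SUCCESS" and user in expiry and ts > expiry[user]:
            findings["expired_logins"].append((ts, user, ip))

        # While locked, every attempt is rejected; a SUCCESS here means
        # the lockout was not actually enforced by the login system.
        if user in locked_until and ts < locked_until[user]:
            if outcome == "SUCCESS":
                findings["success_after_lockout"].append((ts, user, ip))
            continue

        if outcome == "FAIL":
            recent = [t for t in failures[user] if ts - t <= WINDOW]
            recent.append(ts)
            failures[user] = recent
            if len(recent) >= MAX_FAILURES:
                locked_until[user] = ts + LOCKOUT
                findings["locked"][user] = (ts, ip)
                failures[user] = []
        else:
            failures[user] = []      # a real success resets the counter
    return findings


def report(text=SAMPLE_LOG):
    """Convenience entry point: parse then analyze."""
    return analyze(parse_log(text))


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Two design points: the failure counter uses a sliding window, so carol's two failures an hour apart do not trigger a lock (a slow, low-rate guessing campaign would need a separate, longer-horizon rule), and the monitor keeps its own view of who should be locked rather than trusting the login system, which is how it catches bob's successful login two seconds after the fifth failure.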

Physical Access Controls

  • Walls and fences
  • Locked gates and doors
  • Manned guard posts
  • Monitored security cameras
  • Guard dogs
  • Alarm systems
  • Smoke detectors and fire suppression systems
  • Physical access
    • Card access
  • Biometrics
