Part 1 Section F.2. Data Governance


Data governance encompasses the practices, procedures, processes, methods, technologies, and activities that deal with the overall management of the data assets and data flows within an organization.

  • Data availability
  • Data usability
  • Data integrity
  • Data security
  • Data privacy
  • Data integration
  • System availability
  • System maintenance
  • Compliance with regulations
  • Determination of roles and responsibilities of managers and employees
  • Data flows

IT Governance and Control Framework

Internal Control – Integrated Framework by COSO

The internal control system should consist of the following five interrelated components.

  1. The control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring



Information Systems Audit and Control Association (ISACA)

Because it now deals broadly with information systems in general, the association is known simply as ISACA.


Control Objectives for Information and Related Technology (COBIT)

Governance is usually the responsibility of the board of directors under the leadership of the chair of the board of directors.

Management is usually the responsibility of the executive management under the chief executive officer’s (CEO’s) leadership.

Governance System
  • Process
  • Organization structures
  • Principles, policies, and frameworks
  • Information
  • Culture, ethics, and behavior
  • People, skills, and competencies
  • Services, infrastructure, and applications
Governance and Management Objectives
  • Governance Objectives
    • EDM – Evaluate, Direct and Monitor
  • Management Objectives
    • APO – Align, Plan, and Organize
    • BAI – Build, Acquire, and Implement
    • DSS – Deliver, Service, and Support
    • MEA – Monitor, Evaluate, and Assess
Design Factors for a Governance System
  1. Enterprise strategy
  2. Enterprise goals
  3. Risk profile
  4. IT-related issues
  5. Threat landscape
  6. Compliance requirements
  7. Role of IT
    • Support
    • Factory
    • Turnaround
    • Strategic
  8. Sourcing model for IT
  9. IT implementation methods
    • Agile
      • Individuals and interactions
      • Working software
      • Customer collaboration
      • Responding to change
    • DevOps - development and operations (development and operations as one team!)
    • Traditional
    • Hybrid, or bimodal IT
  10. Technology strategy
    • First mover
    • Follower
    • Slow adopter
  11. Enterprise size
Goals Cascade
  • Stakeholder Drivers and Needs
    • Enterprise Goals
      • Alignment Goals
        • Governance and Management Objectives
Capability Level
  Level  General Characteristics                                             Notes
  0      Lack of any basic capability; incomplete approach to address
         governance and management purpose; may or may not be meeting
         the intent of any process practices.
  1      The process more or less achieves its purpose through the
         application of an incomplete set of activities that can be
         characterized as performed.
  2      The process achieves its purpose through the application of a
         basic, yet complete, set of activities that can be characterized
         as performed.
  3      The process achieves its purpose in a much more organized way
         using organizational assets. Processes typically are well
  4      The process achieves its purpose, is well defined, and its
         performance is (quantitatively) measured.
  5      The process achieves its purpose, is well defined, its
         performance is measured to improve performance, and continuous
         improvement is pursued.
Maturity Level
  Level  General Characteristics                                             Notes
  0      Work may or may not be completed toward achieving the purpose of
         governance and management objectives in the focus area.
  1      Work is completed, but the full goal and intent of the focus area
         are not yet achieved.
  2      Planning and performance measurement take place, although not
         yet in a standardized way.
  3      Enterprise-wide standards provide guidance across the
  4      The enterprise is data driven, with quantitative performance
         improvement.
  5      The enterprise is focused on continuous improvement.

Data Life Cycle

  • Data capture
    • External acquisition
    • Data entry
    • Signal reception
  • Data maintenance
  • Data synthesis
  • Data usage
  • Data analytics
  • Data publication
  • Data archival
  • Data purging

Records Management

  • Federal, state, and local document retention requirements
  • Requirements of the Sarbanes-Oxley Act of 2002
  • Statute of limitation information
  • Accessibility
  • Records of records


  • Copyright infringement
  • Denial of Service (DoS)
    • Distributed Denial of Service (DDoS)
    • Internet of Things (IoT)
    • botnet
  • Buffer overflow attacks
  • Password attacks
    • Brute force attacks
    • intrusion-detection systems
  • Phishing
  • Malware
    • Spyware
    • bot
    • zombie
  • Ransomware
  • Pay-per-click abuse
  • Social engineering
  • Dumpster diving

Defenses Against Cyberattack

  • Encryption
  • Ethical hackers
    • intrusion testing
    • penetration testing
    • vulnerability testing
  • Advanced firewalls
    • packet filtering
    • Packets
    • Next Generation Firewalls

Access Controls

Logical Access Controls

  • To restrict data access to authorized users only - require two of the following!
    • Something you know
      • e.g. mother's maiden name
    • Something you are
      • biometrics
    • Something you have
      • token

Two-Factor Authentication

  • Other user access consideration
    • Automatic locking or logoff policies
    • Logs of all login attempts, whether successful or not
    • Accounts that automatically expire
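The controls listed above, as an added example that is not part of the original notes: a small Python login service that requires two factors (a password, something you know, plus a time-based one-time code from a token, something you have), logs every attempt whether successful or not, locks the account automatically after repeated failures, and refuses expired accounts. The class and function names (LoginService, hotp, totp, wrong_code, demo), the lockout threshold and the demo account are assumptions made for this example; the one-time code follows the standard HOTP/TOTP construction (RFC 4226 / RFC 6238).

```python
# Added example (not from the original notes): two-factor login with attempt
# logging, automatic lockout and account expiry. Names, thresholds and the demo
# account below are assumptions for illustration.
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated hash so a stolen database does not yield passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a shared secret and counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = 30) -> str:
    """Time-based variant (RFC 6238): the counter is the 30-second window."""
    return hotp(secret, int(now // step))


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes          # something you know, stored only as a hash
    totp_secret: bytes      # something you have: seed held by the user's token
    expires_at: float       # account automatically expires at this epoch time
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    MAX_FAILURES = 3        # lock after this many consecutive failures
    LOCKOUT_SECONDS = 900   # length of the automatic lock

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.log: list[tuple[float, str, str]] = []   # every attempt, success or not

    def add_account(self, user: str, password: str, totp_secret: bytes, expires_at: float) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_password(password, salt), totp_secret, expires_at)

    def _record(self, now: float, user: str, outcome: str) -> str:
        self.log.append((now, user, outcome))
        return outcome

    def login(self, user: str, password: str, code: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            hash_password(password, b"\x00" * 16)   # keep timing similar for unknown users
            return self._record(now, user, "FAIL: unknown user")
        if now >= acct.expires_at:
            return self._record(now, user, "FAIL: account expired")
        if now < acct.locked_until:
            return self._record(now, user, "FAIL: account locked")
        # Check both factors unconditionally so the response does not reveal which one failed.
        pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        window = int(now // 30)
        code_ok = any(hmac.compare_digest(hotp(acct.totp_secret, window + d).encode(), code.encode())
                      for d in (-1, 0, 1))   # tolerate one step of clock drift either way
        if pw_ok and code_ok:
            acct.failures = 0
            return self._record(now, user, "OK")
        acct.failures += 1
        if acct.failures >= self.MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + self.LOCKOUT_SECONDS
            return self._record(now, user, "FAIL: locked after repeated failures")
        return self._record(now, user, "FAIL: bad password or code")


def wrong_code(secret: bytes, now: float) -> str:
    """A code guaranteed to be outside the accepted window, so the demo is deterministic."""
    valid = {hotp(secret, int(now // 30) + d) for d in (-1, 0, 1)}
    return next(c for c in ("000000", "111111", "222222", "333333") if c not in valid)


def demo() -> list[str]:
    """Run a constructed scenario and return the outcome of every logged attempt."""
    svc = LoginService()
    secret = b"constructed-demo-seed-0123"          # constructed token seed
    t0 = 1_700_000_000.0                            # fixed clock for repeatability
    svc.add_account("alice", "correct horse", secret, expires_at=t0 + 86_400)
    svc.login("alice", "correct horse", totp(secret, t0), now=t0)                    # both factors
    svc.login("alice", "correct horse", wrong_code(secret, t0 + 1), now=t0 + 1)      # password only
    svc.login("alice", "wrong", totp(secret, t0 + 2), now=t0 + 2)                    # token only
    svc.login("alice", "wrong", wrong_code(secret, t0 + 3), now=t0 + 3)              # third failure: lock
    svc.login("alice", "correct horse", totp(secret, t0 + 4), now=t0 + 4)            # correct, but locked
    svc.login("alice", "correct horse", totp(secret, t0 + 90_000), now=t0 + 90_000)  # account expired
    return [outcome for _, _, outcome in svc.log]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that a correct password with a bad code is rejected the same way as a bad password with a correct code: both factors must pass, and the single error message denies an attacker feedback on which one failed. The log keeps failed attempts as well as successes, which is what lets a reviewer spot a brute-force run against one account.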

Physical Access Controls

  • Walls and fences
  • Locked gates and doors
  • Manned guard posts
  • Monitored security cameras
  • Guard dogs
  • Alarm systems
  • Smoke detectors and fire suppression systems
  • Physical access
    • card access
  • Biometric