Definition of Data Governance
Data governance encompasses the practices, procedures, processes, methods, technologies, and activities that deal with the overall management of the data assets and data flows within an organization.
- Data availability
- Data usability
- Data integrity
- Data security
- Data privacy
- Data integration
- System availability
- System maintenance
- Compliance with regulations
- Determination of roles and responsibilities of managers and employees
- Data flows
IT Governance and Control Framework
Internal Control – Integrated Framework by COSO
The internal control system should consist of the following five interrelated components.
- The control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
COBIT® by ISACA
ISACA: Information Systems Audit and Control Association. Because it now covers information systems in general, it is known simply as ISACA.
COBIT: Control OBjectives for Information and Related Technology
Governance is usually the responsibility of the board of directors under the leadership of the chair of the board of directors.
Management is usually the responsibility of the executive management under the chief executive officer’s (CEO’s) leadership.
Governance System
- Process
- Organization structures
- Principles, policies, and frameworks
- Information
- Culture, ethics, and behavior
- People, skills, and competencies
- Services, infrastructure, and applications
Governance and Management Objectives
- Governance Objectives
  - EDM – Evaluate, Direct and Monitor
- Management Objectives
  - APO – Align, Plan, and Organize
  - BAI – Build, Acquire, and Implement
  - DSS – Deliver, Service, and Support
  - MEA – Monitor, Evaluate, and Assess
Design Factors for a Governance System
- Enterprise strategy
- Enterprise goals
- Risk profile
- IT-related issues
- Threat landscape
- Compliance requirements
- Role of IT
  - Support
  - Factory
  - Turnaround
  - Strategic
- Sourcing model for IT
- IT implementation methods
  - Agile
    - Individuals and interactions
    - Working software
    - Customer collaboration
    - Responding to change
  - DevOps (Development and Operations): development and operations as one team!
  - Traditional
  - Hybrid, or bimodal IT
    - Agile
- Technology strategy
  - First mover
  - Follower
  - Slow adopter
- Enterprise size
Goals Cascade
- Stakeholder Drivers and Needs
- Enterprise Goals
- Alignment Goals
- Governance and Management Objectives
- Alignment Goals
- Enterprise Goals
Capability Level
Level | General Characteristics | Notes |
---|---|---|
0 | Lack of any basic capability; incomplete approach to addressing the governance and management purpose; may or may not be meeting the intent of any process practices. | Lack of basic capability |
1 | The process more or less achieves its purpose through the application of an incomplete set of activities that can be characterized as performed. | Achieves its purpose somehow, though it is unclear how |
2 | The process achieves its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed. | Incomplete, but the basics are in place |
3 | The process achieves its purpose in a much more organized way using organizational assets. Processes typically are well defined. | The process is defined |
4 | The process achieves its purpose, is well defined, and its performance is (quantitatively) measured. | Performance is quantitatively measured |
5 | The process achieves its purpose, is well defined, its performance is measured to improve performance, and continuous improvement is pursued. | Continuous improvement is in place |
Maturity Level
Level | General Characteristics | Notes |
---|---|---|
0 | Incomplete: Work may or may not be completed toward achieving the purpose of governance and management objectives in the focus area. | Incomplete |
1 | Initial: Work is completed, but the full goal and intent of the focus area are not yet achieved. | Initial |
2 | Managed: Planning and performance measurement take place, although not yet in a standardized way. | Managed |
3 | Defined: Enterprise-wide standards provide guidance across the enterprise. | Defined |
4 | Quantitative: The enterprise is data driven, with quantitative performance improvement. | Quantitatively measured |
5 | Optimizing: The enterprise is focused on continuous improvement. | Optimizing |
Data Life Cycle
- Data capture
  - External acquisition
  - Data entry
  - Signal reception
- Data maintenance
- Data synthesis
- Data usage
- Data analytics
- Data publication
- Data archival
- Data purging
Records Management
- Federal, state, and local document retention requirements
- Requirements of the Sarbanes-Oxley Act of 2002
- Statute of limitation information
- Accessibility
- Records of records
Cyberattacks
- Copyright infringement
- Denial of Service (DoS)
  - Distributed Denial of Service (DDoS)
    - Internet of Things (IoT)
    - Botnet
- Buffer overflow attacks
- Password attacks
  - Brute force attacks
  - Intrusion-detection systems
- Phishing
- Malware
  - Spyware
  - Bot
  - Zombie
  - Ransomware
- Pay-per-click abuse
- Social engineering
  - Dumpster diving
Defenses Against Cyberattack
- Encryption
- Ethical hackers
  - Intrusion testing
  - Penetration testing
  - Vulnerability testing
- Advanced firewalls
  - Packet filtering
    - Packets
  - Next Generation Firewalls
Access Controls
Logical Access Controls
- To restrict data access to authorized users only (two of the following!)
  - Something you know
    - Mother's maiden name
  - Something you are
    - Biometrics
  - Something you have
    - Token
- Two-factor authentication
- Other user access considerations
  - Automatic locking or logoff policies
  - Logs of all login attempts, whether successful or not
  - Accounts that automatically expire
Physical Access Controls
- Walls and fences
- Locked gates and doors
- Manned guard posts
- Monitored security cameras
- Guard dogs
- Alarm systems
- Smoke detectors and fire suppression systems
- Physical access
  - Card access
  - Biometric