Mitigating Risk for Information Technology

The risk management plan to deal with the situation for this particular assignment is two-fold in nature. Specifically, it is designed to account for the external breach of the company based on its information technology security. Additionally, it must encompass critical facets of data governance which can rectify the weak access-control policies that were taken advantage of for an internal breach.
As such, the risk-management policy will address both of these issues holistically through a comprehensive approach that considers data management and data governance in a way that encompasses security measures. The resulting governance mechanisms that are advocated as part of this policy should unequivocally reduce the risk of data breaches, both internally and externally. It is important to understand just how effective data governance can ameliorate the two security issues described in this assignment prior to formalizing it as part of this risk-management policy.
Data governance is a long-term program for data management that offers formal accountability for the rules, roles and responsibilities required for sustainable and orderly access to data as an organization-wide asset. At a high level, then, it is necessary to create a data governance council consisting of both domain experts and upper-level management to determine the policies needed to prevent data breaches and to manage data in an orderly way.
It is also vital to assign data stewards to ensure that the policies determined are readily enforced; typically stewards should include members of both the IT department and the business. With regard to the unauthorized access of data in the internal breach for this assignment, the aforementioned council and stewards are responsible for ensuring that data is accessible on a need-to-know basis that is codified not only by one's business or organizational domain, but also by one's particular job function.
At the implementation level, there are a number of governance tools and vendor solutions that can facilitate this sort of role-based access -- which is a hallmark of effective data governance, whether information is stored internally or externally, on an organization's physical premises or in the cloud.
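The need-to-know rule described above keys access on two attributes at once, the requester's business domain and their job function, and the traceability the paper asks for means every decision should be recorded. The following is an added example (not code from the paper or from any vendor solution it alludes to) showing a minimal access check of that shape with an audit trail that stewards can review. The employees, datasets, classification levels and the policy table are all constructed for illustration.

```python
# Added example: need-to-know access check keyed on business domain and job
# function, with an audit log of every decision. All names, roles and the
# policy table below are constructed; a real deployment would load the policy
# from the governance council's approved source and write the log to a
# tamper-evident store.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Employee:
    user_id: str
    domain: str        # business domain, e.g. "finance"
    job_function: str  # role within that domain, e.g. "analyst"


@dataclass(frozen=True)
class DataSet:
    name: str
    domain: str           # domain that owns the data
    classification: str   # "public", "internal" or "confidential"


# Ordering of classification levels: higher means more sensitive.
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2}

# Policy table (constructed): (domain, job_function) -> operation -> highest
# classification that operation may touch. Anything absent is denied.
POLICY = {
    ("finance", "analyst"): {"read": "confidential", "write": "internal"},
    ("finance", "clerk"): {"read": "internal"},
    ("marketing", "analyst"): {"read": "internal"},
}


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


def check_access(emp, ds, operation, log):
    """Decide whether emp may perform operation on ds; append the decision to log."""
    if emp.domain != ds.domain:
        # Rule 1: data stays within the domain that owns it.
        decision = AccessDecision(False, "cross-domain access is not need-to-know")
    else:
        # Rule 2: within the domain, the job function sets a per-operation ceiling.
        ceiling = POLICY.get((emp.domain, emp.job_function), {}).get(operation)
        if ceiling is None:
            decision = AccessDecision(False, f"job function has no {operation} right")
        elif CLASSIFICATION_RANK[ds.classification] > CLASSIFICATION_RANK[ceiling]:
            decision = AccessDecision(False, f"{ds.classification} exceeds {ceiling} ceiling")
        else:
            decision = AccessDecision(True, "within domain and job-function ceiling")

    # Traceability: who touched what, how, and whether it was allowed.
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": emp.user_id,
        "dataset": ds.name,
        "operation": operation,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def denied_events(log):
    """Subset of the audit log a data steward would review first."""
    return [e for e in log if not e["allowed"]]


if __name__ == "__main__":
    log = []
    ledger = DataSet("customer_ledger", "finance", "confidential")
    print(check_access(Employee("u1", "finance", "analyst"), ledger, "read", log))
    print(check_access(Employee("u2", "finance", "clerk"), ledger, "read", log))
    print(check_access(Employee("u3", "marketing", "analyst"), ledger, "read", log))
    for event in denied_events(log):
        print(event["user"], event["dataset"], event["reason"])
```

The two rules are deliberately evaluated in order: a domain mismatch is denied before the policy table is consulted, so a missing or over-broad table entry can never grant cross-domain access by accident.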
Moreover, some of the more competitive governance solutions also offer a degree of traceability and data lineage so that it is possible to discern who has accessed what data, what changes they made to it, and even what actions they took next from the same computer. Again, these solutions also offer portals so that IT professionals can have an oversight layer of data governance to view what data employees are accessing and how, which can greatly mitigate the risk of internal breaches due to unauthorized data access.
The data governance policies and procedures outlined in this risk-management policy will also extend to the way that data is protected from internal threats as well. Once those roles, responsibilities and rules are determined and a governance solution is deployed that facilitates role-based access (which is the crux of this risk-management policy), it is necessary to extend that governance to external security issues.
It is perhaps most advantageous to address the confidentiality of potentially sensitive financial customer data via mechanisms that can preserve that data in the event of an external breach before addressing the means of breach itself. There are numerous methods for protecting this data and making it unusable to those who do manage to breach an organization's external defenses. Encryption, masking, and tokenization are all valid means of rendering data unreadable to anyone who lacks the means to transform the protected form back into the original data (Harper, 2014).
Redaction technologies can also augment security by removing sensitive data from certain repositories without altering data that is less sensitive. Finally, the last aspect of the risk-management policy would involve utilizing a cloud data provider to store the sort of sensitive and potentially identifiable data that a company holds. There are numerous security benefits to doing so, including the fact that the company is, in essence, outsourcing part of its information technology security.
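To make the masking, tokenization and redaction named above concrete, here is an added example (not from the paper or from Harper, 2014) that applies all three to a constructed customer record: the account number is replaced by a random token held in a separate vault, a masked form is kept for display, and a field that no downstream consumer needs is redacted outright. The vault is an in-memory stand-in; a production vault would sit in its own access-controlled store, and encryption of the vault contents is assumed to happen there and is not shown.

```python
# Added example: masking, tokenization and redaction of a customer record.
# The record, field names and vault are constructed for illustration.
import copy
import secrets


class TokenVault:
    """In-memory tokenization vault: random tokens stand in for real values.

    Tokens carry no information about the value, so a copy of a tokenized
    dataset is useless without the vault. Assumed here to be protected
    separately (access control plus encryption at rest)."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value):
        # Same value always maps to the same token, so joins still work.
        if value in self._token_by_value:
            return self._token_by_value[value]
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token):
        """Recover the original value; raises KeyError for an unknown token."""
        return self._value_by_token[token]


def mask_account(value, visible=4, fill="*"):
    """Keep only the last `visible` digits, e.g. for a customer-facing screen."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) <= visible:
        return fill * len(digits)
    return fill * (len(digits) - visible) + digits[-visible:]


def redact(record, sensitive_fields):
    """Return a copy of record with the named fields removed entirely."""
    cleaned = copy.deepcopy(record)
    for name in sensitive_fields:
        cleaned.pop(name, None)
    return cleaned


def protect_record(record, vault, redact_fields=("ssn",)):
    """Tokenize the account number, add a masked display form, redact extras."""
    out = copy.deepcopy(record)
    out["account"] = vault.tokenize(record["account"])
    out["account_display"] = mask_account(record["account"])
    return redact(out, redact_fields)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; not real customer data.
    customer = {"id": 17, "name": "A. Example", "account": "4111 1111 1111 1234",
                "ssn": "000-00-0000", "balance": 120.50}
    safe = protect_record(customer, vault)
    print(safe)
    print("original recovered:", vault.detokenize(safe["account"]))
```

Note the division of labour: the tokenized record can be stored, replicated or handed to an analytics team without exposing the account number, while only the vault (and therefore only the roles granted access to it under the governance policy) can reverse the transformation. Masking is one-way by design, and redaction removes the field rather than transforming it.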
Not only do cloud service providers routinely utilize the sort of security measures denoted in the previous paragraph of this document, but they oftentimes have the sort of physical security measures that can surpass that of enterprises with less technological and monetary resources to devote to such a cause. According to Harper (2014), "Oftentimes, cloud service providers have their own security measures related to access and fortifying the physical environment in which the data actually resides once moved to the cloud." Thus, it is.