Currently, the scale of China's digital economy has reached 50.2 trillion yuan, accounting for 41.5% of the country's GDP (source: China's Digital Economy Development Report (2022) released by the National Cybersecurity Administration). The formation of the scale of the digital economy is inseparable from the process of data governance for the valorization of 'data'. At the same time, the development of the digital economy has also brought corresponding security issues, and the state has issued a series of laws and regulations such as the Cybersecurity Law and the Data Security Law to standardize the governance of data security in the process of valorization.
Data governance and data security governance have become important issues that must be faced by all industries in the process of digital transformation. However, many people are not clear about the boundaries and differences between these two concepts. The following will analyze 'data governance' and 'data security governance' from multiple dimensions such as concepts, similarities and differences, and relationships, to facilitate a better understanding of these two concepts.
Data governance

The concept of data governance was first proposed internationally by the Data Governance Institute (DGI), with the definition being: Data governance is a system that implements decision-making authority and division of responsibilities through a series of information-related processes. It is a comprehensive data governance framework aimed at achieving efficient utilization and maximum value of data through standardized data management, improved data quality, and protection of data security.
The Data Management Association (DAMA) is one of the important organizations and authoritative institutions in the field of data management, and its definition of data governance is as follows: Data governance is the collection of activities that exercise power and control over data asset management, which is the core of various data management and guides the execution of all data management functions.
The concept of data governance is explicitly defined in the 'Information Technology Service Governance' in China: Data governance is the collection of related control activities, performance, and risk management activities related to data resources and their application process.
The 'Data Management Capability Maturity Model' (DCMM) defines data governance as: The process of processing, formatting, and standardizing data. As one of the eight core capability domains of data management maturity assessment, data governance is assessed on three capability items: organization, system, and communication.
By integrating the explanations and definitions of data governance from various international and domestic institutions and standards, we can summarize it as: The goal of data governance is to enhance data value, which is the foundation for organizations to implement their digital transformation strategy. It consists of a management system and a technical system, including organization, system, process, technology, and supporting tools.
Data security governance
Since the concept of 'data security governance' was proposed, many institutions have more often proposed the concepts and methodologies of data security governance rather than providing a clear definition. For example:
● Gartner's data security governance framework suggests that data security governance cannot be merely a product solution that integrates various data security tools. Instead, it needs to penetrate the entire organizational structure from top to bottom, cover all personnel in the organization, form a consensus among all staff on the goals of data security governance, and take appropriate management and technical measures to effectively protect the full lifecycle security of organizational data.
● Microsoft's DGPC data security governance framework believes that data security governance needs to focus on the three core areas of personnel, processes, and technology, and collaborate with existing security frameworks (usually the integration of existing management systems) to achieve the security governance goals of privacy, confidentiality, and compliance.
● In July 2021, the China Academy of Information and Communications Technology released the 'Data Security Governance Practice Guide (1.0)', explaining data security governance from both a broad and narrow perspective in line with China's national conditions:
Broadly speaking:
Data security governance is a set of activities jointly participated in and implemented by relevant departments at the national level, industry organizations, research institutions, enterprises, and individuals under the guidance of the national data security strategy, aiming to create a good environment for the whole society to jointly maintain data security and promote development.
Narrowly speaking:
Data security governance refers to a set of activities carried out in collaboration by multiple departments under the guidance of the organization's data security strategy, ensuring that data is effectively protected and legally utilized.
In light of the explanations, methodologies, and conceptual interpretations of data security governance by various parties, let's understand data security governance from the perspective of objectives: Data security governance is a set of activities centered around data, aiming to protect its confidentiality, integrity, and availability.
Analysis of similarities and differences
Although both the fields of 'data governance' and 'data security governance' involve the management and protection of data, there are some differences in terms of objectives, methods, and responsibilities.
Differences in goals
The main goal of data governance is to ensure the quality, accuracy, completeness, and reliability of organizational data to meet the organization's decision-making and business needs. Data governance involves aspects such as data collection, storage, processing, analysis, and sharing, aiming to maximize the value of data; while the main goal of data security governance is to protect the confidentiality, integrity, and availability of organizational data to prevent data from being illegally obtained, tampered with, or destroyed. Data security governance involves aspects such as the formulation of security policies, the implementation of security controls, and the response to security events, aiming to ensure the security of organizational data.
Differences in methods
The main methods of data governance include data standardization, metadata management, data quality management, and data architecture management. Through these methods, organizations can manage data in a standardized manner to ensure the accuracy and consistency of data. The main methods of data security governance, by contrast, include identity authentication, access control, encryption technology, etc. Through these methods, organizations can encrypt data and control permissions on it to prevent illegal access and tampering.
Differences in responsibilities
In an organization, data governance is usually the responsibility of data administrators or data quality experts, who collect, analyze, and manage organizational data and ensure that data meets standards and specifications; data security governance is usually the responsibility of full-time data security experts, who formulate security policies, implement security measures, and monitor security events to ensure the security of organizational data.
The relationship between the two
Data governance is to ensure the accuracy, completeness, and reliability of data, while data security governance is to protect these data from being destroyed or leaked. Therefore, in the process of implementing data governance, it is necessary to consider the factors of data security to ensure that data is not accessed or attacked maliciously. Conversely, in the process of implementing data security governance, it is also necessary to consider the factors of data governance to ensure that data can be managed and used correctly.
In addition, data governance and data security governance complement each other. In the process of implementing data governance, it is necessary to classify and integrate data to improve the value and utilization efficiency of data; while in the process of implementing data security governance, different security measures need to be taken for different types of data to protect the core assets of the organization from threats. Therefore, data governance and data security governance can promote each other and improve the organization's management and protection capabilities for data.
Data governance and data security governance are two indispensable aspects of an organization, and they are closely connected with each other. Which of the two an organization prioritizes in the process of digital transformation reflects, in terms of the value each generates, how the organization prioritizes data value against data security. However, ensuring the security of data is one of the necessary conditions for maximizing the value of data, and the value generated by securing data is based on the value of the data itself. Value and security should be balanced and unified. Therefore, data governance and data security governance also need to achieve balance and unity.
