Your company holds a lot of data in digitized format. Some of that information relates to contracts and business processes. Your competition would like to get hold of those details. Other data on your system records personal details of employees, customers, and sometimes suppliers. You particularly need to prevent access to this information because there are legal requirements that expect you to protect this category of data. The loss of income that legal action would cause could close down your enterprise.
So, you need to protect all of the data on your system – that means information about how you do business and information about others. In the case of your business records, you also need to protect it from destruction. Data governance is the method that you use to keep information secure.
There are three categories of threats to the data on your system:
- Outsider intrusion
- Insider theft
- Corruption or destruction
We get into a lot of detail on data governance and the tools we include below, but in case you are short of time, here is our list of the best data governance tools:
1. SolarWinds Access Rights Manager (FREE TRIAL) Controls document and resource access.
2. ManageEngine ADAudit Plus (FREE TRIAL) Manages log files and produces standards compliance audits.
3. Smartsheet Data governance project templates.
4. SENF Locates sensitive data.
5. N-able Cove Data Protection For data discovery, backup, and recovery.
6. BlackBerry Unified Endpoint Management Secures access to applications and data on all endpoints, including mobile devices.
7. SolarWinds Security Event Manager (FREE TRIAL) Collects and manages log files, protecting them against tampering.
8. OSSEC An intrusion prevention system.
9. Symantec Data Loss Prevention Protects data from theft.
Data controls
Although your IT system is a very efficient automatic data processor, the way organizations store the information that feeds into it can be very haphazard. You will be surprised to learn that you probably do not know where all of your data is held.
When you move towards a data governance policy, you first need to locate all instances of your data. You should decide whether to centralize all data or leave it in distributed locations. Either way, you need to back it up. You should create a backup strategy that decides the frequency of copying, whether those copies should be made available live, stored as versions of files, or used as replacements of existing backups, and what recovery procedures you should implement. You should decide where those backups are kept and you need to ensure that they are secure.
Once you have gotten your data protection in place, you need to work out how data is going to be made available to employees, exactly who should be able to see it, who can change it, who can delete it, and who can copy it.
You also need to decide how long you should keep each category of data and how you should securely retire it.
Data loss protection vs data continuity vs data stewardship vs data governance
The section above outlines the tasks you need to perform in order to manage the data in your business. However, there are several terms that describe these responsibilities.
The protection of data from theft is called “data loss protection.” The backing up and recovery of data is called “business continuity.” “Data stewardship” is the practice of ensuring that no one is able to use the information that you store for purposes other than the explicit needs of your business. “Data governance” covers all of these data management processes.
A priority of data governance is to recognize the value of data. That is not just its value to you and your business, but also the value that it could have to others.
The value of data protection measures lies in the cost to the business of paying compensation to individuals should it be stolen and abused for malicious purposes. Another cost of data disclosure is the effect of legislation. Your business can be fined or shut down by the government if you don’t protect the data held about other businesses and private individuals. You and key employees could be imprisoned, and you could all be banned from holding positions of responsibility.
Loss of reputation is another potential cost of data loss and lack of correct data governance. Conversely, effective data governance assures trust in your brand, enhances your business’s reputation, and strengthens the enterprise’s money-making potential.
Implementing data governance
Data governance is implemented by tools. You should put in place automated procedures to manage your data and secure it rather than expecting a technician to implement the strategy manually. However, there are many variables within each task that need to be set. So, you will need to make a lot of decisions upfront about how you implement your data governance policy.
The key deliverable for data governance is a policy document. This should outline all of the requirements of the data management system that will be put into place. You will decide on the goals and time horizons for each area of management.
Examples of the type of decisions that you need to make include the number of “days data” that your company could afford to lose. This will dictate the frequency of backups. You should write out a policy for each category of the data that your company holds:
- Financial data
- Operational transaction data
- Business reference information (contracts and plans)
- Personally identifiable information
Your obligations for each type of data are different. You should also identify the data security standards that are relevant to your industry and domicile.
Data governance policy
The actual document that you will produce in your strategy phase is the data governance policy. A key point in this document is the definition of user roles for each category of data. First, you need to nominate a Chief Information Officer (CIO) and the technicians and administrators who will be in charge of implementing the data governance policy. This team is called the Data Governance Board and will carry out the work to create, refine, and implement the data governance policy.
Identify the job types that need to have data access. Each should have access rights to see, create, amend, or delete data. Keep in mind that sensitive data will be held in documents and databases. The usage of each should be guided by applications, such as document management systems and data access screens – ensuring that no one gets direct access to data and that all actions that operate on your data stores are logged.
The exact steps that you need to implement data governance depend greatly on the type of data that your business handles. Create a project library for your governance policy, start off with an overview definition, and work down to more and more details. The Data Governance Institute proposes the following project framework:
Rules and Rules of Engagement
- Mission and Vision
- Goals, Governance Metrics and Success Measures, and Funding Strategies
- Data Rules and Definitions
- Decision Rights
- Accountabilities
- Controls
People and Organizational Bodies
- Data Stakeholders
- A Data Governance Office
- Data Stewards
Processes
- Proactive, Reactive, and Ongoing Data Governance Processes
Data governance implementation
The implementation of a data governance policy is called “data management.” The strategy needs to be integrated into day-to-day working practices and should be a specific process. The Data Governance Board will continue to monitor the effectiveness of the policy and make adjustments accordingly.
Your data management task will fall into the following categories:
- Data discovery
- Access rights management
- Access logging and log management
- Intrusion prevention
- Standards compliance auditing
- Data backup strategy
- Data recovery strategy
For each of these tasks, you will need an automated tool. You are unlikely to find a single data management tool that you like and that effectively performs all of the processes that you will need to implement. Look for a blend of separate tools that you can organize into your own data management suite.
Data management tools
Our methodology for selecting a data governance tool
We reviewed the market for services that enable you to supervise data privacy compliance and analyzed options based on the following criteria:
- Activity logging
- Sensitive data management
- User account management
- Log auditing facilities
- Compliance reporting automation
- A free trial or a demo package that provides a try-before-you-buy opportunity
- Good value for money that provides GRC functions and can be integrated into system monitoring tools
With these selection criteria in mind, we identified a shortlist of governance tools that can be tailored to track compliance with specific standards.
You can read more about these tools in the following sections.
1. SolarWinds Access Rights Manager (FREE TRIAL)
SolarWinds Access Rights Manager will give you a report of your current user community and the permissions granted to each person.
Key Features:
- Data loss prevention
- Active Directory auditing
- Reset security settings
- Access permissions controls
- Compliance reporting
This is your starting point for the user management aspect of the data governance strategy. Once you have defined clear user groups, assigned individual accounts to groups, and set the permissions for each, you can implement that new policy through the Access Rights Manager.
The tool monitors Active Directory, Microsoft Exchange, Windows File Share, and SharePoint. The reporting module includes auditing for GDPR, HIPAA, and PCI DSS compliance. The software installs on Windows Server and you can get it on a 30-day free trial.
Pros:
- Provides a clear look into permission and file structures through automatic mapping and visualizations
- Preconfigured reports make it easy to demonstrate compliance
- Any compliance issues are outlined after the scan and paired with remediation actions
- Sysadmins can customize access rights and control in Windows and other applications
Cons:
- SolarWinds Access Rights Manager is an in-depth platform designed for sysadmins, which may take time to fully learn
EDITOR’S CHOICE
SolarWinds Access Rights Manager is our top pick for a data governance tool because it offers controls over user accounts and resource permissions, which is the basis of data protection. User access management is an essential part of data protection and activity tracking can’t be implemented without accurate user definitions. Tightening account password policies reduces the risk of account takeover, which can be a major threat to data security. The ability to link activity to user identities aids in accurate logging and helps to reduce the risk of data theft. Compliance reporting is provided by templates for specific data privacy standards.
Download: Get a 30-day free trial
Official Site: https://www.solarwinds.com/access-rights-manager/registration
OS: Windows Server
2. ManageEngine ADAudit Plus (FREE TRIAL)
ManageEngine ADAudit Plus is a useful tool for implementing SOX, HIPAA, PCI DSS, FISMA, GDPR, and GLBA compliance. The “AD” in the name of the tool explains that this security system focuses on Active Directory. The tool monitors your AD implementation, logging any access to the permission database and backing up changes so that they can be reversed.
Key Features:
- Prevent unauthorized AD changes
- Permissions assessment
- Access rights tightening
- File integrity monitoring
The dashboard for the tool displays alerts every time permissions are changed or user records are added or deleted. ADAudit Plus logs can be archived and stored for three years, making them available to the tool’s reporting and auditing utility.
This tool installs on Windows and is available in both free and paid editions. You can get a 30-day free trial of the Professional edition.
Pros:
- Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc.)
- Supports multiple domains, great for large enterprises
- Supports delegation for NOC or helpdesk teams
- Allows you to visually view share permissions and the details of security groups
Cons:
- Has a steeper learning curve than similar tools
3. Smartsheet
Smartsheet is a team project library application. The tool includes template forms that are specifically written for data governance. You set a project mission and then follow through many layers of forms, assigning tasks with deadlines to different team members or groups.
Key Features:
- Adaptable online forms
- Library for compliance checklists
- Assignable tasks
The environment also includes planning utilities, such as critical path analysis and timeline estimates.
Smartsheet isn’t just a data governance planning tool. You can use it to manage any project that your company takes on once the data governance project has been settled. It can even be used as a Help Desk management system. You can get a 30-day free trial of Smartsheet that will give you the opportunity to see the different business functions that it could support.
Pros:
- Designed specifically for data governance
- Offers many customization options
- Features solid team collaboration tools
- Dual-purpose, can use for managing other projects
Cons:
- Very manual process, would like to see more examples and templates for new users
- Can be tough to use without planning or guidance
4. SENF
When you implement your data governance policy, your first task will be to locate all of the data on your system. If you hold personally-identifiable information, you will find SENF useful.
Key Features:
- Sensitive data locator
- Pattern searches
- Easy to manage
The program performs a system search for data format patterns, such as credit card numbers and social security numbers. The results report gives you the locations of these data instances.
“SENF” stands for “Sensitive Number Finder.” It is a free tool that was developed by the University of Texas at Austin’s Information Security Office – they still maintain and develop the program. SENF runs on Windows, Linux, Mac OS, and Unix. The software was available on a GitHub repository but has been removed since this article was first published.
Pros:
- Free to use
- Supports cross-platform functionality across Windows, Linux, and Mac OS
- Is easy to launch and doesn’t stress system resources
Cons:
- Fairly limited in what it can do proactively
- Compared to newer tools, SENF is outdated in terms of functionality
- Was removed from GitHub, can be hard to find
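To show what a pattern-based sensitive number finder of the kind described above actually does, here is an added example (written for this article, not SENF's own code). It scans constructed sample files for credit card and Social Security number formats, uses a Luhn checksum to discard digit runs that merely look like card numbers, and reports only masked values so the report does not become another copy of the data.

```python
"""Minimal sensitive-number locator: credit card and SSN patterns with masked reporting."""
import re
from typing import Dict, List, Tuple

# Candidate patterns, constructed for this example (SENF's own rules are not reproduced).
# 13-16 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")
# AAA-GG-SSSS with the area/group/serial values the SSA never issues excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; most random 16-digit strings fail it, which cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, int, str]]:
    """Return (kind, line_number, masked_value) for every hit in one file's text."""
    hits: List[Tuple[str, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 16 and luhn_ok(digits):
                hits.append(("credit_card", lineno, "*" * (len(digits) - 4) + digits[-4:]))
        for m in SSN_RE.finditer(line):
            hits.append(("ssn", lineno, "***-**-" + m.group()[-4:]))
    return hits


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan a mapping of path -> contents; only files with at least one hit are reported."""
    report: Dict[str, List[Tuple[str, int, str]]] = {}
    for path, content in files.items():
        found = find_sensitive(content)
        if found:
            report[path] = found
    return report


# Constructed sample "files" standing in for a directory walk of the real system.
SAMPLE_FILES = {
    "hr/payroll.csv": "name,ssn\nAlice,123-45-6789\n",
    "sales/order.txt": "card 4111 1111 1111 1111 exp 12/29\n",   # well-known Visa test number
    "notes/random.txt": "ticket 1234567890123456 is not a card\n",  # 16 digits but fails Luhn
}

if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        for kind, lineno, masked in found:
            print(f"{path}:{lineno}: {kind} {masked}")
```

In a real deployment the mapping would be fed from a file-system walk, and the masked report is what goes into the data inventory; the unmasked matches never leave the scanner.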
5. N-able Cove Data Protection
The N-able Cove Data Protection service combines backup management software and the storage space – the company operates data centers around the globe.
Key Features:
- Data backup system
- Cloud storage
- Made for managed service providers
Cloud storage is the best solution for backup – keeping copies on your own site risks both the original and backup being destroyed by environmental events.
Data transfers are made quicker through compression. Data is protected by AES encryption, both in transit and in the cloud storage. Only your account has access to the decryption key, so even the data center staff is unable to read your records. The dashboard enables you to command data recovery to your site or to a different site. N-able offers a 30-day free trial of the Cove Data Protection service.
Pros:
- The interface is simple and easy to learn
- Designed with MSPs in mind, with multi-tenant features and reporting capabilities
- Scales well as a cloud-based application
- Can back up data from other cloud providers like OneDrive
Cons:
- N-able Cove Data Protection is a highly detailed tool designed for IT professionals and may take time to fully explore all features available
6. BlackBerry Unified Endpoint Management
Available for installation on site or as a Cloud service, this system manages mobile devices with Windows, macOS, iOS, Android, Windows Phone, and BlackBerry and also wearable devices and IoT equipment. You can configure devices en masse by device type or user function and create secure areas for corporate use on user-owned devices.
Key Features:
- Deployment options
- Endpoint configuration control
- Mobile device tracking
Different plans include different levels of functions. You can include mobile application management and mobile content management, which will protect the documents and data accessed from mobile devices. Other options include secure email, messaging, and collaboration software.
BlackBerry UEM can be assessed with a free trial.
Pros:
- Sleek, highly customizable interface
- Cross-platform support with Windows, Mac OS, Linux, Android, and iOS
- Available on-premise and as a cloud service
Cons:
- Would like to see more options for mobile security
- Message sync can delay emails
- Implementation is fairly complex when compared to similar solutions
7. SolarWinds Security Event Manager (FREE TRIAL)
Gathering event messages and storing them in log files is an essential task for data governance. You need to track all actions performed on data and store records of those events. You also need to ensure that intruders can’t cover their tracks by modifying the records in log files. The SolarWinds Security Event Manager performs all of these tasks.
Key Features:
- SIEM system
- Automated responses
- Data protection
The dashboard for the tool shows all log messages live as they travel to files. The data viewer includes analysis utilities. The tool includes pre-written report formats for auditing compliance with data protection standards. The Security Event Manager runs on Windows Server, but it is able to collect log messages arising from any operating system.
You can try SolarWinds Security Event Manager on a 30-day free trial.
Pros:
- Built with enterprise in mind, can monitor Windows, Linux, Unix, and Mac operating systems
- Supports tools such as Snort, allowing SEM to be part of a larger NIDS strategy
- Over 700 pre-configured alerts, correlation rules, and detection templates provide instant insights upon install
- Threat response rules are easy to build and use intelligent reporting to reduce false positives
- Built-in reporting and dashboard features help reduce the number of ancillary tools you need for your IDS
Cons:
- Feature dense – requires time to fully explore all features
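The section above requires that intruders cannot quietly modify log records. The page does not describe how the Security Event Manager achieves this, so the following is an added illustration of the general technique (a hash chain over log entries), written for this article and not taken from SolarWinds code. Each record carries a SHA-256 of the previous record's hash plus its own content, so any edit or deletion breaks every hash after it; the events are constructed samples.

```python
"""Tamper-evident log: a hash chain lets a verifier pinpoint the first altered entry."""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # constructed starting hash used before the first entry exists


def _digest(prev_hash: str, body: dict) -> str:
    """Hash the previous link together with a canonical JSON form of this entry's body."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_record(log: List[dict], event: dict) -> dict:
    """Append an event, linking it to the hash of the entry before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "event": event, "prev": prev_hash}
    entry = dict(body, hash=_digest(prev_hash, body))
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Optional[int]:
    """Return the seq of the first entry whose link or content no longer checks out, else None."""
    prev_hash = GENESIS
    for expected_seq, entry in enumerate(log):
        body = {"seq": entry["seq"], "event": entry["event"], "prev": entry["prev"]}
        if (entry["seq"] != expected_seq            # an entry was removed or reordered
                or entry["prev"] != prev_hash       # link to predecessor broken
                or _digest(prev_hash, body) != entry["hash"]):  # content rewritten
            return expected_seq
        prev_hash = entry["hash"]
    return None


def build_sample_log() -> List[dict]:
    """Constructed audit events standing in for messages collected from servers."""
    log: List[dict] = []
    for ev in [
        {"user": "alice", "action": "read", "object": "hr/payroll.csv"},
        {"user": "bob", "action": "delete", "object": "sales/order.txt"},
        {"user": "alice", "action": "logout"},
    ]:
        append_record(log, ev)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact, first broken entry:", verify_chain(log))     # None
    log[1]["event"]["user"] = "carol"   # someone rewrites who deleted the file
    print("after edit, first broken entry:", verify_chain(log))  # 1
```

Silently dropping the newest entries is not caught by the chain on its own; periodically recording the latest hash somewhere the log writer cannot alter (a separate write-once store) closes that gap.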
8. OSSEC
This open-source, free intrusion prevention system is owned by the cybersecurity company Trend Micro. The tool checks on details in log files and automatically takes action to block user accounts and transmission source IP addresses.
Key Features:
- Intrusion prevention system
- Detects malicious activity
- Community tips
The connection between a detected event and a remediation action is called a “policy.” It is possible to write these rules yourself. However, the active user community for the tool is a good source for pre-written policies. The community provides tips and tricks for OSSEC and you can buy a support package as an addition from Trend Micro.
OSSEC can be downloaded from GitHub and it runs on Unix, Linux, Mac OS, and Windows. There is no front end for this tool, but you can interface it with Kibana, Splunk, or Graylog.
Pros:
- Can be used on a wide range of operating systems, Linux, Windows, Unix, and Mac
- Can function as a combination SIEM and HIDS
- Interface is easy to customize and highly visual
- Community-built templates allow administrators to get started quickly
Cons:
- Requires secondary tools like Graylog and Kibana for further analysis
- Open-source version lacks paid support
9. Symantec Data Loss Prevention
Symantec Data Loss Prevention scans your system for sensitive data on installation. The software is driven by policies, which dictate the actions that the service will take on detection of unacceptable actions. These actions are all logged, which makes the auditing capabilities of the tool good for HIPAA, GDPR, and PCI DSS standards compliance.
Key Features:
- Spots malicious behavior
- Controls data access
- File copy tracking
Sensitive documents are encrypted and access to them is controlled by authentication. Copying, movement, and emailing of these files can be banned and you can fingerprint every copy when files are distributed, making it easy to detect the source of leaks. The system is also able, on command, to destroy files completely, leaving no traces on the device. The tool includes user tracking, which is useful if you need to investigate an account that has triggered an alert through suspicious activity.
Pros:
- Combines DLP with user activity tracking, giving it additional functionality
- Automatic scanning can map out sensitive locations where data is stored
- Offers pre-built templates and workflows for major compliance standards, offering good out-of-the-box functionality
- Supports file integrity monitoring through a fingerprinting system
Cons:
- Could integrate better with other Symantec tools
- Needs better Mac functionality