Governance (NIST)

"...downtime is bad, but data loss will get you fired" - Bill Turner (Privacy, Data protection, & Cybersecurity FIP, CIPM, CDSPE, CIPT, CHPC, C|CISO, CIPP /US /G /C)

What are some Data Governance Standards?
"Data Governance (DG) is the process of managing the availability, usability, integrity and security of the data in enterprise systems, based on internal data standards and policies that also control data usage."

"According to the Data Governance Institute (DGI), it is a practical and actionable framework to help a variety of data stakeholders across any organization identify and meet their information needs."

What does good Data Governance look like?
"The key focus areas of data governance include availability, usability, consistency, data integrity and data security." (Source)

What is the difference between Data Management and Data Governance?
"Data Governance involves managing how data is accessed and handled within a larger data management strategy, down to access granted to specific users and compliance protocols. Data Management entails the implementation of tools, processes and architectures that are designed to achieve your company's objectives."

Who is responsible for Data Governance?
"Having established the fact that data is a strategic asset owned by the corporation, three roles (or their equivalent) are typically defined: Data Owners, Data Stewards and Data Custodians. These staff members play a critical role in governing data, in collaboration with other members within their organization." (Jan 19, 2012)

  • "Data Owners are either individuals or teams who make decisions such as who has the right to access and edit data and how it's used."

  • "Data Stewards are responsible for utilizing an organization's data governance processes to ensure fitness of data elements - both the content and metadata. Data Stewards may share some responsibilities with Data Custodians."

  • "Data Custodians are assigned specific data management responsibilities by Data Stewards. Data Custodians typically will control access rights to data he or she manages. Data Custodians implement controls to ensure the integrity, security, and privacy of the data."

6 Steps to a Good Risk Assessment Process...

  1. Identify Your Company's Risks. Consider what you define risk to be.

  2. Create Your Company's Risk Library.

  3. Identify Your Risk Owners.

  4. Identify the Controls to Mitigate & Reduce Risks.

  5. Assess Risk Potential and Impact.

  6. Revisit Annually.


What is NIST compliance?
"Generally speaking, NIST guidance provides the set of standards for recommended security controls for information systems at federal agencies. In many cases, complying with NIST guidelines and recommendations will help federal agencies ensure compliance with other regulations, such as HIPAA, FISMA, GDPR, or SOX." (Oct 5, 2020)

What are the five functions described in the NIST Framework?
"The five Functions included in the Framework Core are: Identify, Protect, Detect, Respond, Recover." (Note: Veeam should be a component of this framework: VBR, Veeam One, VAO)

Is NIST compliance mandatory?
"Compliance with National Institute of Standards and Technology (NIST) standards is mandatory depending on the industry in which an organization conducts business. NIST is only mandatory for all United States federal agencies as of 2017. The private sector consumption and use of the NIST framework is voluntary." (Nov 5, 2019)

What is NIST 800 series?
"The NIST 800 Series is a set of documents that describe United States federal government computer security policies, procedures and guidelines. The publications can be useful as guidelines for enforcement of security rules and as legal references in case of litigation involving security issues."

  • NIST 800-53 - "NIST SP 800-53 defines the standards and guidelines for federal agencies to architect and manage their information security systems. It was established to provide guidance for the protection of agency's and citizen's private data." (Jun 17, 2020)

  • NIST 800-60 - "NIST SP 800-60 addresses the FISMA direction to develop guidelines recommending the types of information and information systems to be included in each category of potential security impact. ... National security systems store, process, or communicate national security information."

  • NIST 800-209 - "In order to address this gap, NIST is releasing Draft Special Publication (SP) 800-209, Security Guidelines for Storage Infrastructure, which includes comprehensive security recommendations for storage infrastructures." (Jul 21, 2020)

The NIST Cybersecurity Framework

The Role Of Data Governance In An Effective Compliance Program

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure - (OMB)

Note: SEC 17a-4(f), CFTC 1.31(d), FINRA, and other regulations

SEC 17a-4

HIPAA CFR 164.306, CFR 164.308

  • Does not specify duration of patient health info or backup retention

  • Required: Ensure data integrity, protect against threats, reduce risk

  • Required: Procedures to create retrievable copies and to restore lost data

  • Addressable: Periodic testing of contingency plans


  • MA Organization must keep records for ten years

State regulations
Specify timelines for patient health information retention

  • NY: “Medical records shall be retained…for a period of at least six years from the date of discharge or three years after the patient's age of majority (18 years), …or at least six years after death.”

  • CA: “Patient records shall be preserved for a minimum of seven years following discharge of the patient, except unemancipated minors…kept at least one year after the age of 18 years, in any case not less than seven years.”

  • PHI exists in EMR and other clinical systems: backups are there to restore those systems. Without PHI purges, last night’s backup has the same records as a backup from one year ago.