A Guide to Data Governance for Privacy, Confidentiality, and

A Guide to Data Governance for Privacy,
Confidentiality, and Compliance
Part 3: Managing Technological Risk
March 2010
Javier Salido, MSc, MBA, CIPP
Senior Program Manager, Trustworthy Computing Group, Microsoft Corporation
Patrick Voon, CGEIT, CISA, CISSP
Senior Governance, Risk, and Compliance Subject Matter Expert, Edgile Inc.
The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This whitepaper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of
Microsoft.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2010 Microsoft Corp. All rights reserved.
Microsoft is a registered trademark of Microsoft Corp. in the United States and/or other countries. The names of actual companies
and products mentioned herein may be the trademarks of their respective owners.
Microsoft Corp. • One Microsoft Way • Redmond, WA 98052-6399 • USA
Contents
Executive Summary ............................................................................................................................. 1
The Whitepaper Series ........................................................................................................................ 2
Introduction........................................................................................................................................ 4
Information Lifecycle ........................................................................................................................... 5
Technology Domains ........................................................................................................................... 7
Managing Risk with the Risk/Gap Analysis Matrix ................................................................................ 10
Threat Modeling ................................................................................................................................ 14
Conclusion ........................................................................................................................................ 18
Glossary of Terms ............................................................................................................................. 19
Appendix: Example Risk/Gap Analysis Matrix ...................................................................................... 21
References ....................................................................................................................................... 25
1
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Executive Summary
The past decade has produced an unprecedented accumulation of data. Organizations in general and business
models in particular increasingly rely on confidential data such as intellectual property, market intelligence, and
customers’ personal information. Maintaining the privacy and confidentiality of this data, as well as meeting the
requirements of a growing list of related compliance obligations, are top concerns for government
organizations and enterprises alike. Addressing these challenges requires a cross-disciplinary effort involving a
varied list of players—human resources, information technology, legal, business units, finance, and others—to
jointly devise solutions that address privacy and confidentiality in a holistic way. Data governance is one such
approach that addresses many aspects of data management, including information privacy and security as well
as compliance.
This is the third whitepaper in the series titled “A Guide to Data Governance for Privacy, Confidentiality, and
Compliance.” In it, we examine the core data governance capabilities related to technology:

We briefly examine the concept of the information lifecycle as well as the four categories of products
and technologies— what we call technology domains—that can be used to implement privacy and
confidentiality measures.

We discuss how these ideas can be combined with the data privacy and confidentiality principles
discussed in the first paper in this series to enable threat modeling and risk analysis for privacy,
confidentiality, and compliance. The tool we use is the Risk/Gap Analysis Matrix.

In the appendix, we provide a scenario and an example of how the Risk/Gap Analysis Matrix can be
used to identify privacy, confidentiality, and compliance threats and address the gaps.
2
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
The Whitepaper Series
This whitepaper series aims to answer some key questions that IT managers, security officers, privacy officers,
and risk management officers are asking about how to approach the combined challenges of information
security and privacy and the associated regulatory compliance obligations.
In its broadest form, data governance is an approach that public and private entities can use to organize one
or more aspects of their data management efforts, including business intelligence (BI), data security and
privacy, master data management (MDM), and data quality (DQ) management. This series describes the basic
elements of a data governance initiative for privacy, confidentiality, and compliance and provides practical
guidance to help organizations get started down this path.
The series is meant for organizations of all sizes and for those with regional as well as global focus. Some
might already have an effective IT governance process and information security management system in place,
as well as successful privacy and risk management efforts. Some might just be getting started.
At Microsoft, we believe that in order to deal effectively and efficiently with data confidentiality and privacy
challenges, organizations must adopt a proactive stance, one in which they hold themselves accountable for:

Appropriately protecting the security of customers’ and employees’ personal information, as well as
the organization’s intellectual property and trade secrets

Respecting, preserving, and enforcing customer choice and consent throughout the information
lifecycle, particularly when it comes to deciding how personal information is used and distributed
within and outside the organization
In approaching data privacy and security, organizations should consider the following:


1
Taking a holistic approach to data privacy and security needs as well as related regulatory and internal
compliance requirements. This approach to the planning and implementation of data privacy and
security brings together a range of participants. They could include groups and individuals that:
o
Own business processes that generate, collect, and use data
o
Have specific charters with respect to confidential data, such as the chief privacy officer, the legal
department, and the IT department
Augmenting approaches that focus on mere compliance with “the letter of the law” by implementing
and enforcing data privacy and security measures based on generally accepted principles, 1 state-ofthe-art industry best practices, and self-regulation measures that go beyond mere compliance with
regulations and standards.
Organisation for Economic Co-operation and Development, “OECD Guidelines on the Protection of Privacy and Transborder Flows
of Personal Data,” www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html. American Institute of Certified
Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA), “Generally Accepted Privacy Principles,”
http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles.
3
A Guide to Data Governance for Privacy, Confidentiality, and Compliance

Augmenting prevailing IT privacy and security paradigms—which address threats by restricting access
to data and keeping it from “escaping” well-defined boundaries2—by evaluating threats to confidential
data at different stages of the information lifecycle. This approach helps organizations identify
technical and nontechnical measures that can reduce security and privacy risks to acceptable levels.
The first paper in the series analyzes the data privacy and security challenges that organizations face today,
including an increasingly complex regulatory environment. It also looks at the concept of data governance and
how it can complement ongoing efforts within the organization.
The second paper looks at two of the core capability areas that an organization must develop as part of a data
governance for privacy, confidentiality, and compliance (DGPC) initiative: People and Process.
This paper analyzes the third and final core capability area: Technology. Specifically:
2

It discusses a simple threat modeling technique that can help organizations identify threats against
data security and data privacy as well as threats of noncompliance in specific data flows.

It shows how threats that have been identified can be analyzed and matched against protective
measures that are currently in place, enabling the organization to identify residual risks and determine
appropriate measures to manage them.

These techniques are intended to complement existing measures implemented within the
organization’s control framework (such as COBIT or an information security management system).
Weitzner, Abelson, Berners-Lee, Feigenbaum, Hendler, and Sussman, “Information Accountability,” Massachusetts Institute of
Technology CSAIL Technical Report, June 2007, http://dspace.mit.edu/bitstream/handle/1721.1/37600/MIT-CSAIL-TR-2007034.pdf?sequence=2.
4
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Introduction
In the first paper in this series, “A Guide to Data Governance for Privacy, Confidentiality and Compliance: Part
1: The Case for Data Governance,” we advocate a DGPC approach for organizations to meet today’s data
security and privacy challenges.
Figure 1 shows the three core capability areas of the DGPC framework: People, Process, and Technology. Each
area comprises specific capabilities that, when implemented successfully, contribute to the desired outcomes.

People: The organization and roles and responsibilities involved in an effective DGPC effort

Process: How the different roles in the DGPC effort come together to manage risk related to data
privacy and confidentiality and define appropriate policies

Technology: Analysis tools for evaluating risks and the technical and manual controls and
technologies for mitigating those risks
Figure 1. Data governance for privacy, confidentiality, and compliance (DGPC) core capability areas and outcomes.
The first two core capability areas were discussed in the second paper in this series, “A Guide to Data
Governance for Privacy, Confidentiality, and Compliance: Part 2: People and Process.” In this paper, we discuss
the third core capability area: Technology. The Technology core capability area consists of three components:
the information lifecycle, the technology domains, and the Risk/Gap Analysis Matrix. Understanding these
5
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
components can help organizations translate DGPC requirements into technical controls and capabilities and
manage risk in their information flows.
Information Lifecycle
Selecting technical controls and activities to effectively protect confidential data requires:

An understanding of how information flows throughout an organization over time

Knowledge of how information is accessed and processed at different stages, by multiple applications
and people and for various purposes
The concept of the information lifecycle is helpful in understanding these requirements. Figure 2 illustrates the
information lifecycle and its phases.
Figure 2. The information lifecycle.
Collect: Most organizations collect data in multiple ways: in person, by mail, from partners, or through
transactions via network and system connections. Information must be classified appropriately, and measures
to address security (for instance, use of two-factor authentication and SSL) and privacy (i.e., providing
adequate notice and capturing user privacy choices and consent) must be taken.
Update: The organization’s data is typically updated several times during its lifecycle. Multiple challenges are
associated with safeguarding the integrity of data. Repeated updates (whether manually or in batch form),
human error, and malicious activity can all compromise the integrity and accuracy of information.
Process: As information becomes easier to share and transmit, it is more frequently subject to processing or
use by multiple applications and people, including third parties. Organizations should ensure that only
authorized individuals can access confidential data, and they should enforce strict conditions for taking data
6
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
outside the organization (such as on a laptop). On the privacy side, organizations should enforce user choice
and consent in a manner that is consistent with organizational policy and with laws and regulations.
Furthermore, data processing generates audit information that includes details such as how the original data
was used, when it was accessed, and by whom. All of the controls applied to the original data should also be
applied to audit data. For example, access to logs that contain security event records must be protected
against tampering.
Delete: With data storage becoming less expensive every day, many organizations conclude that spending
time deciding which records to delete is more costly than simply keeping it all. However, this practice fails to
consider potential liabilities associated with retaining confidential data after it has outlived its usefulness.
Organizations can reduce their exposure to the risk of data breaches by defining a finite lifespan for
confidential data and enforcing policies for its automatic deletion or secure archiving. Lean data retention
practices also offer the added incentive of reduced environmental impact.
Storage: The task of protecting confidential data might seem relatively straightforward when that data is
stored in a single database server inside the datacenter. The effort is far more complex, however, when the
information is moved outside the datacenter—to a database on a laptop, for example—or when it is stored in
unstructured form such as in an e-mail or a text document.
Transfer: As data is copied or removed from storage as part of a transfer, a new information lifecycle begins.
Organizations should place as much emphasis on security and privacy for data that is being transferred as they
do for the original dataset. This requires understanding the transfer vehicles (private network, the Internet,
storage media sent by courier, and so on) as well as their inherent risks. (For example, media sent by courier
or postal mail can be lost or stolen, so it should be encrypted, just like data transferred over the Internet.) It
also requires understanding how the recipient organization’s policies, systems, and practices might differ from
those of the current keepers of the data. (For example, is the recipient a third party with an approved
contract? Do they have the same security capabilities and processes as the current keepers of the data? If not,
should something be done to the data before it is transferred?)
Individuals and departments sometimes run reports or extract subsets of data from centralized databases for
processing—often using desktop data-mining and analysis tools that generate reports and datasets in the form
of document files and spreadsheets. These files can also easily be transferred as e-mail attachments or saved
to laptops, handheld smart devices, or USB drives. Given that more than 60 percent of data breaches in 2009
were attributed to lost or stolen laptops or media, such data transfer practices should be of concern to
organizations.3
3
DataLossDB, http://datalossdb.org.
7
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Technology Domains
The four technology domains shown in Figure 3 offer a frame of reference for evaluating whether the
technologies that protect data confidentiality, integrity, and availability are sufficient to bring risk down to
acceptable levels.
Figure 3. The four DGPC technology domains.
Secure Infrastructure
Safeguarding confidential information depends fundamentally on a secure technology infrastructure—one that
protects computers, storage devices, operating systems, applications, and the network against malicious
software and hacker intrusions as well as rogue insiders. A combination of preventive and detective controls
should be used to secure all IT infrastructure components. For example, anti-virus technology and regular
software patches and updates should be implemented at the server, computer, device, and application layers
of the IT infrastructure.4
Creating a more secure infrastructure starts with creating applications and using products and services that are
built from the ground up with security in mind. One way to achieve this is to use a set of strong internal
4
Microsoft Forefront TechCenter, http://technet.microsoft.com/en-us/forefront/default.aspx.
8
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
security design and development practices, such as Microsoft’s Security Development Lifecycle (SDL).5 The SDL
is a rigorous process of secure design, coding, testing, review, and response for software that will be deployed
in an enterprise setting, handle confidential data, or regularly communicate via the Internet. The SDL helps
remove security vulnerabilities and minimize the “attack surface” for malicious software and intruders.
Microsoft has also published the Microsoft Privacy Guidelines for Developing Software Products and Services,6
which offer guidance on creating user notification and consent procedures, providing sufficient data security,
facilitating user access, and supplying controls when developing privacy-friendly software products and Web sites.
Identity and Access Control
Identity and access management (IAM or IdM) technologies help protect personal information from
unauthorized access while facilitating its availability to legitimate users. They include authentication
mechanisms to verify identity and to ensure that only valid users can connect to an organization’s systems;
access controls that determine which resources and data a user is allowed to use and in what ways; and
provisioning systems and management technologies that help organizations manage user accounts across
multiple systems and with partners they trust.
IAM technologies enable organizations to manage user identities, credentials, and access rights from creation
through retirement—the complete lifecycle. They help automate and centralize identity lifecycle processes and
tools. From a compliance perspective, IAM capabilities enable an organization to accurately track and enforce
user entitlements across the enterprise, based on defined policies. For instance, when employees leave the
organization, the IAM system can automatically disable their access to all of the target systems in a timely
manner, according to employment termination policies. IAM capabilities also allow for the integration and
management of strong authentication technologies such as smart cards and digital certificates.7
Information Protection
As confidential data is shared within and across organizations, it requires persistent protection from
interception and viewing by unauthorized parties. Organizations must ensure that their databases, document
management systems, and practices correctly classify and safeguard confidential data throughout the lifecycle.
Critical capabilities include the following:

5
Classifying data and files. Effective protection of confidential data is dependent on accurate
classification of that data. Organizations must therefore define a data classification policy and scheme,
as discussed in the first paper in this series. In the case of unstructured information, technology tools
Microsoft Security Development Lifecycle, www.microsoft.com/security/sdl/default.aspx.
6
Microsoft Privacy Guidelines for Developing Software Products and Services,
http://download.microsoft.com/download/0/8/2/082448D8-2AED-45BC-A9A0094840E9E3A2/Microsoft_and%20Privacy_guidelines_for_developers.doc.
7
Microsoft Identity and Access Management series, http://technet.microsoft.com/en-us/library/cc162924.aspx.
9
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
available today can classify files based on their content and location, thus making it easier to protect
them.8

Protecting information through encryption. Supported by strong identity and access controls,
data encryption can help safeguard all types of confidential information stored in databases; saved on
mobile devices, laptops, and desktop computers; and transferred via e-mail and across the Internet.
Use of encryption greatly reduces the risk of a harmful data breach resulting from an intruder break-in
or a lost or stolen computer or mobile device.

Protecting data throughout the information lifecycle. Organizations can apply rights
management technologies to desktop productivity, e-mail, and line-of-business applications to control
how the information is used throughout its lifecycle. 9 They can restrict access to internal documents
and prevent certain users from printing them, forwarding them outside the organization, or copying
and pasting text. Users can also apply document retention policies that cause certain content to
“expire” after a set amount of time and thereafter be accessible only to the document’s creator and
the designated data recovery agents.
Organizations can use data loss/leak prevention (DLP) solutions to identify, monitor, and protect data
throughout the lifecycle using automatic deep content analysis. Core components of these solutions include
centralized management, discovery of defined information, usage monitoring, and protection from policy
violations. DLP solutions can be integrated with rights management technology to persistently protect and
securely share confidential data, based on content and user identity. 10
Auditing and Reporting
To comply with internal policies, government regulations, and consumer demands for better control over
confidential data, organizations can use technologies for systems management and monitoring and for
automation of compliance controls. Such technologies are useful for verifying that system and data access
controls are operating effectively and for identifying suspicious or noncompliant activity. They can also help
ease the systems administration burden and reduce troubleshooting planning. More recently, these tools have
begun to include additional capabilities that help in these areas:
8

Harmonizing compliance requirements across IT processes11

Selecting activities that enable automation of data governance compliance and produce proof of that compliance

Detecting and reporting on misplaced data by performing routine sweeps using automatic file
classification
File Classification Infrastructure, www.microsoft.com/fci.
9
Active Directory Rights Management Services (ADRMS), http://technet.microsoft.com/en-us/library/cc771627.aspx; ADRMS Bulk
Protection Tool for integration with File Classification Infrastructure,
www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc-6f160ab809cd#tm.
10
Data loss prevention (DLP), http://technet.microsoft.com/en-us/magazine/2008.11.desktopfiles.aspx?=blog#id0080002,
www.rsa.com/node.aspx?id=3615.
11
Compliance Solution Accelerators, http://technet.microsoft.com/en-us/solutionaccelerators/dd229342.aspx.
10
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Managing Risk with the Risk/Gap Analysis Matrix
The Risk/Gap Analysis Matrix is the most critical component in the Technology core capability area because it
combines the information lifecycle and the technology domains described above with the data privacy and
confidentiality principles that were discussed in the first paper in the series. 12 It provides a means to evaluate
gaps in the measures that have been taken to protect data against privacy, confidentiality, and compliance
threats and to manage residual risks in the context of a specific data flow.
This focus on identifying gaps in a specific data flow complements the organization’s use of a control
framework or information security management system to define protective measures across the organization
and the IT infrastructure.
The Risk/Gap Analysis Matrix:

Provides a unified view of existing and proposed protection and compliance technologies, measures,
and activities within the information lifecycle

Allows for comparison of those technologies and activities against protection and compliance
requirements, through the use of the four data privacy and confidentiality principles
This concept is depicted in Figure 4.
Figure 4. Risk/Gap Analysis Matrix.
12
“A Guide to Data Governance for Privacy, Confidentiality, and Compliance: Part 1: The Case for Data Governance.”
11
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
The matrix should be used during the risk assessment process that occurs in the Manage DGPC Control
Environment core process,13 to document existing controls that apply in each area and compare them to the
appropriate requirements to find potential gaps. Note that each of the first four columns in the matrix
represents one of the four technology domains, while the rightmost column represents nontechnical control
activities that must take place to meet the requirements of the four principles at each phase of the information
lifecycle. By following the analysis process shown in Figure 5, an organization can determine gaps in existing
DGPC measures and select corrective actions.
Figure 5. Risk/gap analysis process.
13
For more information on risk management, see the “Risk Management” section in the References list at the end of this paper.
12
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
These are the five stages in the process:
1.
Establish a context for analyzing the risks and associated threats the organization faces with this data
flow:
a. Clearly define the business purpose of the data flow.
b. Identify privacy, security, and compliance objectives for the flow. This step should not be too
difficult because the main objectives and requirements should largely be determined by the four
data privacy and confidentiality principles14 in combination with the harmonized set of
requirements obtained as a result of the Manage DGPC Requirements process described in the
second paper in this series.15
2.
Identify the potential threats and related risks associated with the people, processes, and technology
involved throughout the information lifecycle. This can be done through the use of threat modeling
techniques. A good example is the Microsoft SDL Threat Modeling Tool, which can be found at the
Security Development Lifecycle Web site.16 Note, however, that most threat modeling techniques focus
on security threats only. Such tools should be complemented with appropriate techniques to detect
non-security-related privacy threats and threats of noncompliance. We discuss threat modeling further
in the following section.
3.
Analyze the risks involved. The organization probably has already taken some steps to ensure the
security and privacy of the data involved. For instance, some of the controls prescribed by the
organization’s control framework and/or the information security management system might cover
some or all of the needs for this particular flow. To complete this step, organizations must pre-fill the
Risk/Gap Analysis Matrix with information about existing technologies and activities that support the
aforementioned controls. That is:
a.
For each cell in the matrix, determine which current activities and technologies support
compliance with each of the four privacy and confidentiality principles (as shown earlier in
Figure 4). Write those technologies and activities in the corresponding cell.
i. Do existing information protection and compliance measures honor the organization’s policies
for confidential data?
ii. Do existing measures minimize the risk of unauthorized access or misuse of confidential data?
iii. Do existing measures minimize impact in case of a breach or loss of confidential data? Are
appropriate incident response plans in place?
iv. Do existing logging and monitoring procedures accurately document the effectiveness of
current information protection policies and measures?
14
“A Guide to Data Governance for Privacy, Confidentiality, and Compliance: Part 1: The Case for Data Governance,” and later in
this section.
15
“A Guide to Data Governance for Privacy, Confidentiality, and Compliance: Part 2: People and Process.”
16
Microsoft SDL Threat Modeling Tool, www.microsoft.com/security/sdl/getstarted/threatmodeling.aspx.
13
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
b. For each cell in the matrix, determine whether the current technologies and activities are enough
to satisfy each of the four principles. If not, evaluate the residual risk.
i.
What is the exposure, the impact, and the probability that each risk will materialize?
4.
Determine the mitigation measures needed to bring each risk to an acceptable level for the
organization. In the appropriate cells in the matrix, write in the additional technologies and activities
that are necessary to implement the mitigation measures, and evaluate the cost/benefit of each. This
step will conclude when the team decides whether and how each identified risk will be mitigated,
transferred, or assumed.
5.
Evaluate the effectiveness of the measures that have been deployed, and reinitiate the cycle if
unacceptable risks still exist.
Table 1. Mapping the Risk/Gap Analysis Process to the Deming Cycle
Deming Cycle
Risk/Gap Analysis Process
Plan
Steps 1, 2, and 3
Do
Step 4
Check
Step 5
Act
Initiate a new cycle
17
The Deming PDCA Cycle, http://en.wikipedia.org/wiki/PDCA.
The whole process should also be reinitiated
periodically and every time the data flow changes,
to ensure that no new threats and risks have
materialized.
For readers familiar with the Plan-Do-Check-Act
(PDCA) cycle for problem solving—the Deming
cycle17—Table 1 shows a mapping between PDCA
and the phases of the process depicted earlier in
Figure 5.
14
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Threat Modeling
The term threat modeling has many uses in information and communications.18 In this paper, we use the term
to designate a technique for determining requirements for data privacy, confidentiality, and compliance. Our
objective is to identify potential threats to data privacy and confidentiality, which can then be analyzed and
managed. There are only two steps to take:

Diagramming—creating a graphical representation of the data flow.

Threat enumeration—a systematic analysis of the diagram created in the previous step, to look for
threats to data privacy and confidentiality.
As shown in Figure 6, we have embedded the two threat modeling steps in the second step of the risk/gap
analysis process, “Identify (model) potential threats.”
Diagramming
Threat
Enumeration
Figure 6. Threat modeling in the risk/gap analysis process.
Note that step 1—Establish a context for analysis—establishes an understanding of the overall business and
technical requirements and a context for the data flow that is being analyzed. This is different from step 1 of
18
Shostack, Adam, “Experiences Threat Modeling at Microsoft,” 2008, http://blogs.msdn.com/sdl/archive/2008/10/08/experiencesthreat-modeling-at-microsoft.aspx.
15
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
threat modeling—Diagramming—which creates a detailed graphical representation of the data flow and the
relevant systems.
The term threat in this context is not limited to attackers or technical threats; it can refer to anything that
might violate any of the four data privacy and confidentiality principles. The following sections offer a general
description of the two threat modeling steps.
Diagramming
Multiple techniques can be used for diagramming. Microsoft product teams and our consulting services
organization typically use data flow diagrams (DFDs) with the addition of “trust boundaries.” A trust boundary
is a border that separates business entities and/or IT infrastructure realms, such as networks or administrative
domains. Every time confidential data crosses a trust boundary, basic assumptions about security, policies,
processes, and practices—or all of these combined—might change, and with them the threats that will be
identified in the next step. Note that in the diagramming step, the modeled entities will typically represent
systems rather than individual processes. For a detailed description of the use of DFDs and trust boundaries in
threat modeling, see Microsoft’s IT Infrastructure Threat Modeling Guide.19
Threat Enumeration
Once the diagram is ready and all trust boundaries have been identified, the next step is enumerating potential
threats against privacy and confidentiality using the four data privacy and confidentiality principles and
identifying threats that might affect the integrity of each one. Here are the four principles, each followed by
examples of threat types.20
Principle 1: Honor policies throughout the confidential data lifespan


Choice and consent (collection, use, and disclosure)
o
Inadequate notice of data collection, use, disclosure, and redress policies.
o
Unclear or misleading language or processes for the user to follow in choosing and providing
consent for the collection and use of personal information.
Individual access and correction
o

Accountability
o
19
20
Limited or nonexistent means for users to verify the correctness of their personal information.
Lack of necessary controls to enforce customer choice and consent, as well as other relevant
policies, laws, and regulations, including data classification.
Microsoft’s IT Infrastructure Threat Modeling Guide, http://technet.microsoft.com/en-us/library/dd941826.aspx.
For a more detailed list of technical and nontechnical questions that allow comparison to industry best practices, see the
Application Privacy Assessment questionnaire available in the Guidance section of www.microsoft.com/privacy/datagovernance.
16
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Principle 2: Minimize risk of unauthorized access or misuse of confidential data


Information protection
o
Lack of reasonable administrative, technical, and physical safeguards to ensure confidentiality,
integrity, and availability of data.
o
Unauthorized or inappropriate access to data.
Data quality
o
Lack of means to verify accuracy, timeliness, and relevance of data.
o
Lack of means for users to make corrections as appropriate.
Principle 3: Minimize impact of confidential data loss

Information protection
o

Insufficient safeguards (i.e., strong encryption) to ensure confidentiality of data if it is lost or
stolen.
Accountability
o
Lack of a data breach response plan and an escalation path.
o
System does not encrypt all confidential data.
o
Adherence to data protection principles cannot be verified through appropriate monitoring,
auditing, and use of controls.
Principle 4: Document applicable controls and demonstrate their effectiveness

Accountability
o

Plans, controls, processes, or system configurations are not properly documented.
Compliance
o
Compliance cannot be verified or demonstrated through existing logs, reports, and controls.
o
Lack of a clear noncompliance escalation path and process.
o
Lack of a breach notification plan. Lack of other response plans that are required by law.
We can use these threat types as a starting point to identify specific threats to the flow. Careful examination of
the flow and the trust boundaries that were identified in the diagramming stage is essential. As noted earlier,
all sorts of assumptions can change when a flow crosses a trust boundary. Looking at the information lifecycle
described earlier in this paper, we can see that trust boundaries typically appear in transitions between phases.
For example, the transition to the transfer phase almost invariably involves crossing a trust boundary. (Is the
information going to a third party? Is there an appropriate contractual relationship with that party? Will the
organization have to encrypt the information while it is in transit?) Other transitions, such as that from
processing to updating, might or might not cross a trust boundary but will still require protective measures. (Is
user choice preserved appropriately when data is updated? Can unauthorized access to the data be identified
through the use of logs?)
17
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Some of the threat types are present under more than one principle. The reasons for this might be clear in the
case of threats to “Information Protection” and not so clear in the case of threats to “Accountability.” Here is
the explanation of the second case:

The first and fourth data privacy and confidentiality principles use the term accountability in the same
sense as the OECD’s privacy principles21 and the Generally Accepted Privacy Principles22—namely, that
the organization should hold itself accountable for complying with its own data privacy and security
principles, policies, and procedures, and adherence should be verified through appropriate monitoring.

The term takes on a different meaning in the third principle, which emphasizes data security. Here it
refers to the idea expressed by Weitzner et al. in “Information Accountability.”23 The authors of that
technical report point out that information security has traditionally focused on restricting access to
information by unauthorized parties (internal or external), generally keeping data from “escaping the
boundaries” of the organization. They suggest that this approach should be complemented by systems
and protective measures for monitoring appropriate use of data and making sure that individuals or
groups who misuse data are held accountable whenever possible. The report and its proposals
encompass the whole of the Internet, but their suggestions can and should be applied in many cases
to a single organization’s data resources.
The appendix to this paper shows a fully filled-out Risk/Gap Analysis Matrix for a sample data flow. To keep
the example simple and to facilitate understanding of the concepts discussed, we have used a diagram based
on the information lifecycle rather than the DFD diagrams that were suggested earlier in this section.
Organizations are encouraged to build on techniques and methods already in use in their IT department, or to
consider the references provided later in this paper.
21
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Organisation for Economic Co-operation
and Development, www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.
22
Generally Accepted Privacy Principles, American Institute of Certified Public Accountants (AICPA) and Canadian Institute of
Chartered Accountants (CICA), http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles.
23
“Information Accountability,” Weitzner, Abelson, Berners-Lee, Feigenbaum, Hendler, and Sussman, Massachusetts Institute of
Technology CSAIL Technical Report, June 2007, http://dspace.mit.edu/bitstream/handle/1721.1/37600/MIT-CSAIL-TR-2007034.pdf?sequence=2.
18
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Conclusion
In this paper, we introduced the Risk/Gap Analysis Matrix, a tool that can be used to complement existing
protective and compliance measures based on the control framework used by the organization, such as COBIT
or an information security management system. The matrix helps identify threats and residual risks in specific
data flows—valuable information that can be used to improve protections and manage risk. The basic building
blocks of the matrix are:

The information lifecycle, which describes the six phases of data during its lifetime and can be used to
understand how data flows through the organization.

The four technology domains, which provide a means to classify the IT products and technologies that
can be used to protect the privacy and security of an organization’s confidential data.

The four data privacy and confidentiality principles, which are detailed by the data governance
organization. These principles guide the organization’s efforts to protect the privacy and security of
confidential data and to meet related compliance obligations.
19
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Glossary of Terms
accountability In the context of privacy, the principle that an organization should be responsible for complying
with measures that give effect to its privacy principles and policies. In the context of data security, this principle
refers to the implementation of controls, technologies, and processes that enable the organization to make
privacy and security transgressors accountable for their actions.
assertion Statement made by an organization describing a component of the business.
attestation Auditor statement/opinion as to whether an assertion is true.
authority document Any document containing control requirements applicable to an organization, including
but not limited to governance, standards, and contractual requirements.
control activity (CA) Any activity that helps with validation if a control objective (CO) is met and provides
guidance on how to achieve that CO. The validation could be manual assertion/signoff or automated using
various strategies such as checking to see if a policy exists, if configuration complies with policy, if the audit event
stream meets certain requirements, or if a set of properties of some managed entities meets constraints.
control failure The measured failure of a major CO through observation by an auditor, with major
repercussions to the organization.
control objective (CO) A goal statement designed to reduce or eliminate risk or meet one or more
requirements. It is a breakdown, translation, and harmonization of high-level requirements in the authority
documents.
corrective action The action of implementing a remedy to fix a discovered incident or problem affecting control
compliance.
data governance The exercise of authority, control, and shared decision making (planning, monitoring, and
enforcement) over the management of data assets.24
data protection The management of personal information. In the United States, privacy is the term used in
policies, laws, and regulations. However, in the European Union and other countries, the term data protection
often identifies privacy-related laws and regulations.25
data steward A business leader or subject matter expert who is accountable for 1) the identification of
operational and business intelligence data requirements within an assigned subject area, 2) the quality of data
names, business definitions, and domain values within an assigned subject area, 3) compliance with regulatory
requirements and conformance to internal data policies and data standards, 4) application of appropriate security
controls, 5) analyzing and improving data quality, and 6) identifying and resolving data-related issues.
24
25
The DAMA Dictionary of Data Management, 1st Edition, 2008.
IAPP Information Privacy Certification: Glossary of Common Privacy Terminology, International Association of Privacy
Professionals (IAPP), 2006.
20
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
GRC Governance, risk management, and compliance.

Governance ensures that the business focuses on core activities, clarifies who in the organization has
the authority to make decisions, determines accountability for actions and responsibility for outcomes,
and addresses how expected performance will be evaluated. All of this happens within a clearly defined
context that might span a division, the entire organization, or a specific set of cross-discipline functions.

Risk management is a systematic process for identifying, analyzing, evaluating, remedying, and
monitoring risk. As a result of this process, an organization or group might decide to mitigate a risk,
transfer it to another party, or assume the risk along with its potential consequences.

Compliance generally refers to actions that ensure behavior that complies with established rules as well
as the provision of tools to verify that compliance. It encompasses compliance with laws as well the
enterprise’s own policies, which in turn can be based on best practices. Compliance requirements are not
static, and compliance efforts should not be either.
personal data Any and all data that relates to an identifiable individual.26
personal information Any information that 1) relates to an individual and 2) identifies or can be used to
identify the individual. Such information may include an individual’s name, postal address, e-mail address,
telephone number, Social Security number, or other unique identifier.
personally identifiable information (PII) Any information that can be traced to a particular individual.
Usually a set of identifiable information is identified through an identification block of data, such as a name,
mailing address, phone number, Social Security number, or e-mail address. Personal user preferences tracked by
a Web site via a cookie are also considered personally identifiable when linked to other personally identifiable
information provided by a user online.
privacy The appropriate use of personal information under the circumstances. What is appropriate will depend
on context, law, and the individual’s expectations. Privacy also refers to the right of an individual to control the
collection, use, and disclosure of personal information.
risk management Managing a situation or project so that minimum loss or damage will result if the risk
materializes.27
sensitive personal information/sensitive data The 1998 EU Directive distinguishes between ordinary
personal data, such as name, address, and telephone number, and sensitive personal data, such as racial or
ethnic origin, political opinions, religious beliefs, trade union membership, health, sex life, and criminal
convictions. Under the act, the processing of sensitive data is subject to stricter conditions.26
threat modeling As used in this series of whitepapers, a technique for analysis and determination of threats
against security, privacy, and compliance.
26
Ibid.
27
The DAMA Dictionary of Data Management, 1st Edition, 2008.
21
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Appendix: Example Risk/Gap Analysis Matrix
Scenario: A mid-level marketing company acquires sales lead information from a data provider on a biweekly
schedule. The dataset contains Name, Address, Phone, Employment, Salary, and Social Security number (SSN)
and is intended for distribution to the sales force. The sales force accesses this information through a third
party, a Customer Relationship Management system that hosts both the data and the application on its own
servers. Salespeople use the information to call potential customers and try to sell the company’s products.
The company has adopted the following data security and privacy principles:
1.
Honor policies throughout the lifespan of the data.
a.
b.
c.
Collect/use only the information that is needed for a specific business purpose.
Distribute customer data only to employees who need it for business purposes related to their job.
Strive to ensure data integrity, confidentiality, and availability at all times.
2.
Minimize risk of data misuse.
3.
Minimize impact of data loss.
4.
Demonstrate effectiveness of the protection controls.
A simple model of the information lifecycle for this flow is shown in Figure 7. The DGPC team for this company
identifies the controls for each technology domain as well as the manual controls required to address the
threats and risks to their data security and privacy principles. The results are documented in the Risk/Gap
Analysis Matrix shown after the figure. Gaps are highlighted in bold red text.
The matrix reveals that most of the weaknesses are in the Information Protection, Auditing and Reporting, and
Manual Controls domains. The company does not have encryption capabilities and lacks adequate audit
alerting and reporting capabilities. Further, the root causes of the gaps appear to be related to a lack of
manual or process-related controls.
Figure 7. Real-world information lifecycle scenario.
22
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
DGPC Risk/Gap Analysis Matrix
Information
Secure
Identity & Access
Information
Auditing &
Manual
Lifecycle
Infrastructure
Control
Protection
Reporting
Controls
Collect
Purchase
sales lead
data from
third party.
Download to
staging file.
 Ensure that data
is correctly
classified and
appropriately
tagged
(sensitivity and
compliance,
appropriate
uses).
 Restrict access to
download process
and staging file to
authorized
personnel.
 Use SSL
 Encrypt
staging file.
 Log download or
creation of file; send
alert to sales and
marketing leads.
 Create alerts for
access to process
outside appropriate
context (time, day,
geographic
location); log
access to file and
process.
 Ensure that
third-party
contracts are
in place and
current.
 Monitor
collection
process.
 Create summary
report of access,
use, and
modification of
batch scripts and
file.
Update
Reconcile
new dataset
with existing
Do Not Call
list. (Remove
records
based on
DNC list.)
Eliminate
unnecessary
data fields.
 Secure staging
environment
against malware;
ensure that apps
are patched.
 Restrict access to
reconciliation jobs to
authorized
personnel.
 Encrypt
reconciled
staging file.
 Log status of job run;
send result to
sales/marketing leads.
 Delete data
that is not
required for
business
purposes.
 Create alerts for
access to process
outside of appropriate
context (time, day,
geographic location);
log access to file and
process.
 Eliminate
unnecessary
information
(i.e., do not
include birth
date if all we
need to know
is whether
customer is
over 18).
 Create summary
report of access,
use, and
modification of
batch scripts and
file.
 Document
procedures to
manage
reconciliation
process.
 Document
roles and
responsibilities
to manage
reconciliation
process.
 Monitor
reconciliation
process.
23
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Information
Secure
Identity & Access
Information
Auditing &
Manual
Lifecycle
Infrastructure
Control
Protection
Reporting
Controls
 Secure
environment
against malware;
ensure that apps
are patched.
 Base access to
CRM database on
user role.
 Secure
communication
channel.
 Log status of Data
Manipulation
Language (DML) batch
job and integrity
checks; report to
sales/marketing leads.
 Define
policies and
use standard
procedures
for data
manipulation.
 Create alerts for
access to process
outside of appropriate
context (time, day,
geographic location);
log access to file and
process.
 Periodically
review and
update
policies for
data
manipulation.
Process
Manipulate
data fields to
align with
Customer
Relationship
Management
(CRM)
system
database
structure, for
upload.
 Run integrity
checks.
 Create summary
report of access,
use, and
modification of
batch scripts and
file.
Delete
Delete the
staging file
upon
completion
of CRM
upload.
 Securely wipe
deleted file;
follow data
retention
policies.
 Restrict
authorization of file
deletion to
authorized
personnel.
 Securely
wipe
deleted file;
follow data
retention
policies.
 Log status of deletion
and report to leads.
Create appropriate
alerts for access to
deletion process
outside appropriate
context.
 Create summary
report matching
each execution of
deletion process to
corresponding
download file;
highlight
discrepancies.
 Monitor data
manipulation
processes.
 Define data
retention
policies and
use standard
deletion
procedures.
 Periodically
review and
update
policies for
data
retention.
 Monitor
deletion
process.
24
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
Information
Secure
Identity & Access
Information
Auditing &
Manual
Lifecycle
Infrastructure
Control
Protection
Reporting
Controls
 Restrict access to
run data transfer job
to authorized
personnel.
 Secure
(encrypt) data
feed to
receiving
system.
Transfer
Transfer data
 Third-party
to a third party
secure
that hosts the
infrastructure
organization’s
requirements are
CRM
specified
application.
contractually
Third party
will provide
selected data
to the
organization’s
sales force
based on
individual
sales
performance.
 Restrict receipt of
data to
authenticated and
authorized
personnel/ systems.
 Perform
integrity
checks on file
transfers.
 Require use of
disk volume
encryption on
sales force
laptops.
 Require use
of disk
volume
encryption
in the thirdparty
provider’s
servers
containing
customer
information.
 Log status of data
feed job and integrity
checks; report to
leads.
 Log status of data
feed job and integrity
checks; send alerts to
marketing personnel.
 Create summary
report matching
each transfer to
corresponding date
and download file;
clearly highlight
discrepancies.
 Third-party CRM
provider to produce
regular report on
individual
salesperson’s
access to and
download of
customer data.
 Define
transfer
policies and
use standard
transfer
procedures.
 Periodically
review and
update
policies for
data
transfers.
 Establish clear
contractual
relationship
and service
level
agreement
with thirdparty CRM
provider;
periodically
review and
update.
 Monitor
transfer
process.
Storage
See Collect,
Update,
Process, and
Delete.
 Secure staging
server; update
patches and virus
signatures.
 Secure CRM
database server;
update patches
and virus
signatures.
 Update patches
and virus
signatures in
sales force
laptops.
 Store identity
credentials and
entitlements in a
secure database.
 Encrypt
staging file.
 Keep maintenance log
of staging server.
 Encrypt PII
on CRM
database.
 Keep maintenance log
of CRM database
server.
 Run data
loss
protection
tools and
take
appropriate
action.
 Keep maintenance log
of sales force laptops.
 Define secure
storage
requirements
and
implement
them in the
supporting
infrastructure.
 Periodically
review and
update secure
storage
requirements.
25
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
References
Active Directory Rights Management Services: http://technet.microsoft.com/en-us/library/cc771627.aspx
Active Directory Rights Management Services Bulk Protection Tool for integration with File
Classification Infrastructure:
www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=f9fbe58f-c175-41d0-afdc6f160ab809cd#tm
BitLocker Drive Encryption: http://technet.microsoft.com/en-us/library/dd548341(WS.10).aspx
Compliance Solution Accelerators: http://technet.microsoft.com/en-us/solutionaccelerators/dd229342.aspx
The DAMA Dictionary of Data Management, 1st Edition, 2008,
www.dama.org/i4a/pages/index.cfm?pageid=3345
DataLossDB: http://datalossdb.org
Data loss prevention (DLP): http://technet.microsoft.com/enus/magazine/2008.11.desktopfiles.aspx?=blog#id0080002, www.rsa.com/node.aspx?id=3615
Deming PDCA Cycle: http://en.wikipedia.org/wiki/PDCA
File Classification Infrastructure: www.microsoft.com/fci
Generally Accepted Privacy Principles, American Institute of Certified Public Accountants (AICPA)
and Canadian Institute of Chartered Accountants (CICA),
http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles
IAPP Information Privacy Certification: Glossary of Common Privacy Terminology, International
Association of Privacy Professionals (IAPP), 2006,
https://www.privacyassociation.org/images/uploads/CIPP%20Privacy%20Glossary_0909.pdf
“Information Accountability,” Weitzner, Abelson, Berners-Lee, Feigenbaum, Hendler, and
Sussman, Massachusetts Institute of Technology CSAIL Technical Report, June 2007,
http://dspace.mit.edu/bitstream/handle/1721.1/37600/MIT-CSAIL-TR-2007-034.pdf?sequence=2
Microsoft Forefront TechCenter: http://technet.microsoft.com/en-us/forefront/default.aspx
Microsoft Identity and Access Management series: http://technet.microsoft.com/enus/library/cc162924.aspx
Microsoft Privacy Guidelines for Developing Software Products and Services:
http://download.microsoft.com/download/0/8/2/082448D8-2AED-45BC-A9A0094840E9E3A2/Microsoft_and%20Privacy_guidelines_for_developers.doc
Microsoft Security Development Lifecycle: www.microsoft.com/security/sdl/default.aspx
26
A Guide to Data Governance for Privacy, Confidentiality, and Compliance
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,
Organisation for Economic Co-operation and Development,
www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html
Risk management:

Information Risk Analysis Methodology (IRAM),
https://www.securityforum.org/services/publictools/publiciram

Risk Management Guide for Information Technology Systems, National Institute of Standards and
Technology, U.S. Department of Commerce, http://csrc.nist.gov/publications/nistpubs/800-30/sp80030.pdf

Standard AS/NZS 4360:2004,
http://infostore.saiglobal.com/store/Details.aspx?docn=AS0733759041AT
Threat modeling:

“Experiences Threat Modeling at Microsoft,” A. Shostack, Microsoft, 2008,
www.homeport.org/~adam/modsec08/Shostack-ModSec08-Experiences-Threat-Modeling-AtMicrosoft.pdf

Microsoft’s IT Infrastructure Threat Modeling Guide, http://technet.microsoft.com/enus/library/dd941826.aspx

Open Web Application Security Project (OWASP), www.owasp.org/index.php/Threat_Risk_Modeling