This virtual Working Session is the second of its kind for the Data Governance and Management (DGM) Profile, a resource under development to support the use of select NIST Frameworks together to address organizational data governance priorities. NIST’s Privacy Engineering Program (PEP) is hosting this event to receive input on the planned Profile.
The purpose of the Working Session is to:
- Gather feedback on the scope, approach, and roadmap for the Profile
- Prioritize data governance and management activities and examine their relationship to privacy and cybersecurity risk management
- Hear from a range of organizations about their DGM-related priorities and whether a phased approach, leveraging the Privacy Framework (PF) and Cybersecurity Framework (CSF) first and adding a mapping to the Artificial Intelligence Risk Management Framework (AI RMF) after the expected release of its new version, could support them in creating, assessing, or improving their data governance postures
- Identify existing resources, standards, and efforts relevant to DGM
The Working Session will build on stakeholder feedback received at the previous “Ready, Set, Update! Privacy Framework 1.1 + DGM Profile” Workshop, at Working Session 1, and through other channels. Prior attendance at a DGM event is not required to attend Working Session 2. The NIST team looks forward to hearing your thoughts on these topics. Register now!
For more information, visit the NIST Privacy Framework’s DGM Profile webpage.
Agenda
| Agenda item |
| --- |
| Welcome & Agenda |
| Housekeeping |
| Introductions and Opening Remarks |
| Privacy Framework 1.1 Update |
| DGM Profile Background |
| Exercise 1 |
| 10-minute break |
| Exercise 2 |
| Discussion and Closing Remarks |
Additional Information
At Working Session 2, attendees will generally be asked to engage by:
- Providing input on prioritizing critical data governance and management objectives, activities, and mappings that a range of organizations can use, with respect to their relationship to privacy and cybersecurity risk management.
- Sharing feedback on the plan, scope, and roadmap for the DGM Profile.
- Suggesting significant research, guidelines, or standards that address or influence an organization’s data governance and management posture.
To dive into each of the three aforementioned areas, the following are examples of “priming questions” or subtopics designed only to stimulate thinking. Attendees do not have to answer these formally before, during, or after the Working Session.
- Providing input on prioritizing critical data governance and management objectives, activities, and mappings that organizations can use, with respect to their relationship to privacy and cybersecurity risk management.
  - What are the most significant privacy and security risks for an organization looking to build, evaluate, or strengthen its data governance and management posture?
  - What are the most significant catalysts or enablers, technical and non-technical, from an organization’s privacy and security risk management program for adopting more effective data governance and management?
  - For organizations that have adopted AI or are becoming increasingly AI-ready: what significant impact have those efforts had on the enterprise approach to privacy and security risk management? On data governance and management?
  - In what organizational contexts is data quality most crucial? If an organization suffers from what it feels is “bad” data, what actions, processes, and capabilities can it pursue in: rules, requirements, specifications, inconsistency, inaccuracy, tampering, validation, sources of truth, data rot, cleaning, transforming, aggregating, etc.?
  - In what organizational contexts is data stewardship most crucial? If an organization does not have the business culture or the privacy, security, or DGM practices required for its needs, what actions, processes, and capabilities can it pursue in: organizational attitudes, rules of behavior, knowledge management, awareness, IT trustworthiness, policies, compliance, etc.?
  - In what organizational contexts is data accountability most crucial? If an organization does not have the accountability it desires, what actions, processes, and capabilities can it pursue in: privacy, security, and data governance and management, organizational roles, transparency, data literacy and expertise, the data/information life cycle, storage, backup, incident response, disaster recovery, decommissioning/deletion, etc.?
  - In what organizational contexts is data value most crucial? If an organization is not using its data appropriately and adequately to achieve its goals, what actions, processes, and capabilities can it pursue in: new product and service design and deployment, data sources, usage requests, approvals, monitoring, data analysis/analytics, combining or aggregating data, controls, fair information practice principles (e.g., purpose specification and use limitation), etc.?
- Sharing feedback on the plan, scope, and roadmap for the DGM Profile.
  - Is the Profile’s planned approach, mapping example data governance and management activities to the NIST Privacy Framework and Cybersecurity Framework first and then adding a mapping to the AI Risk Management Framework in a later update, clear and compelling?
  - For organizations preparing AI-specific governance programs, which specific parts of the planned Profile would be most useful?
- Suggesting significant research, guidelines, or standards that address or influence an organization’s data governance and management posture.
  - Do organizations generally find that there are consistently used terms, taxonomies, or standards for DGM that support their business goals?
  - To what extent have NIST’s voluntary guidelines, resources, and publications in related domains helped address or influence organizations’ DGM postures, including but not limited to the Privacy Framework, Cybersecurity Framework, AI Risk Management Framework, and National Cybersecurity Center of Excellence (NCCoE) Data Classification Practices?
  - What standards and resources do organizations use the most to support their current business goals related to DGM, including but not limited to International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 38505-1 and other ISO/IEC standards relating to information security management and privacy?
Notional Data Governance and Management Activities
Data Governance and Stewardship
- Establishing policies, processes, and procedures for data governance and management
- Establishing and enhancing an organizational governance structure
- Establishing risk management practices for each stage of the data life cycle
- Assigning roles and responsibilities for data governance and management
- Establishing and maintaining a training and awareness program for data governance and management
- Defining enterprise data requirements
- Identifying needs for and sources of data
- Establishing values and standards for data quality
- Coordinating with functions that play a role in appropriately managing business records
- Facilitating and managing data sharing and collaboration within and outside the organization
- Incorporating stakeholder needs
- Identifying data by domain and within systems
Data Lifecycle Management
- Implementing flexible data architectures and systems to meet current and future needs
- Managing data and data platforms
- Integrating data from multiple sources into data systems
- Implementing data storage, backup, and continuity solutions
- Managing metadata, data provenance, and data lineage
- Conducting data analytics, including AI/ML, for data-driven decision making
- Implementing data disposition requirements