The six knows
Data governance at UQ is framed around the ‘six knows’. The six knows are based on the original ‘five knows of cyber security’ and focus on how data should be protected to effectively manage any risks.
The six knows at UQ are:
Quality
Do you know if your data is of suitable quality to support decisions?
Aspects to consider include:
- Is the data complete and accurate?
- What will let you know that things are going well or poorly? (e.g. feedback mechanisms)
- How do you know that people are following the right policies and procedures?
- Do you require compliance audits?
- Are you using standard terminology / have you developed logic on the naming convention?
Value
Do you know the value and risks associated with the data? For example, what is the risk of the data leaking?
All UQ employees are responsible for understanding Information Security Classifications, using data in accordance with its Information Security Classification, and assigning classifications to newly created data.
Further aspects to consider include:
- If your data is used by others, have you made it clear to users how to understand and interpret your data?
- Using metrics to continuously monitor and evaluate.
Access
Do you know who has access to your data?
Aspects to consider include:
- Do you know who is currently accessing your data? (e.g. it may be fed into downstream applications, or used by PBI portal, Data Services, etc.)
- Do people have access to data they shouldn’t?
Location
Do you know where your data is?
All UQ employees are responsible for ensuring data is stored in an appropriate, secure place approved by the University.
Further aspects to consider include:
- Knowing whether your data is saved in one location or across multiple systems.
- Do you understand the access and security around these locations?
- What happens if you need to retire your data?
Security
Do you know who is protecting your data?
All UQ employees are responsible for aligning with UQ’s security, confidentiality and privacy requirements.
Further aspects to consider include:
- Who is protecting your data? While ITS can protect the actual copy of the data, Information Stewards are responsible for protecting access to the data (access control).
- Do you know the processes, procedures and automated methods in place to ensure the security of the data?
Protection
Do you know how well your data is protected?
Aspects to consider include:
- Ensuring data is classified appropriately. Security controls are applied commensurate with the Information Security Classification.
- Undertaking security assessments to determine: do people have access to data they shouldn’t? Is the data that is supposed to be protected appropriately protected?