Data governance capability considerations for boards - a framework

Preparedness

• Is the current state known, visible and documented?
  
• Is there an inventory of critical assets (including data/systems/infrastructure)?
  
• Do metrics exist and are they being monitored?
  
• What is being communicated?

• Is there a plan or strategy for assets?
  
• Are there policies covering establishment, procurement, implementation and
  acceptable use?
  
• Are there risk assessments? 
  
• What is being communicated?

• Is there a plan or strategy for business continuity in the absence of assets?

• Are incident response plans in place and accessible?

• What concludes an incident?
• How are learnings captured and communicated?
• How are impacts measured?
• What changes need to be made?

• What skills are needed?
• Are specialist roles or responsibilities needed?
• Are staff aware of risks?

• Do plans identify who is accountable? 
• Do plans identify training needs or skills gaps? 
• Are plans communicated internally and externally?

• Who are the relevant contacts? 
• Are people educated or trained? 
• What scenarios are considered?

• Are roles and contacts for incidents identified and contactable?
  
• Are backup plans in place for relief?
  
• Are internal and external communication plans in place?
  
• Are rosters needed?

• How is internal and external people’s recovery assessed?
• What additional help is needed?
• How do people know ‘we’re back to normal’?
• How is feedback captured?

• How do new risks and threats get identified?
• How do new risks get assessed?

• Do possible impacts form part of an overall business approach?

• Are processes rehearsed?

• Are escalation and notification requirements known/accessible and documented?

• Are learnings documented to feed into continuous improvement?

• What is the technology portfolio? 
• What monitoring exists?

• Are relevant documents, systems and procedures easily locatable and accessible?
• Are there backups?
• Are systems designed to ‘privacy by design’ and ‘zero trust’?

• Have backups been tested?
• Are regular tests conducted?
• Do systems have automatic notifications on exceedences?

• Is mobility available (hardware and networks) if another or ‘on location’ response is needed?

• Do learnings feed into improvements?

• What does the board need to know and do?
• What does senior management need to know and do?
• When do things need to be escalated from one to the other?

• Are roles and accountabilities clear and measured?
  
• Are insurances available or needed?

• Are insurance covers understood fully?
• Are board and management roles defined for BAU and incident scenarios?

• Are claims filed promptly?
• Are communication lines and roles to internal stakeholders executed?
• Have legislated notifications been issued (data breach, market announcements)?

• Are learnings valued as an asset?
• Are identified necessary changes implemented and monitored to execution?

• What is the contract and supply chain landscape? 
• Is there concentrated reliance on single providers or countries?

• Are roles between suppliers and the organisation clear?
• Are service levels defined and monitored?

• Do escalation clauses/responsibility matrices exist?
• Are out of hours support/response capabilities known?
• Are financial impacts known for out of hours support?

• Are direct lines and methods of communication and coordination in place?
• Can responders be co-located if needed?

• Do contracts and service arrangements require amendment or clarification?