Policies that cover data management should cover transitions throughout the data life cycle.

The primary goal of information security is to protect the fundamental data that powers our systems and applications. As companies transition to cloud computing, the traditional methods of securing data are challenged by cloud-based architectures. You don’t have to lift and shift existing problems. Moving to the cloud creates a field of opportunity to reexamine how you manage information and find ways to improve things. In this blog, we’ll discuss information governance and the Data Security Lifecycle as they relate to cloud computing, and provide recommendations that you can take with you on your cloud migration journey.

What is Data/Information Governance?

Data/information governance means ensuring that the use of data and information complies with organizational policies, standards, and strategy. This includes regulatory, contractual, and business requirements and objectives. Note that data is different from information, but the terms can be used interchangeably. Information is data with value.

Data Security Lifecycle vs Information Lifecycle Management

Information Lifecycle Management is a tool to help understand the security boundaries and controls around data from its creation through retirement. Although Information Lifecycle Management is a fairly mature field, it doesn’t map well to the needs of security professionals.

The Data Security Lifecycle is different from Information Lifecycle Management in that it reflects the different needs of the security audience. It includes six phases from creation to destruction. Once created, data can bounce in between phases without restriction, and may not pass through all stages (not all data is eventually destroyed).

  1. Create. Creation is the generation of new digital content, or the alteration of existing content.
  2. Store. Storing is the act of committing the digital data to some sort of storage repository and typically occurs nearly simultaneously with creation.
  3. Use. Data is viewed, processed, or used in some sort of activity, not including modification.
  4. Share. Information is made accessible to others, such as in between users, to customers, and to partners.
  5. Archive. Data leaves active use and enters long-term storage.
  6. Destroy. Data is permanently destroyed using physical or digital means.

Locating Data in the Lifecycle

Due to regulatory, contractual, and jurisdictional issues, it’s important to understand the logical and physical locations of data.

The lifecycle represents the phases information passes through but doesn’t address its location or how it’s accessed. Data is accessed and stored in multiple locations, each with its own lifecycle. The data security lifecycle is not a single, linear operation, but a series of smaller lifecycles running in different operating environments. At nearly any phase, data can move into, out of, and between these environments.

Users know where data lives and how it moves, but how is it accessed? Data is accessed using a variety of different devices that have different security characteristics and may use different applications or clients.

The Functions Performed With Data

There are three functions that can be performed with data by a given actor in a particular situation:

  • View/read the data, including creating, copying, file transfers, dissemination, and other exchanges of information.
  • Process a transaction on the data, update it, or use it in a business processing transaction.
  • Store and hold the data in a file, database, etc.

Recommendations

Here are some of our key recommendations for information governance:

  • Ensure information governance policies and practices extend to the cloud. This will be done through contractual and security controls.
  • Use the data security lifecycle to help model data handling and controls.
  • Instead of lifting and shifting existing information architectures, use your cloud migration as an opportunity to re-think and restructure what is often the fractured approach used in existing infrastructure.

To learn more about information governance, check out Domain 5 of the Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. This document also covers best practices in 13 other cloud security domains.

You can learn more about the Data Security Lifecycle in this free sample of the CCSK online course.

About

The Technical Data Management process provides a framework to acquire, manage, maintain and ensure access to the technical data and computer software required to manage and support a system throughout the acquisition life cycle (see Systems Engineering (SE) Guide, Section 5.24 System Security Engineering for information regarding protection of critical program information).

Key Technical Data Management considerations include understanding and protecting Government intellectual property and data rights, achieving competition goals, maximizing options for product support and enabling performance of downstream life-cycle functions. DoDI 5000.85, 3D.2.b.(5)(k) IP and 3D.3.c.(5) IP Strategy contains IP and IP Strategy policy for Major Capability Acquisition programs.

Acquiring the necessary data and data rights, in accordance with Military Standard (MIL-STD)-31000, for acquisition, upgrades, and management of technical data provides:

  • Information necessary to understand and evaluate system designs throughout the life cycle.
  • Ability to operate and sustain weapon systems under a variety of changing technical, operational, and programmatic environments.
  • Ability to re-compete item acquisition, upgrades, and sustainment activities in the interest of achieving cost savings; the lack of technical data and/or data rights often makes it difficult or impossible to award contracts to anyone other than the original manufacturer, thereby taking away much or all of the Government’s ability to reduce total ownership costs (TOC).

Technical Data Management Activities and Products

The Program Manager (PM), Systems Engineer, and Lead Software Engineer, in conjunction with the Product Support Manager, should ensure that life-cycle requirements for weapon system-related data products and data rights are identified early and appropriate contract provisions are put in place to enable deliveries of these products. SE Guidebook Figure 4-12 below shows the activities associated with Technical Data Management.

SE Guidebook Figure 4-12: Data Management Activities

Identify Data Requirements

  • Formulate the program’s Intellectual Property (IP) Strategy and technical data management approach, with an emphasis on technical and product data needed to provide support throughout the acquisition life cycle. (See DAG CH 1–4.2.18. and forthcoming PM guidebooks for more information about Data Rights).
  • Consider all opportunities to leverage the system model and WBS structure to capture data rights assertions as the system architecture is being developed and throughout the system life cycle.
  • Ensure that data requirements are documented in the IP Strategy; summarized in the Acquisition Strategy (AS) and presented with the Life-Cycle Sustainment Plan (LCSP) during the Operations and Support Phase; and submitted before award of the contract for the next life-cycle phase.
  • Special attention needs to be given to acquire or access data and digital artifacts within the digital ecosystem throughout the program’s life cycle, including identifying formats that can be made compatible with Government data systems (program office, T&E, models and simulations, sustainment, etc.).
  • Based on the technical baseline, identify assemblies, subassemblies, and parts that are candidates for Government ownership of data rights. Include this information in AoAs, trade studies and as input to RFPs.
  • Consider not only the immediate, short-term costs of acquiring the needed technical data and data rights but also the long-term cost savings resulting from the ability to compete production and logistics support activities and reduce TOC. Understand that the Government can possess either Government Purpose or Unlimited Rights to use many types of technical data and data rights, at no additional cost, based on the type of technical data and the source of funding used to generate the data (see DoD Open Systems Architecture Contract Guidebook for Program Managers for more information about data rights).
  • Consider any requirements to acquire rights to production and sustainment tooling and facilities, including processes required to use this equipment. Where the government has acquired rights to specific parts, these rights do not necessarily also convey rights to the equipment or processes used to produce the parts.

Acquire Data

  • Use explicit contract Statement of Work (SOW) tasks to require the developer to perform the work that generates the required data. The content, format and quality requirements should be specified in the contract.
  • Use current, approved Data Item Descriptions (DID) and Contract Data Requirements Lists (CDRL) in each contract to order the delivery of the required technical data and computer software.
  • Consider obtaining data through an open business model with emphasis on having open, modular system architectures that can be supported through multiple competitive alternatives. The model may include modular open systems approaches as a part of the design methodology supported by an IP strategy, which may be implemented over the life cycle of a product. (See SE Guidebook, Section 2.2.5 Modular Open Systems Approach).

Receive, Verify and Accept Data

  • Ensure verification of content, format, and quality of all required product-related data received from originators.
  • Inspect contractually ordered data deliverables to ensure markings are in accordance with the relevant data rights agreements and DFARS clauses and contain appropriate distribution statements and/or export control statements.

Caution: Acceptance of delivered data not marked consistent with the contract can result in the Government "losing" legitimate rights to technical data and can incur significant legal liability on the Government and the individual Government employees. Regaining those rights generally requires costly and time-consuming legal actions.

Store, Maintain and Control Data

  • Budget for and fund the maintenance and upkeep of product data throughout the life cycle.
  • An Integrated Data Environment (IDE) or Product Life-cycle Management (PLM) system allows every activity involved with the program to create, store, access, manipulate and exchange digital data.
  • To the greatest extent practical, programs should use existing IDE/PLM infrastructure such as repositories operated by Commodity Commands and other organizations. (Program-unique IDEs are discouraged because of the high infrastructure cost; furthermore, multiple IDEs inhibit access, sharing and reuse of data across programs.)
  • Ensure all changes to the data are made in a timely manner and are documented in the program IDE or PLM system.

Use and Exchange Data

Plan for and establish methods for access and reuse of product data by all personnel and organizations that perform life-cycle support activities. In support of the Government’s requirement for a Technical Data Package (TDP), the PM should also consider all product-related data (e.g., technical manuals, repair instructions and design/analysis data) to:

  • Allow logistics support activities.
  • Better enable sustainment engineering.
  • Apply, implement, and manage product upgrades.

Contractually deliverable data should be identified and ordered at the specific "data product" level, (e.g., two-dimensional drawings, three-dimensional Computer-Aided Design (CAD) models, technical manuals, etc.). SE Guidebook, Figure 4-13 below provides a notional representation of different types of product-related data.

Caution: PMs, Systems Engineers and Lead Systems Engineers should be aware that terms such as "technical data," "product data," and "TDP" are imprecise, not equivalent, and often incorrectly used interchangeably.

Resources for establishing and conducting Technical Data Management activities include but are not limited to:

  • DoD 5010.12-M, Procedures for the Acquisition and Management of Technical Data
  • Change 1, Implementation Guidance for Army Directive 2018-26 (Enabling Modernization through Management of Intellectual Property), 17 Dec 20
  • Army Regulation 25-1 Army Information Technology
  • Army Pamphlet 25-1-1 Army Information Technology Implementation Instructions
  • Air Force Data Rights Guidebook, 2019
  • Air Force Product Data Acquisition (PDAQ) guidance (following link requires an Air Force portal account)
  • Air Force Technical Data and Computer Software Rights Handbook
  • Navy Technical Manual SL150-AA-PRO-010/DMP - Data Management Program
  • MIL-HDBK-245 (Preparation of Statement of Work (SOW))
  • MIL-STD-963 (Data Item Descriptions)
  • MIL-STD-31000 (Technical Data Packages)

Data Protection

The Program Manager is responsible for protecting system data, whether the data is stored and managed by the Government or by contractors. The DoD policy with regard to data protection, marking, and release can be found in:

  • DoDD 5230.25, Withholding of Unclassified Technical Data from Public Disclosure
  • DoDI 5230.24, Distribution Statements on Technical Documents
  • DoDM 5400.07, DoD Freedom of Information Act (FOIA) Program
  • DoDI 5200.01, DoD Information Security Program and Protection of Sensitive Compartmented Information (SCI)
  • DoDI 5000.83, Technology and Program Protection to Maintain Technological Advantage
  • DoDI 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E)

Data containing information subject to restrictions are protected in accordance with the appropriate guidance, contract, or agreement. Guidance on distribution statements, restrictive markings and restrictions on use, release or disclosure of data can be found in the DFARS (Subpart 252.227-7013 and 7014), and DoDI 5230.24.

When digital data are used, the data should display applicable restriction markings, legends and distribution statements clearly and visibly when the data are first opened or accessed. These safeguards not only ensure Government compliance regarding the use of data but also guarantee and safeguard contractor data delivered to the Government and extend responsibilities of data handling and use to parties who subsequently use the data.

P.L. 107-347 (SEC 208 para (b)) and DoDI 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance" require that a PIA be conducted before developing or purchasing any DoD information system that collects, maintains, uses or disseminates personally identifiable information about members of the public, federal personnel, DoD contractors and, in some cases, foreign nationals. Available PIA guidance provides procedures for completing and approving PIAs.

All data deliverables should include distribution statements. Processes should be established to protect all data that contain critical technology information, as well as ensure that limited distribution data, intellectual property data or proprietary data are properly handled throughout the life cycle, whether the data are in hard-copy or digital format.

Products and Tasks

Product: 18-1-1: Verify technical data acquisition, access, management and protection policies and procedures

Tasks:
  1. Assess the technical data needs required for the program.
  2. Identify policies and procedures for information technology and technical data applicable to the system / program.
  3. Develop statement of work tasks to generate technical data to be acquired for a system, and submit to the decision maker for inclusion in contract documentation.
  4. Identify data item descriptions (DIDs) and contract data requirements lists (CDRLs) to acquire technical data for the system from the developer, and submit to the decision maker for inclusion in contract documentation.
  5. Document technical data needs, SOW tasks and technical data deliverables, along with associated technical data management processes, and incorporate into the intellectual property (IP) strategy.
  6. Receive, verify, and accept contractually ordered technical data.
  7. Verify contractually ordered technical data is stored, maintained, and has access controlled in accordance with the configuration management plan and the IP strategy.

Source: AWQI eWorkbook


Resources

Key terms

Intellectual Property (IP)
Intellectual Property (IP) Strategy

Statutes, Regulations, Guidance

  • DoDI 5000.85, 3D.2.b.(5)(k) IP and 3D.3.c.(5) IP Strategy
  • DoDI 5010.44, Intellectual Property (IP) Acquisition and Licensing
  • Systems Engineering (SE) Guidebook, Section 4.1.7 Technical Data Management Process
  • MIL-STD-31000, Technical Data Packages
  • DoDI 5010.44, Intellectual Property (IP) Acquisition and Licensing, 16 Oct 19
  • DoD Open Systems Architecture Contract Guidebook for Program Managers, v1.1, June 2013

DD, Engineering Digital Engineering page

Digital Engineering

DAU Training Courses

  • ETM 1040 Technical Management Foundations, Module 7
  • CLE 068: Intellectual Property and Data Rights
  • CLE 084: Models, Simulations, and Digital Engineering
  • CLM 002: Intellectual Property (IP) Valuation
  • CLM 071: Introduction to Intellectual Property Strategy
  • CLM 072: Intellectual Property (IP) Strategy Development
  • CLM 073: Data Management Planning
  • CLM 075: Data Acquisition
  • CLM 076: Data Marking
  • CLM 077: Data Management Protection and Storage
  • LOG 2150 Technical Data Management

Media

  • Striking the Balance - Price and Data Rights
  • Digital Readiness: Data and the World: State of Practice
  • Digital Readiness: The World of Data
  • Adaptive Acquisition Framework: DoDI 5010.44 Intellectual Property Acquisition and Licensing

Communities of Practice

  • Data Management
  • Intellectual Property (IP) & Data Rights

What is the correct order of change control procedures regarding changes to systems and networks?

What is the correct order of steps in the change control process? The sequence of events during the change control process is request, impact assessment, approval, build/test, implement, and monitor.

What is not one of the three tenets of information security?

Explanation: While safety is a critical concern, it is not one of the three tenets of information security, which are confidentiality, integrity and availability.

When should an organization's managers have an opportunity to respond to the findings in an audit?

Managers should include their responses to the draft audit report in the final audit report.

What is the first step in information security quizlet?

The initial step in establishing an information security program is the development and implementation of an information security standards manual.