Category Archives: Data Governance
If you follow me on LinkedIn then you already know that there is no place I would rather be than in front of a client – virtually or in person. There is simply nothing that energizes me more than gathering the insights of client advocates. With this said, it will be no surprise that Informatica World makes me giddy, like a kid in a candy store – over 1500 clients telling their stories and sharing valuable lessons learned.
For healthcare alone, over a dozen payer and provider organizations have volunteered to share their use cases, their stories and their lessons learned. The array of brands represented is second to none, e.g. Kaiser, UPMC, Cleveland Clinic and Humana.
Beyond sessions, clients ask for more opportunities to network with peers and to get hands-on with the next releases of products, and we listened!
- Healthcare cocktail reception Tuesday evening
- Healthcare Industry breakfast Thursday morning
- Hands on Labs with industry specific content
- Partner technology showcase
A complete list of healthcare sessions, plus a few hot topic sessions, is below. I look forward to seeing you in Las Vegas next week!
- PII – Personally Identifiable Information – any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII
- GSA’s Rules of Behavior for Handling Personally Identifiable Information – This directive provides GSA’s policy on how to properly handle PII and the consequences and corrective actions that will be taken if a breach occurs
- PHI – Protected Health Information – any information about health status, provision of health care, or payment for health care that can be linked to a specific individual
- HIPAA Privacy Rule – The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
- Encryption – a method of protecting data by scrambling it into an unreadable form. It is a systematic encoding process which is only reversible with the right key.
- Tokenization – a method of replacing sensitive data with non-sensitive placeholder tokens. These tokens are swapped with data stored in relational databases and files.
- Data masking – a process that scrambles data, either an entire database or a subset. Unlike encryption, masking is not reversible; unlike tokenization, masked data is useful for limited purposes. There are several types of data masking:
- Static data masking (SDM) masks data in advance of using it, typically for non-production databases; the masking is NOT performed in real time
- Dynamic data masking (DDM) masks production data in real time
- Data Redaction – masks unstructured content (PDF, Word, Excel)
Each of the three methods for protecting data (encryption, tokenization and data masking) has different benefits and solves different security issues. We’ll address them in a bit. For a visual representation of the three methods – please see the table below:
For protecting PHI data – encryption is superior to tokenization. You encrypt different portions of personal healthcare data under different encryption keys. Only those with the requisite keys can see the data. This form of encryption requires advanced application support to manage the different data sets to be viewed or updated by different audiences. The key management service must be very scalable to handle even a modest community of users. Record management is particularly complicated. Encryption works better than tokenization for PHI – but it does not scale well.
Properly deployed, encryption is a perfectly suitable tool for protecting PII. It can be set up to protect archived data or data residing on file systems without modification to business processes.
- You must install encryption and key management services to protect the data at rest – this only protects the data from access that circumvents the applications
- You can add application layer encryption to protect data in use
- This requires changing applications and databases to support the additional protection
- You will pay the cost of modification and the performance of the application will be impacted
For tokenization of PHI – there are many pieces of data which must be bundled up in different ways for many different audiences. Using the tokenized data requires it to be de-tokenized (which usually includes a decryption process). This introduces an overhead to the process. A person’s medical history is a combination of medical attributes, doctor visits, outsourced visits. It is an entangled set of personal, financial, and medical data. Different groups need access to different subsets. Each audience needs a different slice of the data – but must not see the rest of it. You need to issue a different token for each and every audience. You will need a very sophisticated token management and tracking system to divide up the data, issuing and tracking different tokens for each audience.
Masking can scramble individual data columns in different ways so that the masked data looks like the original (retaining its format and data type) but is no longer sensitive. Masking is effective for maintaining aggregate values across an entire database, enabling preservation of sum and average values within a data set while changing all the individual data elements. Masking plus encryption provides a powerful combination for the distribution and sharing of medical information.
Traditionally, data masking has been viewed as a technique for solving a test data problem. The December 2014 Gartner Magic Quadrant Report on Data Masking Technology extends the scope of data masking to more broadly include data de-identification in production, non-production, and analytic use cases. The challenge is to do this while retaining business value in the information for consumption and use.
Masked data should be realistic and quasi-real. It should satisfy the same business rules as real data. It is very common to use masked data in test and development environments as the data looks like “real” data, but doesn’t contain any sensitive information.
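The glossary entries above define tokenization and the two kinds of masking, and the PHI discussion says masking can change every individual element while keeping column sums and averages intact. The following Python is an added example written for this page, not Informatica product code: it tokenizes a record identifier through a vault (reversible only by vault lookup), statically masks identity fields in a format-preserving way, shuffles a numeric column so the aggregate survives, and applies a role-based dynamic view. The patient records, role names and field layout are all constructed for the example.

```python
import random
import re
import secrets
import string
from typing import Dict, List, Optional

# Constructed sample records (fictitious patients, fictitious identifiers).
# charge_cents is an integer so that column sums are exact.
SAMPLE_PATIENTS = [
    {"mrn": "MRN-000123", "ssn": "123-45-6789", "name": "Alice Example", "charge_cents": 125000},
    {"mrn": "MRN-000124", "ssn": "987-65-4321", "name": "Bob Sample",    "charge_cents":  31050},
    {"mrn": "MRN-000125", "ssn": "555-12-3456", "name": "Carol Test",    "charge_cents": 499999},
]

SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def has_ssn_format(value: str) -> bool:
    """Business-rule check a downstream test system would apply to an SSN field."""
    return SSN_FORMAT.match(value) is not None


def format_preserving_mask(value: str, rng=secrets) -> str:
    """Static masking (SDM) of one field: each digit becomes a random digit and
    each letter a random letter of the same case; punctuation and length are
    kept, so the result passes the same format checks as the original but
    cannot be reversed. `rng` needs a .choice(): the default `secrets` for real
    masking, random.Random(seed) for reproducible test fixtures."""
    out = []
    for ch in value:
        if ch.isdigit():
            out.append(rng.choice(string.digits))
        elif ch.isupper():
            out.append(rng.choice(string.ascii_uppercase))
        elif ch.islower():
            out.append(rng.choice(string.ascii_lowercase))
        else:
            out.append(ch)
    return "".join(out)


def shuffle_mask(values: List[int], seed: Optional[int] = None) -> List[int]:
    """Static masking of a numeric column by permutation: individual rows lose
    their true value, but the column's sum and average are preserved exactly."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    masked = list(values)
    rng.shuffle(masked)
    return masked


class TokenVault:
    """Tokenization: a sensitive value is swapped for a random token, and the only
    way back is a lookup in this vault. The vault holds every original value, so
    it needs the strongest access control in the system."""

    def __init__(self) -> None:
        self._value_to_token: Dict[str, str] = {}
        self._token_to_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = self._value_to_token.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # random: nothing links it to the value
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for an unknown token rather than guessing.
        return self._token_to_value[token]


def static_mask_dataset(records: List[dict], vault: TokenVault,
                        seed: Optional[int] = None) -> List[dict]:
    """Produce a non-production copy: MRNs tokenized (reversible through the
    vault only), SSN and name masked in place, charges shuffled across rows."""
    rng = random.Random(seed) if seed is not None else secrets
    charges = shuffle_mask([r["charge_cents"] for r in records], seed)
    out = []
    for r, charge in zip(records, charges):
        out.append({
            "mrn": vault.tokenize(r["mrn"]),
            "ssn": format_preserving_mask(r["ssn"], rng),
            "name": format_preserving_mask(r["name"], rng),
            "charge_cents": charge,
        })
    return out


def dynamic_view(record: dict, role: str) -> dict:
    """Dynamic masking (DDM): the production record is filtered per audience at
    read time. Roles are constructed for this example: 'clinician' sees identity,
    'billing' sees partial identity plus charges, 'analyst' sees neither."""
    view = dict(record)
    if role != "clinician":
        view["ssn"] = "***-**-" + record["ssn"][-4:]
        view["name"] = "[redacted]"
    if role not in ("clinician", "billing"):
        view["charge_cents"] = None
    return view
```

The split mirrors the text: the vault is the one place where a token can be turned back into PHI, so it is what tokenization's "sophisticated token management" protects; the masked copy has no such path back, which is why it is safe to hand to test and development teams; and the dynamic view is the per-audience slicing applied to live production data.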
What you need to know
The FREAK vulnerability allows an attacker with a privileged position on a network (e.g. a “man-in-the-middle” attacker) to compromise the SSL/TLS handshake between the client and server. The attack forces the server to use a weak, export-grade cipher even if the client specifies a stronger cipher. Weak ciphers are more vulnerable to attack and brute-force decryption. Due to a bug in affected SSL/TLS libraries, the client accepts the export-grade cipher and puts the encrypted transmission at risk of disclosure.
For more information about the FREAK vulnerability, see the post by Matt Green, who coordinated the widespread disclosure: http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
What you need to do
The following Informatica products now have updated SSL/TLS libraries available, to address this vulnerability:
- Big Data Edition
- Data Explorer
- Data Quality
- Data Replication
- Data Services
- Native Adapters
- PowerCenter Express
- PowerExchange Mainframe and Changed-Data Capture
Because SSL/TLS vulnerabilities also affect underlying OSes (including Microsoft Windows and various Linux variants), we also recommend reviewing your OS patch levels and applying fixes as necessary.
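Beyond applying the library updates listed above, a practitioner will want to confirm that no configuration still lists the export-grade suites FREAK downgrades to. The Python below is an added example for this page, not an Informatica tool: it flags export-grade entries in a cipher list (OpenSSL names start with `EXP-`, IANA names contain `_EXPORT`), and builds a client `SSLContext` whose cipher string excludes them and checks what the context would actually offer. The legacy cipher list is constructed for the example; the helper names are this example's own.

```python
import re
import ssl
from typing import Iterable, List

# Export-grade suites in OpenSSL naming start with "EXP-" (older builds also had
# "EXP1024-"); in IANA naming they contain "_EXPORT". They cap RSA at 512 bits
# and the symmetric key at 40 bits, which is what a FREAK downgrade lands on.
EXPORT_SUITE = re.compile(r"^EXP(1024)?-|_EXPORT")


def find_export_ciphers(cipher_names: Iterable[str]) -> List[str]:
    """Return the export-grade entries of a cipher-suite list, in input order."""
    return [name for name in cipher_names if EXPORT_SUITE.search(name)]


def context_export_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Export-grade suites a Python SSLContext would actually offer or accept
    (empty on any OpenSSL that no longer ships export suites at all)."""
    return find_export_ciphers(c["name"] for c in ctx.get_ciphers())


def hardened_context() -> ssl.SSLContext:
    """A client context that refuses export, anonymous, NULL, RC4 and MD5 suites
    explicitly, whatever defaults the underlying OpenSSL build ships with."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!EXPORT:!aNULL:!eNULL:!RC4:!MD5")
    return ctx


# Constructed example of a cipher list copied from an old configuration file.
LEGACY_CIPHER_LIST = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "EXP-RC4-MD5",        # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    "AES256-SHA",
    "EXP-DES-CBC-SHA",    # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
]

if __name__ == "__main__":
    print("export suites in legacy list:", find_export_ciphers(LEGACY_CIPHER_LIST))
    print("export suites in hardened context:", context_export_ciphers(hardened_context()))
```

The first check is the one to run over every cipher string in your configuration management; the second shows why a patched library matters even when the configuration looks clean, since a context can only offer what the library it links against still contains.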
If the number of critical vulnerabilities disclosed since late 2014 has reinforced anything it’s that teams need repeatable, efficient processes to evaluate and apply patches and product updates. This was also a point I made in my 2015 RSA Conference presentation, on building effective Information Security programs: being able to track “time to close critical vulnerabilities” is a great metric to help improve your teams’ security efficacy.
Bill Burns, VP & Chief Information Security Officer
The Informatica Government Summit is tomorrow and we couldn’t be more excited! Our great speaker lineup includes experts from Bloomberg, FCC, USPS, MeriTalk, the Department of Defense and more! We have more than a half dozen breakout sessions with public sector industry experts and Informatica customers and partners. If you’re going to be there, we want you to tell the world all about it! To inspire attendees to share their experience at the conference, we created a Twitter contest!
To participate in the #INFAgov15 Twitter contest – it’s as easy as 1, 2, 3! Just follow these steps below:
- Be a registered attendee of the Informatica Government Summit 2015.
Informatica employees and event sponsors are ineligible
- Tweet relevant content about the conference from a personal Twitter account between Thursday, April 23 at 12:00AM (EDT) and Thursday, April 23 at 11:59pm (EDT)
- Include the text “INFA contest” and #INFAgov15 hashtag in each participating tweet
Example Tweet: Really enjoyed the “Citizen-Ready Data: Unlock the Power of Data” breakout session! #INFagov15 INFA contest
The contestant who sends the highest number of relevant, unique tweets from a personal (not corporate) account during this time frame will win one free Informatica University course – up to $3,200 value!
Your choice of class and offering type:
- Seat in Instructor-led scheduled classroom or Virtual Academy Event
- OnDemand Plus course subscription (eLearning course + hands-on labs).
See full contest terms and conditions below.
INFAgov15 Contest Terms and Conditions
NO PURCHASE OR PAYMENT OF ANY MONEY IS NECESSARY TO ENTER OR WIN. A PURCHASE DOES NOT INCREASE THE CHANCES OF WINNING. VOID WHERE PROHIBITED.
SPONSOR: The Sponsor of the contest is Informatica Corporation: 2100 Seaport Blvd., California, 94063, United States.
ELIGIBILITY: The INFAgov Contest is open only to anyone who has registered to attend Informatica Government Summit 2015 and who is at least 18 years old at the time of entry. Employees of Sponsor and immediate family members of Sponsor’s employees are not eligible to participate in the contest. The contest is subject to all applicable federal, state and local laws and regulations.
CONTEST PERIOD: The contest begins at 12:00 AM United States Eastern Daylight Time (“EDT”) on April 23, 2015, and ends at 11:59 PM EDT on April 23, 2015 (the “Contest Period”).
HOW TO ENTER: The contest may be entered by a registered attendee of Informatica Government Summit 2015 submitting one or more unique tweets about Informatica Government Summit 2015 during the Contest Period. Each tweet must include “INFA Contest” and “#INFAgov15” to be an eligible entry to the contest.
CONTEST REQUIREMENTS: To be eligible for a potential prize as part of the contest, participant must submit one or more entries that fulfill all contest requirements, which includes these terms and conditions. Entries that are not complete or do not adhere to these terms and conditions or specifications may be disqualified at the sole discretion of Sponsor. You may enter the contest more than once by submitting multiple distinct tweets (retweets will not be counted). If you use fraudulent methods or otherwise attempt to circumvent these terms and conditions, all of your entries may be removed from eligibility at the sole discretion of Sponsor.
SUBMISSION GUIDELINES: Your entry may not contain, as determined by the Sponsor, in its sole discretion, any content that:
• Is sexually explicit or suggestive; violent or derogatory of any ethnic, racial, gender, religious, professional or age group; profane or pornographic; contains nudity or inappropriate dress of any kind, including wearing of swimwear or undergarments.
• Promotes alcohol, illegal drugs, tobacco, firearms/weapons (or the use of any of the foregoing); promotes any activities that may appear unsafe or dangerous.
• Is obscene or offensive; endorses any form of hate or hate group.
• Defames, misrepresents or contains disparaging remarks about the Sponsor, or its products or any other people, products, brands or companies.
• Contains content created by anyone other than you, unless you have valid written permission to use the content in the manner used.
• Advertises or promotes any brand or product of any kind.
• Contains any personal identification, such as street or email addresses, or phone numbers.
• Violates or encourages the violation of any law, rule or regulation.
• Contains materials embodying the names, likenesses or other indicia identifying any person without the person’s valid written permission to use the name, likeness or indicia in the manner used.
• Promotes any particular political party, agenda or message; and/or communicates messages or images inconsistent with the positive image and/or goodwill with which the Sponsor wishes to associate the contest.
PRIZE: One (1) winner will receive a free training award, which provides the winner with the opportunity to receive one (1) free Informatica University course having a value of up to $3,200. The winner may choose from one of the following class and offering types offered by Sponsor: (a) a seat in an instructor led scheduled classroom or Virtual Academy Event designated by Sponsor or (b) an on Demand Plus course (eLearning course + hands-on labs) designated by Sponsor. All prize values are specified in United States Dollars. You are not guaranteed to win a prize and your chance of winning is dependent on the number of eligible entries received. No prize substitution is permitted except at Sponsor’s sole discretion. Any and all prize related expenses, including without limitation any and all federal, state, and local taxes shall be the sole responsibility of the winner. No substitution of prize or transfer/assignment of prize to others by any winner is permitted. Acceptance of prize constitutes permission for Sponsor to use winner’s name, likeness, and entry for purposes of advertising, social media, publication and trade without further compensation, unless prohibited by law.
ODDS: The odds of winning depend on the number of eligible entries received. The participant who submits the highest number of unique and eligible tweets will win the designated prize.
JUDGING CRITERIA AND NOTIFICATION: The winner will be the participant who submitted the highest number of eligible tweets. In the event of a tie between multiple entries for the highest number of distinct tweet submissions received, the winner will be selected by random drawing. Winner will be announced on April 30, 2015, via Sponsor’s Twitter account @infaps. The winner must contact Sponsor at email@example.com with the subject line, “INFAgov Contest Winner,” within 15 days from the time the award notification was published on Twitter. If the winner fails to contact Sponsor within the timeframe specified or fails to return a completed and executed declaration and release as required, the prize will be forfeited and an alternate winner selected. The receipt by winner of the prize offered in this contest is conditioned upon compliance with any and all federal and state laws and regulations and these terms and conditions. ANY VIOLATION OF THESE TERMS AND CONDITIONS BY ANY WINNER WILL RESULT IN SUCH WINNER’S DISQUALIFICATION AS WINNER OF THE CONTEST AND ALL PRIVILEGES AS WINNER WILL BE IMMEDIATELY TERMINATED.
RIGHTS GRANTED BY YOU: By submitting an entry to the contest, you agree to abide by these terms and conditions and any decision Sponsor makes regarding the contest (including awarding of any prize), which Sponsor shall make in its sole discretion. Sponsor reserves the right to disqualify and prosecute to the fullest extent permitted by law any participant or winner who, in Sponsor’s reasonable suspicion, tampers with the entry or contest process, violates these terms and conditions, or acts in an unsportsmanlike or disruptive manner. By submitting an entry for this promotion, you also agree to receive marketing communications from Sponsor and its affiliates. You also irrevocably grant to Sponsor, its licensees, agents, successors and assigns, to the extent permissible by law, the unconditional and perpetual right and license to post, display, broadcast, publish, use, adapt, edit, translate, dub, and/or modify all or a part of your entry, your name and address (city and state/province/territory), and the names, likenesses, photographs, voices, statements and images of all persons appearing in the entry anywhere in the world, for future advertising, trade, promotion, publicity or any other purpose, in any manner and in any medium now known or hereafter devised, without compensation and without notice to you, and/or review or approval from you, without limitation; you will not now nor in the future be paid or receive any other compensation for your entry or for granting the Sponsor any of the rights and/or licenses set out in these Rules; and any waiver of any obligation hereunder by Sponsor does not constitute a general waiver of any obligation to entrants. Winner may be required to sign an affidavit of eligibility, liability release and a publicity release, and other forms as a condition to receiving the prize.
TERMS: Sponsor reserves the right, in its sole discretion to cancel, terminate, modify or suspend the contest should (in its sole discretion) a virus, bugs, non-authorized human intervention, fraud or other causes beyond its control corrupt or affect the administration, security, fairness or proper conduct of the contest. In such case, Sponsor may select the recipients from all eligible entries received prior to and/or after (if appropriate) the action taken by Sponsor. Sponsor reserves the right at its sole discretion to disqualify any individual who tampers or attempts to tamper with the entry process, the operation of the contest, website or violates these Terms & Conditions. Sponsor reserves the right, in its sole discretion, to maintain the integrity of the contest, to void votes for any reason, including, but not limited to: multiple entries from the same user from different IP addresses, multiple entries from the same computer in excess of that allowed by contest rules, or the use of bots, macros or scripts or other technical means for entering.
Any attempt by an entrant to deliberately damage any web site or undermine the legitimate operation of the contest may be a violation of criminal and civil laws. Should such an attempt be made, Sponsor reserves the right to seek damages from any such person to the fullest extent permitted by law.
LIMITATION OF LIABILITY: SPONSOR AND SPONSOR’S AGENTS AND CONTRACTORS MAKE NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, REGARDING ANY PRIZE OR YOUR PARTICIPATION IN THE CONTEST. BY PARTICIPATING IN THE SWEEPSTAKES OR RECEIPT OF ANY PRIZE, EACH PARTICIPANT AGREES TO RELEASE AND HOLD HARMLESS SPONSOR AND ITS SUBSIDIARIES, AFFILIATES, SUPPLIERS, DISTRIBUTORS, ADVERTISING/PROMOTION AGENCIES, AND PRIZE SUPPLIERS, AND EACH OF THEIR RESPECTIVE PARENT COMPANIES AND EACH SUCH COMPANY’S OFFICERS, DIRECTORS, EMPLOYEES AND AGENTS (COLLECTIVELY, THE “RELEASED PARTIES”) FROM AND AGAINST ANY CLAIM OR CAUSE OF ACTION, INCLUDING, BUT NOT LIMITED TO, PERSONAL INJURY, DEATH, OR DAMAGE TO OR LOSS OF PROPERTY, ARISING OUT OF PARTICIPATION IN THE CONTEST OR RECEIPT OR USE OR MISUSE OF ANY PRIZE. THE RELEASED PARTIES ARE NOT RESPONSIBLE FOR: (1) ANY INCORRECT OR INACCURATE INFORMATION, WHETHER CAUSED BY PARTICIPANTS, PRINTING ERRORS OR BY ANY OF THE EQUIPMENT OR PROGRAMMING ASSOCIATED WITH OR UTILIZED IN THE CONTEST; (2) TECHNICAL FAILURES OF ANY KIND, INCLUDING, BUT NOT LIMITED TO MALFUNCTIONS, INTERRUPTIONS, OR DISCONNECTIONS IN PHONE LINES OR NETWORK HARDWARE OR SOFTWARE; (3) UNAUTHORIZED HUMAN INTERVENTION IN ANY PART OF THE CONTEST; (4) TECHNICAL OR HUMAN ERROR WHICH MAY OCCUR IN THE ADMINISTRATION OF THE CONTEST; OR (5) ANY INJURY OR DAMAGE TO PERSONS OR PROPERTY WHICH MAY BE CAUSED, DIRECTLY OR INDIRECTLY, IN WHOLE OR IN PART, FROM PARTICIPANT’S PARTICIPATION IN THE CONTEST OR RECEIPT OR USE OR MISUSE OF ANY PRIZE. 
If for any reason a participant’s entry is confirmed to have been erroneously deleted, lost, or otherwise destroyed or corrupted, participant’s sole remedy is to re-submit or submit another entry in the contest, provided that if it is not possible to award another entry due to discontinuance of the contest, or any part of it, for any reason, Sponsor, at its discretion, may elect to hold a random drawing from among all participants up to the date of discontinuance for any or all of the prizes offered herein. No more than the stated number of prizes will be awarded. Sponsor reserves the right to cancel, amend or suspend the contest at any time, with or without prior notice, including if the contest encounters any unexpected problems.
GOVERNING LAW AND DISPUTES: THESE OFFICIAL RULES AND THE PROMOTION ARE GOVERNED BY, AND WILL BE CONSTRUED IN ACCORDANCE WITH, THE LAWS OF THE STATE OF CALIFORNIA AND THE UNITED STATES AND THE FORUM AND VENUE FOR ANY DISPUTE ARISING OUT OF OR RELATING TO THESE OFFICIAL RULES SHALL BE IN THE COUNTY OF SAN MATEO COUNTY, CALIFORNIA. IF THE CONTROVERSY OR CLAIM IS NOT OTHERWISE RESOLVED THROUGH DIRECT DISCUSSIONS OR MEDIATION, IT SHALL THEN BE RESOLVED BY FINAL AND BINDING ARBITRATION ADMINISTERED BY JUDICIAL ARBITRATION AND MEDIATION SERVICES, INC., IN ACCORDANCE WITH ITS STREAMLINED ARBITRATION RULES AND PROCEDURES OR SUBSEQUENT VERSIONS THEREOF (“JAMS RULES”). THE JAMS RULES FOR SELECTION OF AN ARBITRATOR SHALL BE FOLLOWED, EXCEPT THAT THE ARBITRATOR SHALL BE EXPERIENCED AND LICENSED TO PRACTICE LAW IN CALIFORNIA. ANY SUCH CONTROVERSY OR CLAIM WILL BE ARBITRATED ON AN INDIVIDUAL BASIS, AND WILL NOT BE CONSOLIDATED IN ANY ARBITRATION WITH ANY CLAIM OR CONTROVERSY OF ANY OTHER PARTY. ALL PROCEEDINGS BROUGHT PURSUANT TO THIS PARAGRAPH WILL BE CONDUCTED IN THE COUNTY OF SAN MATEO, CALIFORNIA, UNITED STATES. THE REMEDY FOR ANY CLAIM SHALL BE LIMITED TO ACTUAL DAMAGES, AND IN NO EVENT SHALL ANY PARTY BE ENTITLED TO RECOVER PUNITIVE, EXEMPLARY, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING ATTORNEY’S FEES OR OTHER SUCH RELATED COSTS OF BRINGING A CLAIM, OR TO RESCIND THIS AGREEMENT OR SEEK INJUNCTIVE OR ANY OTHER EQUITABLE RELIEF.
DISCLAIMER: This promotion is in no way sponsored, endorsed or administered by, or associated with Facebook, Twitter, Youtube, Pinterest, LinkedIn, Google or Instagram.
How can analytics transform the world of accounting?
As I have shared elsewhere within this series, businesses are increasingly using analytics to improve their internal and external facing business processes and to strengthen their “right to win” within the markets that they operate. To do this, many firms start with their enabling business capabilities. Clearly, “analytics can help transform just about any part of a business or organization. Many organizations start where they make money—in customer relationships” (Analytics at Work, Harvard Business Review Press, page 9).
The world of accounting is no different. However, in Grant Thornton’s case, it has determined that better customer data can actually help it improve its business capabilities system related to both back office and front office processes. For purposes of this discussion, “a capability is the ability to reliably and consistently deliver a distinctive outcome relevant to the business” (The Essential Advantage, Harvard Business Review Press, Page 14).
Relating Client profitability to quality of work performed
In terms of improving its back office processes, Grant Thornton wants to get a better understanding of client profitability as well as the quality of work that is actually being performed for each of its clients. These two measures are of course related over the longer haul. As Theodore Levitt indicated in Marketing Myopia, “the purpose of a business is to create and keep a customer”. And client profitability and the lifetime value of a customer on a longer term basis are related to the quality of work performed. To improve both, Grant Thornton is creating and providing access to a number of business critical metrics around staffing, quality of delivery, and profit versus cost of each customer engagement.
Accounting for the total customer relationship
At the same time, Grant Thornton has determined that they need to use their customer data in order to get to know their customers better. At Informatica, we like to call this the total customer relationship. Just like other service based businesses, Grant Thornton wants to improve its ability to cross sell and upsell. For example, if I am doing audit work, can I also do tax or other business services? To make this a reality, they need, like just about every other business, a single view of the customer.
Accounting from the numbers not gut feel
To make both of these a reality, Grant Thornton has started by getting its critical information out of its applications and into an operational data store—a database designed to integrate data from multiple sources. They are using a mix of traditional ETL tools and new cloud delivered solutions to pull data out of cloud based systems like Microsoft Dynamics. This gives them a truly hybrid data collection environment. With all of their data in hand, they have then loaded it into a data warehouse for reporting. From here they have an initiative to build analytical dashboards for business leaders and customers alike. Their goal is to move decision making from gut feel to data. According to Tom Davenport, “our research suggests that 40 percent of major decisions are based not on facts but on a manager’s gut”. (Analytics at Work, Harvard Business Review Press, page 1).
As I have discussed, firms are starting to use analytics to better manage their core business capabilities. For this reason, analytics are more and more foundational to a business’s right to win. Clearly, the ability to use analytics to keep existing customers by measuring and improving service quality and increase the degree of cross sell is core to Grant Thornton’s ability to retain and grow its existing business.
Download: Grant Thornton Case Study
Author Twitter: @MylesSuer
One of THE biggest challenges in companies today is complexity. To be more specific, unnecessary complexity resulting from silo behaviors and piece-meal point solutions. Businesses today are already extremely complex with the challenges of multiple products, multiple channels, global scale, higher customer expectations, and rapid and constant change, so we certainly don’t want to make the IT solutions more complex than they need to be. That said, I’m on the side of NO, we don’t need a CSO, as this blog recently surveyed its readers. We just need a business architecture practice that does what it’s supposed to.
Data and Information becoming a key corporate asset
According to Barbara Wixom at MIT CISR, “In a digital economy, data and the information it produces is one of a company’s most important assets”. (“Recognizing data as an enterprise asset”, Barbara Wixom, MIT CISR, 3 March 2015). Barbara goes on to suggest that businesses increasingly “need to take an enterprise view of data. They should understand and govern data as a corporate asset, even when data management remains distributed”.
CIOs are not the enterprise data steward
Given that data is a corporate asset, you might expect this would be an area for the CIO’s leadership. However, I heard differently when I recently met with two different groups of CIOs. Regardless of whether the CIOs were public sector or private sector, they told me that they did not want to be the owner of enterprise data. One CIO succinctly put it this way, “we are not data stewards. Governance has to be done by the business—IT is merely the custodians of their data”. These CIOs claim that the reason that the business must own business data and must determine how that data should be managed is because only the business understands the business context around the data.
Given this, the CIOs that I talked to said that IT should not manage data but “should make sure that what the business needs done gets done with data”. CIOs, therefore, own the processes and technology for ensuring data is secured and available when and where the business needs it. Debbie Lew from ISACA put it this way, “IT does not own the data. IT facilitates data”.
So if the management of data is distributed what is the role of the CIO in being a good data custodian?
COBIT 5 provides some concrete suggestions that are worth taking a look at. According to COBIT, IT should make sure information and data owners are established and that they are able to make decisions about data definition, data classification, data security and control, and data integrity. Additionally, IT needs to ensure that the information system provides the “knowledge required to support all staff in their work activities.”
IT must create facilities so knowledge can be used
This means IT organizations need to create facilities so that knowledge can be used, shared and updated. Part of doing this task well involves ensuring the reliable availability of useful information. This should involve keeping the ratio of erroneous or unavailable information to a minimum. Measuring performance here requires looking at the percent of reports that are not delivered on time and the percent of reports containing inaccuracies. These obviously need to be kept to a minimum. Clearly, this function is enabled by backup systems, applications, data and documentation. These should be worked according to a defined schedule that meets business requirements.
Establishing a level of data accuracy that is acceptable to business users starts by building and maintaining an enterprise data dictionary that includes details about the data definition, data ownership, appropriate data security, and data retention and destruction requirements. This involves identifying the data outputs from the source and mapping data storage, location, retrieval and recoverability. It needs to ensure, from a design perspective, that appropriate redundancy, recovery and backup are built into the enterprise data architecture.
IT must enable compliance and security
COBIT 5 stresses the importance of data and information compliance and security. Information needs to be “properly secured, stored, transmitted or destroyed.” This starts with effective security and controls over information systems. To do this, procedures need to be defined and implemented to ensure the integrity and consistency of information stored in databases, data warehouses and data archives. All users need to be uniquely identifiable and have access rights in accordance with their business role. And for business compliance, all business transactions need to be retained for governance and compliance reasons. According to COBIT 5, IT organizations are chartered to ensure the following four elements are established:
- Clear information ownership
- Timely, correct information
- Clear enterprise architecture and efficiency
- Compliance and security
There needs to be a common set of information requirements
But how are these objectives achieved? Effective information governance requires that the business and IT have a strong working relationship. It also requires that information requirements are established. Getting timely and correct information often starts by improving how data is managed. Instead of manually moving data or creating layer over layer of spaghetti code integration, enterprises need to standardize a data architecture that creates a single integration layer among all data sources.
This integration layer increasingly needs to support new sources of data too, and be able to do so at the speed of business. Business users want trustworthy data. An expert on data integration “maintains that at least 20 percent of all raw data is incorrect. Inaccurate data leads data users to question the information their systems provide.” The data system needs to automatically and proactively fix data issues like addresses, missing data and data format problems. Once this has been accomplished, it needs to go after redundancies in customers and transactions. With multiple IT-managed transaction systems, it is easy to misstate both customers and customer transactions. It is also possible to miss potential business opportunities. All of these steps are required to get accurate data.
Data needs to be systematically protected
Additionally, data needs to be systematically protected. This means that user access to data needs to be managed systematically across all IT-managed systems. Typical data integrations move data between applications without carrying over the source data systems’ protection rules, so a data security issue at any point in the IT system can expose all data. At the same time, enterprises need to control exactly what data is moved into test environments and production environments. Enterprises must also ensure that a common set of security governance rules is established and maintained across the entire enterprise, including data being exchanged with partners, employees and contractors who use data outside of the enterprise firewall.
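As an added example (not Informatica’s or COBIT’s code), here is the dictionary-driven approach from the accuracy paragraph above and this one in Python: a constructed enterprise data dictionary records each field’s owner, sensitivity class and retention period, and that single set of rules decides what may be copied into a test environment and what must be destroyed instead. The field names, sensitivity classes, salt and sample record are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

@dataclass(frozen=True)
class DictionaryEntry:
    owner: str           # business owner accountable for the field
    sensitivity: str     # constructed classes: "internal", "pii", "phi"
    retention_days: int  # retention period after which the data is destroyed

# Constructed data dictionary for a hypothetical patient-billing extract.
DATA_DICTIONARY = {
    "patient_id":     DictionaryEntry("Revenue Cycle", "pii", 7 * 365),
    "ssn":            DictionaryEntry("Compliance", "pii", 7 * 365),
    "diagnosis_code": DictionaryEntry("Clinical Informatics", "phi", 7 * 365),
    "billed_amount":  DictionaryEntry("Finance", "internal", 7 * 365),
    "service_date":   DictionaryEntry("Finance", "internal", 7 * 365),
}

# Constructed sample record (not real data).
SAMPLE_RECORD = {"patient_id": "P1001", "ssn": "123-45-6789", "diagnosis_code": "E11.9",
                 "billed_amount": 250.0, "service_date": date(2014, 6, 1)}

# Placeholder salt; a real deployment keeps one per environment in a secret store.
TEST_SALT = b"test-env-salt-placeholder"

def pseudonym(value: str) -> str:
    """Deterministic token: equal inputs map to equal tokens, so test joins still work."""
    return "T" + hashlib.sha256(TEST_SALT + value.encode()).hexdigest()[:12]

def mask_for_test(record: dict) -> dict:
    """Transform one record field by field according to its dictionary class.
    A field with no dictionary entry is refused: undocumented data stays put."""
    masked = {}
    for field, value in record.items():
        entry = DATA_DICTIONARY.get(field)
        if entry is None:
            raise KeyError(f"{field!r} has no data dictionary entry")
        if entry.sensitivity == "pii":
            masked[field] = pseudonym(str(value))  # linkable, not identifying
        elif entry.sensitivity == "phi":
            masked[field] = "REDACTED"             # never leaves production
        else:
            masked[field] = value                  # internal data passes as-is
    return masked

def past_retention(record: dict, today: date, date_field: str = "service_date") -> bool:
    """True when the record has outlived its retention period and must be destroyed."""
    limit = timedelta(days=DATA_DICTIONARY[date_field].retention_days)
    return record[date_field] + limit < today
```

Because the same dictionary drives both the masking and the retention check, a change to a field’s classification or retention period applies to every copy job at once rather than to whichever spreadsheet happened to be current.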
Clearly, COBIT 5 suggests that CIOs cannot completely divorce themselves from data governance. Yes, CIOs are data custodians, but there are clear and specific tasks that the CIO and their staff must uniquely take on. Otherwise, a good foundation for data governance cannot be established.
Data Governance, the art of being Regulation Ready, is about a lot of things, but one thing is clear. It’s NOT just about the technology. Have you ever been in one of those meetings, probably more than a few, where committees and virtual teams discuss the latest corporate initiatives? You know, those meetings where you want to dip your face in lava and run into the ocean? Because at the end of the meeting, everyone goes back to their day jobs and nothing changes.
Now comes a new law or regulation from the governing body du jour. There are common threads to each and every regulation related to data. Laws like HIPAA even had entire sections dedicated to the types of filing cabinets required in the office to protect healthcare data. And the same is true of regulations like BCBS 239, CCAR reporting and Solvency II. The laws ask: what are you reporting, how did you get that data, where has it been, what does this data mean and who has touched it? Virtually all of the regulations dealing with data have those elements.
So it behooves an organization to be Regulation Ready. This means those committees and virtual teams need to be driving cultural and process change. It’s not just about the technology; it’s as much about people and processes. Every role in the organization, from the developer to the business executive, should embed the concepts of data governance in their daily work. From the time a developer or architect builds a new system, they need to document and define everything, every piece of data. It reminds me of my days writing code and remembering to comment each code block. And the business executive likewise shares business rules and definitions from the top so they can be integrated into the systems that eventually have to report on them.
Finally, the processes that support a data governance program are augmented by the technology. It may seem sufficient that systems are documented in spreadsheets and documents, but those are increasingly error prone and, in the end, not reliable in an audit.
Informatica is the market leader in data management infrastructure for being Regulation Ready. This means everything, from data movement and quality to definitions and security. Because at the end of the day, once you have the people culturally integrated and the processes supporting the data workload, a centralized, high-performance and feature-rich technology needs to be in place to complete the trifecta. Informatica is pleased to offer the industry this leading technology as part of a comprehensive data governance foundation.
Informatica will be sharing this vision at the upcoming Annual FIMA 2015 Conference in Boston from March 30 to April 1. Come and visit Informatica at FIMA 2015 in Booth #3.
I recently got to talk to several senior IT leaders about their views on information governance and analytics. Participating were a telecom company, a government transportation entity, a consulting company, and a major retailer. Each shared openly in what was a free flow of ideas.
The CEO and corporate culture are critical to driving a fact-based culture
I started this discussion by sharing the COBIT Information Life Cycle. Everyone agreed that the starting point for information governance needs to be business strategy and business processes. However, this caused an extremely interesting discussion about enterprise analytics readiness. Most said that they are in the midst of leading the proverbial horse to water—in this case the horse is the business. The CIO in the group said that he personally is all about the data and making factual decisions. But his business is not really there yet. I asked everyone at this point about the importance of culture and the CEO. Everyone agreed that the CEO is incredibly important in driving a fact-based culture. Apparently, people like the new CEO of Target are in the vanguard and not the mainstream yet.
KPIs need to be business drivers
The above CIO said that too many of his managers are operationally, day-to-day focused and don’t understand the value of analytics or of predictive analytics. This CIO said that he needs to teach the business to think analytically and to understand how analytics can help drive the business, as well as how to use Key Performance Indicators (KPIs). The enterprise architect in the group shared at this point that he had previously worked for a major healthcare organization. When the organization was asked to determine a list of KPIs, it came back with 168 KPIs. Obviously, this could not work, so he explained to the business that an effective KPI must be a “driver of performance”. He stressed to the healthcare organization’s leadership the importance of having fewer KPIs and of having those that get produced be about business capabilities and performance drivers.
IT increasingly needs to understand its customers’ business models
I shared at this point that I visited a major Italian bank a few years ago. The key leadership had high-definition displays that would roll by an analytic every five minutes. Everyone laughed at the absurdity of having so many KPIs. But with this said, everyone felt that they needed to get business buy-in, because only the business can derive the value from acting upon the data. According to this group of IT leaders, this is increasingly pushing them to understand their customers’ business models.
Others said that they were trying to create an omni-channel view of customers. The retailer wanted to get more predictive. While Theodore Levitt said the job of marketing is to create and keep a customer, this retailer is focused on keeping the customer and bringing them back more often. They want to give customers offers that use customer data to increase sales, much like what I recently described happening at 58.com, eBay, and Facebook.
Most say they have limited governance maturity
We talked about where people are in their governance maturity. Even though I wanted to gloss over this topic, the group wanted to spend time here and compare notes with each other. Most said that they were at stage 2 or 3 in a five-stage governance maturity process. One CIO said, gee, is anyone ever at level 5? Like analytics, governance was being pushed forward by IT rather than the business. Nevertheless, everyone said that they are working to get data stewards defined for each business function. At this point, I asked about the elements that COBIT 5 suggests go into good governance. I shared that it should include the following four elements: 1) clear information ownership; 2) timely, correct information; 3) clear enterprise architecture and efficiency; and 4) compliance and security. Everyone felt the definition was fine but wanted specifics with each element. I referred them and you to my recent article in COBIT Focus.
CIO says they are the custodians of data only
At this point, one of the CIOs said something incredibly insightful. We are not data stewards. This has to be done by the business—IT is the custodian of the data. More specifically, we should not manage data, but we should make sure what the business needs done gets done with data. Everyone agreed with this point and even reused the term “data custodians” several times during the next few minutes. Debbie Lew of COBIT said just last week the same thing. According to her, “IT does not own the data. They facilitate the data”. From here, the discussion moved to security and data privacy. The retailer in the group was extremely concerned about privacy and felt that they needed masking and other data-level technologies to ensure a breach minimally impacts their customers. At this point, another IT leader in the group said that it is the job of IT leadership to make sure the business does the right things in security and compliance. I shared here that one of my CIO friends had said that “the CIOs at the retailers with breaches weren’t stupid—it is just hard to sell the business impact”. The CIO in the group said, we need to do risk assessments—also a big thing for COBIT 5—that get the business to say we have to invest to protect. “It is IT’s job to adequately explain the business risk”.
Is mobility a driver of better governance and analytics?
Several shared towards the end of the evening that mobility is an increasing impetus for better information governance and analytics. Mobility is driving business users and business customers to demand better information and, thereby, better governance of information. Many said that a starting point for providing better information is data mastering. These attendees felt as well that data governance involves helping the business determine its relevant business capabilities and business processes. It seems that these should come naturally, but once again, IT for these organizations seems to be pushing the business across the finish line.
Blogs and Articles: