Information technology (IT) is a core function that contributes to, and is impacted by information governance (IG) program efforts. IT departments typically have been charged with keeping the “plumbing” of IT intact—the network, servers, applications, and data. However, while the output of IT is in their custody, they have not been held to account for it; that is, the information, reports, and databases they generate have long been held to be owned by users in business units. This has left a gap of responsibility for governing the information that is being generated and managing it in accordance with legal and regulatory requirements, standards, and best practices.
Certainly, on the IT side, shared responsibility for IG means the IT department itself must take a closer look at IT processes and activities with an eye to IG. A focus on improving IT efficiency, software development processes, and data governance and quality will help contribute to the overall IG program effort. IT is an integral piece of the program.
Debra Logan, vice president and distinguished analyst at Gartner, states:
Information governance is the only way to comply with regulations, both current and future, and responsibility for it lies with the CIO and the chief legal officer. When organizations suffer high-profile data losses, especially involving violations of the privacy of citizens or consumers, they suffer serious reputational damage and often incur fines or other sanctions. IT leaders will have to take at least part of the blame for these incidents.1
Gartner predicted that the need to implement IG is so critical that significant numbers of chief information officers (CIOs) will be terminated for their inability to implement IG successfully. Data breaches, ransomware attacks, and significant system downtime all end up on the CIO's doorstep. And if serious enough, the CEO can even be held to account for IT department deficiencies and mistakes.
Aaron Zornes, chief research officer at the MDM (Master Data Management) Institute, stated: “While most organizations’ information governance efforts have focused on IT metrics and mechanics such as duplicate merge/purge rates, they tend to ignore the industry- and business-metrics orientation that is required to ensure the economic success of their programs.”2
Four IG best practices in this area can help CIOs and IT leaders to be successful in delivering business value as a result of IG efforts:
To garner the resources and time needed to implement an IG program, you must develop a business case in real, measurable terms and tie it to corporate objectives. When executives see this alignment of objectives, they are more likely to support an IG program. The business case must be presented in order to gain executive sponsorship, which is an essential component of any IG effort. Without executive sponsorship, the IG effort will fail. Making the business case and having metrics to measure progress and success toward meeting business objectives are absolute musts.
Technology often fascinates those in IT—to the point of obfuscating the reason that technologies are leveraged in the first place: to deliver business benefit. Therefore IT needs to reorient its language, its vernacular, its very focus when implementing IG programs. IT needs to become more business savvy, more businesslike, more focused on delivering business benefits that can help the organization to meet its business goals and achieve its business objectives. “Business leaders want to know why they should invest in an information governance program based on the potential resulting business outcomes, which manifest as increased revenues, lower costs and reduced risk.”3
You cannot simply take a boilerplate IG plan, implement it in your organization, and expect it to be successful. Sure, there are components that are common to all industries, but tailoring your approach to your organization is the only way to deliver real business value and results. That means embarking on an earnest effort to develop and sharpen your business goals, establishing business objectives that consider your current state and capabilities and external business environment and legal factors unique to your organization. It also means developing a communications and training plan that fits with your corporate culture. And it means developing meaningful metrics to measure your progress and the impact of the IG program, to allow for continued refinement and improvement.
IG requires a cross-functional effort, so you must be speaking the same language, which means the business terms you use in your organization must be standardized. This is the very minimum to get the conversation started. But IG efforts will delve much more deeply into the organization of information and seek to standardize the taxonomy for organizing documents and records and even the metadata fields that describe in detail those documents and records across the enterprise.
Overall, being able to articulate the business benefits of your planned IG program will help you recruit an executive sponsor, help the program gain traction and support, and help you implement the program successfully.4
Several key foundational programs should support your IG effort in IT, including data governance, master data management (MDM), IT governance, and implementing accepted IT standards and best practices.
We touched on data governance in Chapter 2. In today's business environment, data is mountainous, data is growing, data is valuable, and the insights that can be gained by analyzing clean, reliable data with the latest analytics tools are a sort of new currency. This is where the principles of infonomics enter into play. There are nuggets of gold in those mountains of data. Some insights can be monetized or leveraged for economic advantage. And leveraging those discoveries can provide a sustainable competitive advantage for the organization in areas such as customer acquisition, customer retention, and customer service.
The challenge is largely in garnering control over data and in cleaning, securing, and protecting it; doing so requires effective data governance strategies. But data governance is not only about cleaning and securing data; it is also about delivering it to the right people at the right time (sometimes this means in real time) to provide strategic insights and opportunities. If a data governance program is successful, it can add profits directly to the bottom line, while improving productivity for knowledge workers.5
Data governance involves processes and controls to ensure that information at the data level—raw data that the organization is gathering and inputting—is true and accurate, and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication to eliminate redundant occurrences of data.
Data governance focuses on information quality from the ground up (at the lowest or root level), so that subsequent reports, analyses, and conclusions are based on clean, reliable, trusted data (or records) in database tables. Data governance is the most fundamental level at which to implement IG. Data governance efforts seek to ensure that formal management controls—systems, processes, and accountable employees who are stewards and custodians of the data—are implemented to govern critical data assets to improve data quality and to avoid negative downstream effects of poor data.
Data governance is a newer, hybrid quality control discipline that includes elements of data quality, data management, IG policy development, business process improvement, and compliance and risk management.
Good data governance programs should extend beyond the enterprise to include external stakeholders (suppliers, customers) so an organization has its finger on the pulse of its extended operations. In other words, enforcing data governance at the earliest possible point of entry—even external to the organization—can yield significant efficiencies and business benefits downstream. And combining data governance with real-time business intelligence (BI) and data analytics software not only can yield insights into significant and emerging trends but also can provide solid information for decision makers to use in times of crisis—or opportunity.
Nine key steps you can take to govern data effectively are listed next:
From a risk management perspective, data governance is a critical activity that supports decision makers and can mean the difference between retaining a customer and losing one. Protecting your data is protecting the lifeblood of your business, and improving the quality of the data will improve decision making, foster compliance efforts, and yield competitive advantages.
The Data Governance Institute has created a data governance framework, a visual model to help guide planning efforts and a “logical structure for classifying, organizing, and communicating complex activities involved in making decisions about and taking action on enterprise data.”8 (See Figure 10.1.) The framework applies more to larger organizations, which have greater complexity, greater internal requirements, and greater, more complex regulatory demands. It allows for a conceptual look at data governance processes, rules, and people requirements.
Information management is a principal function of IT. It is complex and spans a number of subdisciplines but can be defined as the “application of management techniques to collect information, communicate it within and outside the organization, and process it to enable managers to make quicker and better decisions.”9 It is about managing information, which is more than just collecting and processing data from varying sources and distributing it to various user audiences. It includes a number of subcomponent tasks, including these four key functions:
Master data management (MDM) is a technology-enabled discipline in which business and IT work together to ensure the uniformity, accuracy, stewardship, semantic consistency and accountability of the enterprise's official shared master data assets. Master data is the consistent and uniform set of identifiers and extended attributes that describes the core entities of the enterprise including customers, prospects, citizens, suppliers, sites, hierarchies and chart of accounts.12
What is the business impact? How are operations enhanced and how does that contribute to business goals? One set of reliable, clean data is critical to delivering quality customer service, reducing redundant efforts and therefore operational costs, improving decision making, monetizing data, and even potentially to lower product and marketing costs. A unified view of customers, products, or other data elements is critical to turning these business goals into reality.
Again, the larger the organization, the greater the need for MDM.
The importance of data modeling as a foundation for the application development process is depicted in Figure 10.2.
Once the data model is developed, business rules and logic can be applied through application development. A user interface is constructed for the application, followed by movement of data or e-documents through work steps using workflow capabilities, and then integration with existing applications (e.g. enterprise resource planning or customer relationship management systems). Typically this is accomplished through an application programming interface, a sort of connector that allows interaction with other applications and databases.
There are six approaches to data modeling:
Figure 10.3 shows different categories of data.
As introduced in Chapter 2, IT governance is about efficiency and value creation. IT governance is the primary way that stakeholders can ensure that investments in IT create business value and contribute toward meeting business objectives.22 This strategic alignment of IT with the business is challenging yet essential. IT governance programs go further and aim to improve IT performance, deliver optimum business value, and ensure regulatory compliance.
Although the CIO typically has line responsibility for implementing IT governance, the chief executive officer and board of directors must receive reports and updates to discharge their responsibilities for IT governance and to see that the program is functioning well and providing business benefits.
The focus of governance in IT is on the actual software development and maintenance activities of the IT department or function, and IT governance efforts focus on making IT efficient and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information quality, and project management best practices while aligning IT efforts with the business objectives of the organization.
Several IT governance frameworks can be used as a guide to implementing an IT governance program.
Although frameworks and guidance like COBIT® and ITIL have been widely adopted, there is no absolute standard IT governance framework; the combination that works best for your organization depends on business factors, corporate culture, IT maturity, and staffing capability. The level of implementation of these frameworks will also vary by organization.
COBIT (Control Objectives for Information and Related Technology) is a process-based IT governance framework that represents a consensus of experts worldwide. It was codeveloped by the IT Governance Institute and ISACA. COBIT addresses business risks, control requirements, compliance, and technical issues.23 The latest version is COBIT 2019.24 Some changes and updates include:
COBIT offers IT controls that:
COBIT consists of detailed descriptions of processes required in IT and tools to measure progress toward maturity of the IT governance program. It is industry agnostic and can be applied across all vertical industry sectors, and it continues to be revised and refined.26
COBIT is broken into three basic organizational levels and their responsibilities: (1) board of directors and executive management; (2) IT and business management; and (3) line-level governance, security, and control knowledge workers.
The COBIT model draws on the traditional “plan, build, run, monitor” paradigm of IT management, only with variations in semantics. There are four IT domains in the COBIT framework, which contain 40 governance and management objectives for IT processes and also control objectives that map to the four specific IT processes of:
Specific goals and metrics are assigned, and responsibilities and accountabilities are delineated.
The COBIT framework maps to ISO 17799 of the International Organization for Standardization and is compatible with Information Technology Infrastructure Library (ITIL) and other accepted practices in IT development and operations.
ValIT is a newer value-oriented framework that is compatible with and complementary to COBIT. Its principles and best practices focus on leveraging IT investments to gain maximum value. Forty key ValIT essential management practices (analogous to COBIT's control objectives) support three main processes: value governance, portfolio management, and investment management. ValIT and COBIT “provide a full framework and supporting tool set” to help managers develop policies to manage business risks and deliver business value while addressing technical issues and meeting control objectives in a structured, methodical way.
ITIL is a set of process-oriented best practices and guidance originally developed in the United Kingdom to standardize delivery of IT service management. ITIL is applicable to both the private and public sectors and is the “most widely accepted approach to IT service management in the world.”27 As with other IT governance frameworks, ITIL provides essential guidance for delivering business value through IT, and it “provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth.”28
ITIL best practices form the foundation for ISO/IEC 20000 (previously BS 15000), the International Service Management Standard for organizational certification and compliance.29 ITIL 2011 is the latest revision (as of this writing). It consists of five core published volumes that map the IT service cycle in a systematic way:
ISO/IEC 38500:2015 is an international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient use of IT.30 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” performed at the IT service level, but the guidance assists executives in monitoring IT and ethically discharging their duties with respect to legal and regulatory compliance of IT activities.
The ISO 38500 standard comprises three main sections:
It is largely derived from AS 8015, the guiding principles of which were:
The standard also has relationships with other major ISO standards, and embraces the same methods and approaches.31
Although security is a topic primarily for Chapter 11, it is a technical topic that we address here as well. Best practices have been developed over the past few years and can prevent leakage of structured data from databases and Web services due to SQL injection (where attackers supply crafted input that the application passes to the database as part of a query) and other types of attacks.
An organization and its data need to be connected to its stakeholders—employees, customers, suppliers, and strategic partners. In this interconnected world that keeps expanding (e.g. cloud, mobile devices), proprietary data is exposed to a variety of threats. It is critical to protect the sensitive information assets that reside in your databases.32
Perimeter security often is easily penetrated. Web apps are vulnerable to attacks such as SQL injection (a favorite among malicious approaches). Hackers also can gain access by spear phishing (very specific phishing attacks that include personal information) to glean employee login credentials in order to get access to databases.
Streamlining your approach to database security by implementing a uniform set of policies and processes helps in compliance efforts and reduces costs. Here are some proven database security best practices:33
Implementing these best practices will help keep sensitive data in your databases secure.
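The SQL injection risk named above, shown as an added example that is not from the book: the same customer lookup written with string-built SQL and with a bound parameter, run against a constructed in-memory SQLite table so the difference in what each query returns can be observed. The table, rows and the odd input are all constructed here and are not taken from any real system.

```python
"""Constructed example: one customer lookup written two ways, so the
difference between string-built SQL and parameterized SQL is observable.
All data below is constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a small in-memory customer table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, tier TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, tier) VALUES (?, ?)",
        [
            ("alice@example.com", "gold"),
            ("bob@example.com", "silver"),
            ("carol@example.com", "gold"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable form: the caller's string is spliced into the SQL text,
    so the database engine cannot distinguish data from query logic."""
    sql = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: a bound parameter is always treated as a value and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Constructed input that is not shaped like an e-mail address at all; an
# input-validation control could reject it before it reaches the database.
ODD_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "alice@example.com"))  # the one matching row
    print(lookup_unsafe(db, ODD_INPUT))            # every row is returned
    print(lookup_safe(db, ODD_INPUT))              # no row matches
```

The unsafe variant returns the whole table for the odd input, which is exactly the leakage of structured data the text describes; the parameterized variant returns nothing because the input is compared as a plain value.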
Multiple frameworks and standards can be applied to the IT process to more effectively govern it and focus the processes on business impact. Beginning with a robust data governance program, organizations can ensure, at the more fundamental level, that the information they are using to base decisions on is clean, reliable, and accurate. Implementing an MDM program will help larger organizations with complex IT operations ensure that they are working with consistent data from a single source. Implementing the COBIT 5 business framework for delivering IT results will help support a more efficient IT operation and include other major frameworks, standards, and best practices. Leveraging the use of the ISO 38500 standard will help senior executives to better manage and govern IT operations, and employing database security best practices will help guard against outside threats.