A recent Associated Press headline touted that a study warns the US must develop cyber intelligence. Since Information Security is one of the pillars of Information Governance, the article should raise alarm bells for some businesses. Many businesses have been so intent on containing costs that, in the rush to outsource more and more of their data management, they have unwittingly exposed themselves to increased risks. They rely upon blind trust that the security offered by the vendor will be sufficient.
Effectively, these businesses are, rightly or wrongly, abdicating a portion of their security and risk management to a third party. The article states, “the report warns that the U.S. has also outsourced much of the design and maintenance of computer technology to other countries where potential adversaries can easily insert themselves into the supply chain.” While some businesses have consciously chosen to keep their critical systems on-shore specifically because of this risk, others have put short-term gains ahead of the risks posed by outsourcing. Still others have chosen to mitigate the risk by choosing in-country vendors, not realizing that the vendor uses off-shore resources. Cloud computing and outsourcing clearly have a place in our world today.
There are clear and compelling reasons to turn over some data management to a trusted third party. The key word is “trusted.” The risk is not the act of outsourcing; the risk is failing to manage the security and trust once that path is chosen. So how should you manage this trust? Here are some ideas:
- Build detailed security planning into your outsourcing contract, then audit compliance. Remember, trust but verify.
- Keep a mirror site on-shore. This helps mitigate the risk of a sudden disruption in service between you and your off-shore resources.
- Keep security functions on-shore and in-house. This includes managing access controls and all monitoring functions.
- Closely couple the Security function to your Information Governance efforts and ensure you know which data is high value and high risk.
- Look into the local laws in the country hosting your data management. What do they specify regarding access and disclosure?
- If you cannot audit and monitor the third-party work on your data and systems, rethink your strategy.
- Include outsourcing as a subject area in your Risk Management efforts.
Lastly, use data governance practices to understand your full information supply chain. Keep verifiable records of how information moves around your organization from the time you first acquire the data to the point where it is aggregated, analyzed and presented to people for action. Ensure that data is secure, the systems are robust, and the risks to them are not managed by blind trust.
Funny thing about large data systems: everyone knows the benefits scale due to the application of technology, but many companies turn a blind eye to the fact that so do the risks. Complacency and arrogance (C&A) team up to teach us occasional lessons to learn from, and if the screw-up is grand enough it may even get passed on in college texts.
In the course of a great conversation on Data Governance with Max Gano of Stakeholder Care, we began discussing the application of controls. Max had some great thinking on how they fit into the realm of Data Governance. The conversation reminded me of a RACI Waterfall that I had created a few years back. The RACI was created to show the chain of Responsibility and Accountability with regard to Data Governance. It also served to explain the importance of documenting the intention of controls and linking them to higher authority.
Governance involves the delegation of Responsibility and Accountability as shown in this RACI Waterfall. Governance is only effective when the decision rights have been granted by higher authority and are enforced by those who are responsible and accountable. Governance succeeds only when the chain of responsibility and accountability is unbroken, and the expectations are documented and published as shown below.
It is a simple concept really, but often overlooked when creating a Data Governance program. That is why many governance programs fail. Either they have not obtained the authority to govern from the senior leadership team, or the senior leadership fails to provide the appropriate backing. When the chain of responsibility and accountability is interrupted, the effectiveness of controls and standards is undermined.
This can be avoided by ensuring the leadership team stays engaged and supportive, that expectations are documented, and that compliance is monitored. These need to be non-negotiable elements of your program.
Recently an associate commented that perhaps we could better gain buy-in by answering the question “why now?” Adding the dimension of time was an interesting twist on spelling out the value proposition. After all, many business operations have been running fine for years with only ad-hoc data governance processes. What would be the risk of delaying the implementation of Data Governance for one more year?
Over the last several years, there has been quite a bit of discussion regarding the distinction between data ownership and data stewardship. Stewardship commonly involves the daily and routine caretaking of all aspects of data systems. The roles are highly distributed. Ownership, on the other hand, is more concentrated. If you want to find the data owners, discover whose head would be on a pike following a major data-related disaster such as a financial misstatement or material loss.
