Using COBIT 5 to Deliver Information and Data Governance

DISCUSS THIS ARTICLE
Using COBIT 5 to Deliver
Information and Data Governance
By Myles Suer, ITIL, and Roger Nolan
COBIT Focus | 12 January 2015
COBIT® 5 provides guidance for IT practitioners and business leaders regarding the governance and
management of data and information. COBIT 5 starts by providing an overarching set of business
recommendations. For example, COBIT 5 suggests that business leaders include in their balanced
scorecard the following topics: compliance, financial transparency and information-based strategic
decision making. COBIT also establishes an information life cycle function where data are enriched to
become information and information is enriched with context to become knowledge that has enterprise
value (figure 1).
Figure 1—COBIT 5 Information Life Cycle
Source: ISACA,
COBIT 5 , USA, 2012. Reprinted with permission
The enterprise goals flow, in turn, into a set of IT-enabling processes for information and data
governance. Here, COBIT 5 suggests that IT organizations start by defining, with their business
customers, their information data system. COBIT 5 holds IT responsible for fostering the definition of and
responsibilities for the ownership of information/data and information systems. Chief information officers
(CIOs), in general, acknowledge that the business must own the data and must determine how specific
data are managed. This is because only the business understands the business context of the data. CIOs
own the processes and technology for ensuring data are secured and available when and where the
business needs them.
After CIOs have established processes and technology, they need to make sure information and data
owners can make decisions about data definition, data classification, data security and control, and data
integrity. Additionally, they need to ensure that the information system provides the “knowledge required
1|Page
to support all staff in their work activities and informed decision making and enhanced productivity.”1 This
means IT needs to create facilities so that knowledge is used, shared and updated. This starts by
identifying, defining and classifying all sources of information.
Part of doing this successfully involves ensuring the availability of reliable and useful information for
decision making. This clearly involves keeping the ratio of erroneous or unavailable information to a
minimum. Limiting erroneous decision making also involves ensuring that reporting is complete, timely
and accurate.2 Measuring performance here involves looking at the percent of reports that are not
delivered on time and the percent of reports containing inaccuracies. These obviously need to be kept to a
minimum. Clearly, this function is enabled by backup systems, applications, data and documentation.
These should be worked according to a defined schedule that meets business requirements. However,
business leaders should recognize that most every source system has a level of bad data. Given this, it is
important to understand the impact of data on the business and maintain a level of data accuracy that is
acceptable to business users.
Business leaders should recognize that most every source
system has a level of bad data.
COBIT defines a set of enabling processes for enterprise architects. These require that a common
architecture be put together consisting of “business processes, information, data, application, and
technology layers for effectively and efficiently realizing enterprise strategies.”3 The enterprise
architecture needs to provide a description of baseline and target enterprise architectures that will support
the organization’s strategic direction.
The enterprise architecture layer should also represent the differing building blocks that make up the
enterprise and their interrelationships, as well as the principles guiding their design and evolution over
time. A key element of this involves establishing a common understanding of the business context of the
data. This requires building and maintaining an enterprise data dictionary that promotes a common
understanding and classification schemes that include details about the data definition and business
context, data ownership, appropriate data security, and data retention and destruction requirements.
COBIT requires classifying data inputs and outputs according to enterprise architecture standards. This
includes the source data collection design, the data inputs regardless of sources, the validation for
processing transactions and the methods for validation. This can include identifying the data outputs from
the source. At the same time, it can include mapping data storage, location, retrieval and recoverability.
From a design perspective, appropriate redundancy, recovery and backup should be built into the
architecture. Obviously, any system component should ensure availability and data integrity.
Another architecture element looks at optimizing the use of resources. This means answering the following
questions:
 What percentage of architecture components are reused?
 How many repositories of enterprise data does the organization have?
 Is spaghetti code strung from application to application, or is there a unified enterprise data
integration architecture where data are resources that are accessible and sharable across all
applications, processes and analyses?
Finally, COBIT 5 stresses the importance of data and information compliance and security. Information
needs to be “properly secured, stored, transmitted or destroyed.”4 This starts with effective security and
controls over information systems. This means that procedures need to be defined and implemented to
ensure the integrity and consistency of information stored in databases, data warehouses and data
archives. COBIT requires IT to manage the number of security incidents that cause financial loss, business
disruption or public embarrassment.5 Security of information, processing infrastructure and applications is
critical today, as attacks such as the 2013 Target breach have proven. Clearly, information security
solutions need to be operated consistently throughout the enterprise. All users need to be uniquely
identifiable and have access rights in accordance with their business role. And for business compliance, all
2|Page
business transactions need to be retained for governance and compliance reasons. 6
COBIT 5 establishes seven enablers to drive better information and data governance and management.
Each of the enablers has goals and metrics that aim to drive better control and hopefully, over time,
improvement of:
 Management of IT-related business risk
 Transparency of IT costs, benefits and risk
 Security of information, processing infrastructure and applications
 IT compliance with internal policies
 Risk thresholds definition and communication
 Managing critical IT-related enterprise risk effectively and efficiently
 Ensuring that IT-related risk does not exceed the enterprise risk appetite
COBIT Data Governance Requirements
COBIT 5 defines multiple components of governance for IT organizations. Good governance “ensures that
stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise
objectives to be achieved; setting direction through prioritization and decision making; and monitoring
performance and compliance against agreed-on direction and objectives.”7 According to COBIT 5, data
governance requires the following four elements:
 Clear information ownership
 Timely, correct information
 Clear enterprise architecture and efficiency
 Compliance and security
But how are all of these objectives achieved? Information ownership requires that business and IT
establish and maintain a good working relationship around data governance. It also requires that a
common set of information requirements be established. This demands that up-to-date and future-state
enterprise architectures are in place. According to the book Enterprise Architecture as Strategy, this
involves creating “the organizing logic for business processes and IT infrastructure, reflecting the (data)
integration and standardization requirements of the company’s operating model.”8 But how does an
enterprise achieve timely, correct information and better manage enterprise compliance and security?
Enterprises need to standardize a data architecture that
creates a single integration layer among all data sources.
Getting timely and correct information starts by eliminating manual data massaging and movement. In
recent discussions with chief financial officers (CFOs), many have shared their need to first manually pull
data and then massage the data and finally move the massaged data between one or more data sources.
Eliminating this requires an enterprise architecture that creates a more systematic approach to data
management. Instead of manually moving data or creating layer over layer of spaghetti code integration,
enterprises need to standardize a data architecture that creates a single integration layer among all data
sources. This is critical to realizing the benefits of enterprise architecture. This will also enable repeatable
processes, skills reuse and continuous improvement that will be critical for the integration system to keep
up with the emerging demands of the business. An integration layer also increasingly needs to support
new and existing sources of data and be able to do so at the speed of business. This way, information is
delivered in a timely fashion. But having automated integration does not go far enough. Business users
want trustworthy data. In the data integration business, it is called the veracity of data. “Veracity refers to
the quality or cleanliness of data and how certain one is that the data [being used] is indeed accurate.”9
An expert on data integration “maintains that at least 20 percent of all raw data is incorrect. Inaccurate
data leads data users to question the information their systems provide.”10 Even worse, Bloor Research
estimates that data quality erodes at 1 to 1.5 percent per month if not actively managed.11
So, how does one fix this? It requires people, processes and tools. Data stewards need a data system that
3|Page
actively manages the quality of data and does so at multiple layers. First, it needs to set up rules from the
business perspective to manage data from their first entrance point into the enterprise. These rules should
be established and managed by business users to ensure that data are accurate. Second, the business
users need tools to be able to monitor the ongoing quality of their data. And when a rule fails, the
business user, not an IT leader, needs to be enabled to take action.
Beyond this, the data system need to automatically and proactively fix data issues like addresses, missing
data and data format problems. And once this has been accomplished, it needs to go after redundancies in
customers and transactions. With multiple IT-managed transaction systems, it is easy to misstate both
customers and customer transactions. It is also possible to miss potential business opportunities. All of
these are required to get accurate data.
With integration and quality, business users are able to relate traditional and nontraditional data sources.
The relationship among social, mobile, machine data and traditional data offers amazing potential to
provide business value through initiatives such as enhanced customer service. By connecting or fusing
these data sources, it becomes possible to discover new business insights and drive new or improved
business outcomes.
The relationship among social, mobile, machine data and
traditional data offers amazing potential to provide
business value...
Additionally, data need to be systematically protected. This means that user access to data needs to be
managed systematically across all IT-managed systems. Typical data integrations move data between
applications without protecting the source data systems’ rules. A data security issue at any point in the IT
system can expose all data. At the same time, enterprises need to control exactly what data are moved in
test environments and product environments. Enterprises must also ensure that a common set of security
governance rules is established and maintained across the entire enterprise, including data being
exchanged with partners, employees and contractors using data outside of the enterprise firewall.
Data must also be protected from a compliance perspective. This means that enterprises need to manage
the life cycle of data and ensure the retention of any and all compliance-related data. This life cycle may
require different approaches for different phases. COBIT 5 distinguishes four phases: plan, design,
build/acquire and use/operate. The planning phase involves identification of objectives, information
architecture, and standards and definitions. The design phase involves the implementation of what is
planned. The build/acquire phase involves the creation of data records, the purchase of data and the
loading of external files. And finally, the use/operate phase involves the storage, sharing and use of
information. The latter can include monitoring and disposing of information. 12
A key element of the use phase can involve archiving and protecting data as they become inactive. This is
also a key element of the application information life cycle. Concurrently, enterprises need to enable
application developers in the build/acquire phase to work with test data without creating a data exposure
risk. And in the use/operate phase, IT organizations need to be able to audit, block and dynamically mask
sensitive production data or nearby production databases to prevent unauthorized access.
Governance Realization Best Practices
Information and data governance and management initiatives can be very complex and expensive to
implement. The following are a few good practices learned from real-world implementations:
1. Start with an information strategy, people, processes and technology. In that order.
2. Do not try to do it all at once. Many companies have tried and failed at these initiatives because
they did not deliver business value in a reasonable time period. (In fact, COBIT 5 suggests a number
of measures to align IT, commitment of executive management and benefit realization to gauge how
4|Page
well an enterprise is doing here.) Prioritize the most important data based on:
 Regulatory requirements
 Potential impact to the overall business or business initiative where it is being applied
3. Implement the data governance strategy one initiative at a time. This will help with
prioritization and will help align the data governance strategy with business priorities. But it is also
essential that the head of data governance has an overall architecture and plan in place so that islands
of data governance are not created in the process.
4. Standardize the approach to enterprise data governance. This is how an enterprise drives
efficiency and automation while eliminating the islands of data. The approach should:
 Increase IT and business collaboration
 Eliminate manual movement and massaging of data
 Grow with the needs of the business
 Provide an audit trail and end-to-end visibility of the flow of data across the enterprise
Having implemented these best practices, COBIT 5 then requires an enterprise to actively measure data
quality. COBIT 5 does this through a set of data quality goals: intrinsic data quality (information is correct
and reliable), contextual and representational quality (relevance, completeness, currency and ease of
manipulation), and security/accessibility quality (availability, timeliness and access restricted). 13
Good Governance Takes Time and Effort
COBIT 5 recommends that organizations take specific actions to govern data. It also provides a set of ITenabling processes for information and data governance. Some enterprises may already be using some, if
not many, of the COBIT 5 process recommendations. For those who are not, this article lays out a set of
steps that enterprises can take to better govern and manage information. As with most improvement
methodologies, start by taking just one step. Rome was not built in a day and neither is good governance.
The point is to start the improvement journey today. And COBIT provides sound and comprehensive
improvement recommendations to kick things off.
Myles Suer, ITIL
Is a senior manager of solutions marketing at Informatica Corp. Much of his experience has been as a
business intelligence (BI) practitioner. Previously, Suer worked at Hewlitt Packard and Peregrine, where he
led the product management team applying BI and scorecard technology to IT management products.
Prior to HP, Suer led new product initiatives at start-ups and large companies. This included a restart of a
business activity monitoring company. He has also been employed as a software industry analyst.
Roger Nolan
Is a director of solutions marketing for Informatica, currently focusing on next-generation enterprise data
architectures. Prior to Informatica, he worked as an independent consultant, taught in the University of
San Francisco (California, USA) masters of business administration (MBA) program, and managed product
marketing and product management teams for enterprise software at Sun Microsystems, Avaya, Metricom
and other technology companies.
Endnotes
1
ISACA,
COBIT 5, USA, 2012, p. 81
2
ISACA,
COBIT ® 5: Enabling Processes , USA, 2012, p. 47
3
Ibid., p. 63
4
Op cit,
5
Ibid., p. 39
6
Ibid., p. 198
7
Ibid., p. 89
8
Ross, J.; P. Weill; D. Robertson; Enterprise Architecture as Strategy, Harvard Business Press, 2006
COBIT 5, p. 113
5|Page
9
Hurwitz, Judith; Alan Nugent; Fern Halper; Marcia Kaufman; Big Data for Dummies, 2013, p. 190
10
Underdahl, Brian; Data Integration for Dummies, Wiley, 2014
11
Howard, Philip; “Data Migration,” white paper, Bloor Research, May 2011
12
Op cit,
13
Ibid., p. 150
COBIT 5, p. 82
6|Page