
CHAPTER 10 Information Governance and Information Technology Functions

Information technology (IT) is a core function impacted by information governance (IG) efforts. IT departments typically have been charged with keeping the “plumbing” of IT intact—the network, servers, applications, and data—but although the output of IT is in their custody, they have not been held to account for it; that is, the information, reports, and databases they generate have long been held to be owned by users in business units. This has left a gap of responsibility for governing the information that is being generated and managing it in accordance with legal and regulatory requirements, standards, and best practices.

Certainly, on the IT side, shared responsibility for IG means the IT department itself must take a closer look at IT processes and activities with an eye to IG. A focus on improving IT efficiency, software development processes, and data quality will help contribute to the overall IG program effort. IT is an integral piece of the program.

Debra Logan, vice president and distinguished analyst at Gartner, states:

Information governance is the only way to comply with regulations, both current and future, and responsibility for it lies with the CIO and the chief legal officer. When organizations suffer high-profile data losses, especially involving violations of the privacy of citizens or consumers, they suffer serious reputational damage and often incur fines or other sanctions. IT leaders will have to take at least part of the blame for these incidents. 1

Gartner predicts that the need to implement IG is so critical that, by 2016, fully one in five chief information officers (CIOs) will be terminated for their inability to implement IG successfully.

Aaron Zornes, chief research officer at the MDM (Master Data Management) Institute, stated: “While most organizations’ information governance efforts have focused on IT metrics and mechanics such as duplicate merge/purge rates, they tend to ignore the industry- and business-metrics orientation that is required to ensure the economic success of their programs.” 2

190 INFORMATION GOVERNANCE

Four IG best practices in this area can help CIOs and IT leaders to be successful in delivering business value as a result of IG efforts:

1. Don’t focus on technology, focus on business impact. Technology often enthralls those in IT—to the point of obfuscating the reason that technologies are leveraged in the first place: to deliver business benefit. So IT needs to reorient its language, its vernacular, its very focus when implementing IG programs. IT needs to become more business savvy, more businesslike, more focused on delivering business benefits that can help the organization to meet its business goals and achieve its business objectives. “Business leaders want to know why they should invest in an information governance program based on the potential resulting business outcomes, which manifest as increased revenues, lower costs and reduced risk.” 3

2. Customize your IG approach for your specific business, folding in any industry-specific best practices possible.

You cannot simply take a boilerplate IG plan, implement it in your organization, and expect it to be successful. Sure, there are components that are common to all industries, but tailoring your approach to your organization is the only way to deliver real business value and results. That means embarking on an earnest effort to develop and sharpen your business goals, establishing business objectives that consider your current state and capabilities and external business environment and legal factors unique to your organization. It also means developing a communications and training plan that fits with your corporate culture. And it means developing meaningful metrics to measure your progress and the impact of the IG program, to allow for continued refinement and improvement.

3. Make the business case for IG by tying it to business objectives. To garner the resources and time needed to implement an IG program, you must develop a business case in real, measurable terms. The business case must be presented in order to gain executive sponsorship, which is an essential component of any IG effort. Without executive sponsorship, the IG effort will fail. Making the business case and having metrics to measure progress and success toward meeting business objectives are absolute musts.

4. Standardize use of business terms. IG requires a cross-functional effort, so you must be speaking the same language, which means the business terms you use in your organization must be standardized. This is the very minimum to get the conversation started. But IG efforts will delve much more deeply into information organization and seek to standardize the taxonomy for organizing documents and records and even the metadata fields that describe in detail those documents and records across the enterprise.

Overall, being able to articulate the business benefits of your planned IG program will help you recruit an executive sponsor, help the program gain traction and support, and help you implement the program successfully. 4

Several key foundational programs should support your IG effort in IT, including data governance, master data management (MDM), and implementing accepted IT standards and best practices. We will now delve into these concepts in more detail.


Data Governance

We touched on data governance in Chapter 2. Data is big, data is growing, data is valuable, and the insights that can be gained by analyzing clean, reliable data with the latest analytic tools are a sort of new currency. There are nuggets of gold in those mountains of data. And leveraging those discoveries can provide a sustainable competitive advantage in areas such as customer acquisition, customer retention, and customer service.

The challenge is largely in garnering control over data and in cleaning, securing and protecting it; doing so requires effective data governance strategies. But data governance is not only about cleaning and securing data; it is also about delivering it to the right people at the right time (sometimes this means in real time) to provide strategic insights and opportunities. If a data governance program is successful, it can add profits directly to the bottom line. 5

Data governance involves processes and controls to ensure that information at the data level—raw data that the organization is gathering and inputting—is true and accurate, and unique (not redundant). It involves data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and de-duplication to eliminate redundant occurrences of data.

Data governance focuses on information quality from the ground up (at the lowest or root level), so that subsequent reports, analyses and conclusions are based on clean, reliable, trusted data (or records) in database tables. Data governance is the most fundamental level at which to implement IG. Data governance efforts seek to ensure that formal management controls—systems, processes, and accountable employees who are stewards and custodians of the data—are implemented to govern critical data assets to improve data quality and to avoid negative downstream effects of poor data.

Data governance is a newer, hybrid quality control discipline that includes elements of data quality, data management, IG policy development, business process improvement, and compliance and risk management.

Good data governance programs should extend beyond the enterprise to include external stakeholders (suppliers, customers) so an organization has its finger on the pulse of its extended operations. In other words, enforcing data governance at the earliest possible point of entry—even external to the organization—can yield significant efficiencies and business benefits downstream. And combining data governance with real-time analytics and business intelligence (BI) software not only can yield insights into significant and emerging trends but also can provide solid information for decision makers to use in times of crisis—or opportunity.

Focusing on business impact and customizing your IG approach to meet business objectives are key best practices for IG in the IT department.

Effective data governance can yield bottom-line benefits derived from new insights.


Steps to Governing Data Effectively

Nine key steps you can take to govern data effectively are listed next. The first five are based on recommendations by Steven Adler in CIO Magazine:

1. Recruit a strong executive sponsor. As in broader IG efforts, data governance requires cross-functional collaboration with a variety of stakeholders. To drive and facilitate this sometimes contentious conversation, a strong executive sponsor is required. This is not an easy task since executives generally do not want to deal with the minutiae at the data level. You must focus on the realizable business benefits of improved data governance (i.e., specific applications that can assist in customer retention, revenue generation, and cost cutting).

2. Assess your current state. Survey the organization to see where the data repositories or silos of data are, what problems related to data exist, and where some opportunities to improve lie. Document where your data governance program stands today and then map out your road to improvement in fundamental steps.

3. Set the ideal state vision and strategy. Create a realistic vision of where your organization wants to go in its data governance efforts, and clearly articulate the business benefits of getting there. Articulate a measurable impact. Track your progress with metrics and milestones.

4. Compute the value of your data. Try to put some hard numbers to it. Calculate some internal numbers on how much value data—good data—can add to specific business units. Data is unlike other assets that you can see or touch (cash, buildings, equipment, etc.), and it changes daily, but it has real value.

5. Assess risks. What is the likelihood and potential cost of a data breach? A major breach? What factors come into play and how might you combat these potential threats? Perform a risk assessment to rank and prioritize threats and assign probabilities to those threats so you may fashion appropriate strategies to counter them.

6. Implement a going-forward strategy. It is a significantly greater task to try to improve data governance across the enterprise for existing data, versus a smaller business unit. 6 Remember, you may be trying to fix years if not decades of bad behavior, mismanagement, and lack of governance. Taking an “incremental approach with an eye to the future” provides for a clean starting point and can substantially reduce the pain required to implement. A strategy where new data governance policies for handling data are implemented beginning on a certain future date is a proven best practice.

7. Assign accountability for data quality to business units, not IT. Typically, IT has had responsibility for data quality, yet the data generation is mostly not under that department’s control, since most is created out in the business units. A pointed effort must be made to push responsibility and ownership for data to the business units that create and use the data.

8. Manage the change. Educate, educate, educate. People must be trained to understand why the data governance program is being implemented and how it will benefit the business. The new policies represent a cultural change, and supportive program messages and training are required to make the shift.

9. Monitor your data governance program. See where shortfalls might be, and continue to fine-tune the program. 7


From a risk management perspective, data governance is a critical activity that supports decision makers and can mean the difference between retaining a customer and losing one. Protecting your data is protecting the lifeblood of your business, and improving the quality of the data will improve decision making, foster compliance efforts, and yield competitive advantages.

Data Governance Framework

The Data Governance Institute has created a data governance framework, a visual model to help guide planning efforts and a “logical structure for classifying, organizing, and communicating complex activities involved in making decisions about and taking action on enterprise data.” 8 (See Figure 10.1.) The framework applies more to larger organizations, which have greater complexity, greater internal requirements, and greater, more complex regulatory demands. It allows for a conceptual look at data governance processes, rules, and people requirements.

Good data governance ensures that downstream negative effects of poor data are avoided and that subsequent reports, analyses, and conclusions are based on reliable, trusted data.

Figure 10.1 DGI Data Governance Framework™. Source: The Data Governance Institute (datagovernance.com).

Information Management

Information management is a principal function of IT. It is complex and spans a number of subdisciplines but can be defined as the “application of management techniques to collect information, communicate it within and outside the organization, and process it to enable managers to make quicker and better decisions.” 9 It is about managing information, which is more than just collecting and processing data from varying sources and distributing it to various user audiences. It includes a number of subcomponent tasks, including these four:

1. Master data management (MDM) is a key process for IG success in the IT department, which extends to involved business units. An emerging discipline, MDM came into prominence around 2010 to 2012, coinciding with the Big Data trend. The goal of MDM is to ensure that reliable, accurate data from a single source is leveraged across business units. That is, a key aim is to establish a “single version of the truth” 10 and eliminate multiple, inconsistent versions of data sets, which are more common than most might think, especially in larger organizations with physically distributed operations and large numbers of servers and databases. 11 MDM gets to the core of data integrity issues, essentially asking “Is this data true and accurate? Is this the best and only, final version?” MDM grew from the need to create a standardized, “discrete discipline” to ensure there was a single version to base BI analyses on and to base decisions on. 12 According to Gartner, MDM is a technology-enabled discipline in which business and IT work together to ensure the uniformity, accuracy, stewardship, semantic consistency and accountability of the enterprise’s official shared master data assets. Master data is the consistent and uniform set of identifiers and extended attributes that describes the core entities of the enterprise, including customers, prospects, citizens, suppliers, sites, hierarchies and chart of accounts. 13

What is the business impact? How are operations enhanced and how does that contribute to business goals? One set of reliable, clean data is critical to delivering quality customer service, reducing redundant efforts and therefore operational costs, improving decision making, and even potentially lowering product and marketing costs. “A unified view of customers, products, or other data elements is critical to turning these business goals into reality.” 14

Again, the larger the organization, the greater the need for MDM.

Master data management is a key IG process in IT.


2. Information lifecycle management (ILM) is managing information appropriately and optimally at different stages of its useful life, from creation through distribution and use, including meeting legal and regulatory requirements, and through its final disposition, which can be destruction, archiving, or transfer to another entity. Organizations historically over-retain information; however, studies show that information quickly loses its value and that once data has aged 10 to 15 days, the likelihood it will be used again is around 1 percent. 15 Based on its use characteristics, differing storage management strategies are appropriate. It defies business logic to manage information that has little value with as much IT resource as information that is high value. Doing so is a misuse of resources. To execute ILM properly, the value of certain data sets and records must be appraised and policies must be formed to manage it, recognizing that information value changes over the life cycle, which requires varying strategies and resource levels. 16 ILM conceptually includes and can begin with MDM and is linked to compliance requirements and capabilities.

3. Data architecture refers to the “design of structured and unstructured information systems” 17 in an effort to optimize data flow between applications and systems so that they are able to process data efficiently. Further, data architecture uses data modeling, standards, IG policies, and rules for governing data and how it populates databases and how those databases and applications are structured. 18 Some key issues to uncover when researching data architecture and design include data structure, or schema, which databases are used (e.g., Oracle Database 11g, DB2, SQL Server), methods of query and access (e.g., SQL), the operating systems the databases operate on, and even their hardware (which can affect data architecture features and capabilities).

4. Data modeling can be complex, yet it is an important step in overall IG for the IT department. It “illustrates the relationships between data.” Data modeling is an application software design process whereby data processes and flows between applications are diagrammed graphically in a type of flowchart that formally depicts where data is stored, which applications share it, where it moves, and the interactions regarding data movement between applications. “Data modeling techniques and tools capture and translate complex system designs into easily understood representations of the data flows and processes, creating a blueprint for construction and/or re-engineering.” 19 Good data models allow for troubleshooting before applications are written and implemented.

The importance of data modeling as a foundation for the application development process is depicted in Figure 10.2.

Once the data model is developed, business rules and logic can be applied through application development. A user interface is constructed for the application, followed by movement of data or e-documents through work steps using workflow capabilities, and then integration with existing applications (e.g., enterprise resource planning or customer relationship management systems). Typically this is accomplished through an application programming interface, a sort of connector that allows interaction with other applications and databases.


There are six approaches to data modeling:

1. Conceptual. The conceptual approach merely diagrams data relationships at the “highest level” 20 showing the storage, warehousing, and movement of data between applications.

2. Enterprise. The enterprise approach is a more business-oriented version of conceptual data modeling that includes specific requirements for an enterprise or business unit.

3. Logical. Pertinent to the design and architecture of physical storage, logical data modeling “illustrates the specific entities, attributes and relationships involved in a business function.”

4. Physical. The physical approach depicts the “implementation of a logical data model” relative to a specific application and database system.

5. Data integration. This approach is just what it says; it involves merging data from two or more sources, processing the data, and moving it into a database. “This category includes Extract, Transform, and Load (ETL) capabilities.” 21

6. Reference data management. This approach often is confused with MDM, although they do have interdependencies. Reference data is a way to refer to data in categories (e.g., having lookup tables—standard industry classification or SIC codes) to insert values, 22 and is used only to “categorize other data found in a database, or solely for relating data in a database to information beyond the boundaries of the enterprise.” 23 So reference data is not your actual data itself but a reference to categorize data.

Figure 10.3 shows different categories of data.

Figure 10.2 Key Steps from Data Modeling to Integration. Source: Reproduced from Orangescape.com (www.orangescape.com/wp-content/uploads/2010/10/Application-Development-Lifecycle-OrangeScape.png). [Figure: the stages Data Model, Business Logic, User Interface, Work Flows, and Integration.]

IT Governance

As introduced in Chapter 2, IT governance is about efficiency and value creation. IT governance is the primary way that stakeholders can ensure that investments in IT create business value and contribute toward meeting business objectives. 24 This strategic alignment of IT with the business is challenging yet essential. IT governance programs go further and aim to “improve IT performance, deliver optimum business value and ensure regulatory compliance.” 25

Although the CIO typically has line responsibility for implementing IT governance, the chief executive officer and board of directors must receive reports and updates to discharge their responsibilities for IT governance and to see that the program is functioning well and providing business benefits.

The focus of governance in IT is on the actual software development and maintenance activities of the IT department or function, and IT governance efforts focus on making IT efficient and effective. That means minimizing costs by following proven software development methodologies and best practices, principles of data governance and information quality, and project management best practices while aligning IT efforts with the business objectives of the organization.

IT Governance Frameworks

Several IT governance frameworks can be used as a guide to implementing an IT governance program.

Although frameworks and guidance like CobiT® and ITIL have been widely adopted, there is no absolute standard IT governance framework; the combination that works best for your organization depends on business factors, corporate culture, IT maturity, and staffing capability. The level of implementation of these frameworks will also vary by organization.

Figure 10.3 Categories of Data. Source: http://www.information-management.com/issues/20060401/1051002-1.html?zkPrintable=1&nopagination=1 [Figure: the data categories Reference Data, Master Data, Enterprise Structure Data, Transaction Activity Data, and Transaction Audit Data, compared on semantic content, metadata, relevance to design, the outside world, the business and technology, data quality importance, volume of data, rates of update, population later in time, and life span.]

IT governance seeks to align business objectives with IT strategy to deliver business value.


CobiT®

CobiT (Control Objectives for Information and related Technology) is a process-based IT governance framework that represents a consensus of experts worldwide. It was codeveloped by the IT Governance Institute and ISACA. CobiT addresses business risks, control requirements, compliance, and technical issues. 26

CobiT offers IT controls that:

■ Cut IT risks while gaining business value from IT under an umbrella of a globally accepted framework.

■ Assist in meeting regulatory compliance requirements.

■ Utilize a structured approach for improved reporting and management decision making.

■ Provide solutions to control assessments and project implementations to improve IT and information asset control. 27

CobiT consists of detailed descriptions of processes required in IT and tools to measure progress toward maturity of the IT governance program. It is industry agnostic and can be applied across all vertical industry sectors, and it continues to be revised and refined. 28

CobiT is broken into three basic organizational levels and their responsibilities: (1) board of directors and executive management; (2) IT and business management; and (3) line-level governance, security, and control knowledge workers. 29

The CobiT model draws on the “plan, build, run, monitor” paradigm of traditional IT management, only with variations in semantics. There are four IT domains in the COBIT framework, which contain 34 IT processes and 210 control objectives that map to the four specific IT processes of:

1. Plan and organize.
2. Acquire and implement.
3. Deliver and support.
4. Monitor and evaluate.

Specific goals and metrics are assigned, and responsibilities and accountabilities are delineated.

The CobiT framework maps to ISO 17799 of the International Organization for Standardization and is compatible with Information Technology Infrastructure Library (ITIL) and other accepted practices in IT development and operations. 30

COBIT 5

Released in 2012, CobiT 5 is the latest version of the business framework for the governance of IT from ISACA. CobiT 5

builds and expands on COBIT 4.1 by integrating other major frameworks, standards and resources, including ISACA’s Val IT and Risk IT, Information Technology Infrastructure Library (ITIL®) and related standards from the International Organization for Standardization (ISO). 31


Key Principles and Enablers

“CobiT 5 is based on five key principles for governance and management of enterprise IT:

■ Principle 1: Meeting Stakeholder Needs
■ Principle 2: Covering the Enterprise End-to-End
■ Principle 3: Applying a Single, Integrated Framework
■ Principle 4: Enabling a Holistic Approach
■ Principle 5: Separating Governance From Management

The CobiT 5 framework describes seven categories of enablers:

■ Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.

■ Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.

■ Organizational structures are the key decision-making entities in an enterprise.

■ Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.

■ Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.

■ Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.

■ People, skills and competencies are required for successful completion of all activities, and for making correct decisions and taking corrective actions.” 32

ValIT®

ValIT is a newer value-oriented framework that is compatible with and complementary to CobiT. Its principles and best practices focus on leveraging IT investments to gain maximum value. Forty key ValIT essential management practices (analogous to CobiT’s control objectives) support three main processes: value governance, portfolio management, and investment management. ValIT and CobiT “provide a full framework and supporting tool set to help managers develop policies to manage business risks and deliver business value while addressing technical issues and meeting control objectives in a structured, methodic way.” 33

CobiT 5 is the latest version of the business framework for the governance of IT. It has just five principles and seven enablers.

ValIT Integrated with CobiT 5

The ValIT framework has been folded into the CobiT 5 framework. 34 For more details, you may download free or acquire publications and operational tools on this and related topics at isaca.org.

Key functions of ValIT include:

■ Define the relationship between IT and the business and those functions in the organization with governance responsibilities;

■ Manage an organization’s portfolio of IT-enabled business investments;

■ Maximize the quality of business cases for IT-enabled business investments with particular emphasis on the definition of key financial indicators, the quantification of “soft” benefits and the comprehensive appraisal of the downside risk.

Val IT addresses assumptions, costs, risks and outcomes related to a balanced portfolio of IT-enabled business investments. It also provides benchmarking capability and allows enterprises to exchange experiences on best practices for value management. 35

ITIL

ITIL is a set of process-oriented best practices and guidance originally developed in the United Kingdom to standardize delivery of IT service management. ITIL is applicable to both the private and public sectors and is the “most widely accepted approach to IT service management in the world.” 36 As with other IT governance frameworks, ITIL provides essential guidance for delivering business value through IT, and it “provides guidance to organizations on how to use IT as a tool to facilitate business change, transformation and growth.” 37

ITIL best practices form the foundation for ISO/IEC 20000 (previously BS 15000), the International Service Management Standard for organizational certification and compliance. 38 ITIL 2011 is the latest revision (as of this writing).

CobiT is process-oriented and has been widely adopted as an IT governance framework. ValIT is value-oriented and compatible and complementary with CobiT yet focuses on value delivery.

The Val IT framework has been folded into the COBIT 5 framework.


It consists of five core published volumes that map the IT service cycle in a systematic way:

1. ITIL Service Strategy
2. ITIL Service Design
3. ITIL Service Transition
4. ITIL Service Operation
5. ITIL Continual Service Improvement

ISO 38500

ISO/IEC 38500:2008 is an international standard that provides high-level principles and guidance for senior executives and directors, and those advising them, for the effective and efficient use of IT. 39 Based primarily on AS 8015, the Australian IT governance standard, it “applies to the governance of management processes” performed at the IT service level, but the guidance assists executives in monitoring IT and ethically discharging their duties with respect to legal and regulatory compliance of IT activities.

The ISO 38500 standard comprises three main sections:

1. Scope, Application and Objectives
2. Framework for Good Corporate Governance of IT
3. Guidance for Corporate Governance of IT

It is largely derived from AS 8015, the guiding principles of which were:

■ Establish responsibilities
■ Plan to best support the organization
■ Acquire validly
■ Ensure performance when required
■ Ensure conformance with rules
■ Ensure respect for human factors

The standard also has relationships with other major ISO standards, and embraces the same methods and approaches. 40


ITIL is the “most widely accepted approach to IT service management in the world.”

202 INFORMATION GOVERNANCE

IG Best Practices for Database Security and Compliance

Although security is a topic primarily for Chapter 11, it is a technical topic that we address here as well. Best practices have been developed over the past few years and can prevent leakage of structured data from databases and Web services due to SQL injections (where hackers attack SQL databases) and other types of attacks.

An organization and its data need to be connected to its stakeholders—employees, customers, suppliers, and strategic partners. In this interconnected world that keeps expanding (e.g., cloud, mobile devices), proprietary data is exposed to a variety of threats. It is critical to protect the sensitive information assets that reside in your databases. 41

Perimeter security often is easily penetrated. Web apps are vulnerable to attacks such as SQL injection (a favorite among malicious approaches). Hackers also can gain access by spear phishing (very specific phishing attacks that include personal information) to glean employee login credentials in order to get access to databases.

Streamlining your approach to database security by implementing a uniform set of policies and processes helps in compliance efforts and reduces costs. Here are some proven database security best practices:

■ Inventory and document. You must first identify where your sensitive data and databases reside in order to secure them. So a discovery and mapping process must take place. You can begin with staff interviews but also use tools such as data loss prevention to map out data flows. Include all locations, including legacy applications, and intellectual property such as price lists, marketing and strategic plans, product designs, and the like. This inventorying/discovery process must be done on a regular basis with the assistance of automated tools, since the location of data can migrate and change.

■ Assess exposure/weaknesses. Look for security holes, missing updates and patches, and any irregularities on a regular basis, using standard checklists such as the CIS Database Server Benchmarks and the DISA Security Technical Implementation Guides (STIGs). Do not forget to check OS-level parameters such as file privileges for database configuration files and database configuration options such as roles and permissions, or how many failed logins result in a locked account (these types of database-specific checks are typically not performed by network vulnerability assessment scanners).

■ Shore up the database. Based on your evaluation of potential vulnerabilities, take proper steps, and also be sure that unused database functions are disabled.

■ Monitor. On a regular basis, monitor and document any configuration changes, and make sure the “gold” configuration is stable and unchanged. “Use change auditing tools that compare configuration snapshots and immediately alert whenever a change is made that affects your security posture.” 42

ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.


■ Deploy monitoring/auditing tools. Deploy these tools to detect intrusions or suspicious activity immediately: use your database activity monitoring (DAM) and database auditing tools continuously and in real time. Note any anomalies, such as unusually large numbers of records being downloaded, even by authorized users—this could indicate, for instance, a rogue employee gathering information. Higher-level “privileged users—such as database administrators (DBAs), developers and outsourced personnel” must also be monitored to comply with certain regulations. Watch for attackers who have gained access through authorized credentials. DAM creates an audit trail, generated in real time, that can be the forensic smoking gun in investigations after attacks have occurred. Also, monitor the application layer, as

well-designed DAM solutions associate specific database transactions performed by the application with specific end-user IDs, in order to deterministically identify individuals violating corporate policies. In addition, combining database auditing information with OS [operating system] and network logs via a security information and event management . . . system to see everything that a user has done can also provide critical information for forensic investigations.

■ Verify privileged access. In your audit process, periodically review the list of privileged users and entitlement reports to ensure that superusers and those with access to sensitive information are still authorized.

■ Protect sensitive data. Known sensitive data should be encrypted, so that even if attackers gain access, it is unreadable. “File-level encryption at the OS layer, combined with granular real-time monitoring and access control at the database layer, is typically accepted as a practical alternative to column-level encryption and a compensating control for Requirement 3.3 of PCI-DSS.” 43

■ Deploy masking. Hide your live production data by masking test data. “Masking is a key database security technology that de-identifies live production data, replacing it with realistic but fictional data that can then be used for testing, training and development purposes, because it is contextually appropriate to the production data it has replaced.”

■ Integrate and automate standardized security processes. To pass compliance audits, you need to show that processes and systems are in place to reduce risks and detect potential intrusions, attacks, and unauthorized use. Standardizing and automating these tasks as much as possible helps minimize compliance costs while protecting the organization’s data.

Implementing these best practices will help keep sensitive data in your databases secure.
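Two of the practices above, “Monitor” (compare configuration snapshots and alert on security-relevant changes, including OS-level file privileges on the configuration file) and “Deploy monitoring/auditing tools” (flag unusually large record downloads even by authorized users), as an added example. This is illustrative code written for this page, not the book’s or any vendor’s tool; the setting names, snapshots, audit rows and thresholds are all constructed.

```python
"""Added example (not the book's code): two of the monitoring practices above
as self-contained checks.

1. config_drift() compares the approved ("gold") configuration snapshot with
   a current snapshot and alerts on changes to security-relevant settings,
   including the OS-level permission bits on the configuration file.
2. bulk_export_anomalies() is a DAM-style check over audit records that flags
   sessions returning far more rows than the same user's historical baseline,
   even when the access itself was made with valid credentials.

Every setting name, snapshot, audit row and threshold below is constructed."""

from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List

# Settings whose change affects security posture. Capacity settings such as
# max_connections are deliberately left off so drift alerts stay actionable.
SECURITY_KEYS = {
    "audit_logging",           # audit trail enabled?
    "config_file_mode",        # permission bits on the config file (OS level)
    "failed_login_lockout",    # failed logins before lockout (0 = never lock)
    "remote_superuser_login",  # may superusers connect over the network?
    "xp_cmdshell",             # OS-command feature that should stay disabled
}

GOLD_SNAPSHOT: Dict[str, object] = {
    "audit_logging": True,
    "config_file_mode": "0600",
    "failed_login_lockout": 5,
    "remote_superuser_login": False,
    "xp_cmdshell": False,
    "max_connections": 200,
}

# Constructed "current" snapshot: lockout disabled, config file made
# world-readable, the xp_cmdshell line dropped, and a capacity setting changed.
CURRENT_SNAPSHOT: Dict[str, object] = {
    "audit_logging": True,
    "config_file_mode": "0644",
    "failed_login_lockout": 0,
    "remote_superuser_login": False,
    "max_connections": 500,
}


def config_drift(gold: Dict[str, object], current: Dict[str, object]) -> List[str]:
    """One alert per security-relevant difference between the snapshots.
    A setting missing from the current snapshot is reported too: a removed
    line usually means the engine fell back to a less secure default."""
    alerts = []
    for key in sorted(SECURITY_KEYS):
        before = gold.get(key, "<absent>")
        after = current.get(key, "<absent>")
        if before != after:
            alerts.append(f"ALERT {key}: gold={before!r} current={after!r}")
    return alerts


@dataclass(frozen=True)
class AuditRow:
    """Minimal shape of a DAM audit record: who, which session, how many rows."""
    user: str
    session_id: str
    rows_returned: int


def bulk_export_anomalies(history: List[AuditRow], today: List[AuditRow],
                          z: float = 3.0, floor: int = 1000) -> List[str]:
    """Flag sessions whose row count exceeds both an absolute floor and the
    user's own mean + z standard deviations. The floor stops small-table
    users from tripping the check on tiny increases; a user with no history
    has a baseline of zero, so any session above the floor is flagged."""
    per_user: Dict[str, List[int]] = {}
    for row in history:
        per_user.setdefault(row.user, []).append(row.rows_returned)

    findings = []
    for row in today:
        counts = per_user.get(row.user, [])
        baseline = mean(counts) if counts else 0.0
        spread = pstdev(counts) if counts else 0.0
        threshold = max(float(floor), baseline + z * spread)
        if row.rows_returned > threshold:
            findings.append(
                f"ANOMALY user={row.user} session={row.session_id} "
                f"rows={row.rows_returned} baseline={baseline:.0f} threshold={threshold:.0f}"
            )
    return findings


# Constructed history: alice averages 120 rows per session, bob 400.
HISTORY = [AuditRow("alice", f"a{i}", n) for i, n in enumerate([120, 90, 150, 110, 130])] + \
          [AuditRow("bob", f"b{i}", n) for i, n in enumerate([400, 380, 420, 410, 390])]

TODAY = [
    AuditRow("alice", "s1", 140),        # within her normal range
    AuditRow("bob", "s2", 900),          # above his baseline but below the floor
    AuditRow("bob", "s3", 25000),        # bulk export by an authorized user
    AuditRow("svc_report", "s4", 5000),  # account with no history at all
]

if __name__ == "__main__":
    for line in config_drift(GOLD_SNAPSHOT, CURRENT_SNAPSHOT) + bulk_export_anomalies(HISTORY, TODAY):
        print(line)
```

The drift check reports the disabled lockout, the loosened file mode and the missing xp_cmdshell line but stays silent on max_connections; the export check flags bob’s 25,000-row session and the unknown service account while ignoring alice’s normal day and bob’s small increase. In a real deployment the snapshots would come from the engine’s configuration views and the OS, and the audit rows from the DAM product’s log export.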

Identifying sensitive information in your databases and implementing database security best practices help reduce organizational risk and the cost of compliance.
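The “Deploy masking” practice above, as an added example that is not the book’s code: a production extract is de-identified with realistic but fictional names, addresses and card numbers. The keyed, deterministic mapping (HMAC-SHA256, my choice of technique, not one the book prescribes) keeps the same customer masking to the same fake identity across tables while preventing anyone holding only the masked copy from recovering the originals. The key, name lists and sample rows are all constructed.

```python
"""Added example (not the book's code): masking a production extract so the
copy used for testing, training and development carries realistic but
fictional identifiers. The mapping is keyed (HMAC-SHA256) and deterministic,
so the same real value always masks to the same fake value and joins between
tables still work, but the masked data alone does not reveal the originals.
All rows, name lists and the key below are constructed sample values."""

import hashlib
import hmac
from typing import Dict, List

# Constructed placeholder; a real deployment keeps this secret outside the
# masked environment and never ships it with the test data.
MASKING_KEY = b"constructed-masking-key-change-me"

FIRST_NAMES = ["Dana", "Kiran", "Morgan", "Priya", "Tomas", "Yusuf", "Lena", "Noor"]
LAST_NAMES = ["Okafor", "Lindqvist", "Marchetti", "Nakamura", "Reyes", "Schaefer", "Adeyemi", "Brennan"]


def _keyed_int(domain: str, value: str) -> int:
    """Keyed, domain-separated digest of a real value as a large integer.
    The domain prefix keeps name, e-mail and card mappings from colliding."""
    mac = hmac.new(MASKING_KEY, f"{domain}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def mask_name(real_name: str) -> str:
    """Replace a real name with a plausible fictional one, chosen by the keyed
    digest so repeated occurrences of the same person mask identically."""
    n = _keyed_int("name", real_name)
    return f"{FIRST_NAMES[n % len(FIRST_NAMES)]} {LAST_NAMES[(n >> 8) % len(LAST_NAMES)]}"


def mask_email(real_email: str, masked_name: str) -> str:
    """Build an address consistent with the masked name on a reserved test
    domain (.test is reserved by RFC 2606, so mail can never leave the lab)."""
    first, last = masked_name.lower().split()
    tag = _keyed_int("email", real_email) % 1000   # disambiguate shared fake names
    return f"{first}.{last}{tag}@example.test"


def mask_card(pan: str) -> str:
    """Keep the format and the last four digits (what support staff need to
    see) and replace every other digit from the keyed digest."""
    stream = str(_keyed_int("card", pan)).zfill(80)   # decimal digit stream
    digit_positions = [i for i, ch in enumerate(pan) if ch.isdigit()]
    keep = set(digit_positions[-4:])
    out = list(pan)
    for k, pos in enumerate(digit_positions):
        if pos not in keep:
            out[pos] = stream[k]
    return "".join(out)


def mask_row(row: Dict) -> Dict:
    """Mask the sensitive columns of one record; everything else (ids,
    amounts, dates) is copied through unchanged so the test data stays
    contextually realistic."""
    masked = dict(row)
    masked["name"] = mask_name(row["name"])
    masked["email"] = mask_email(row["email"], masked["name"])
    masked["card"] = mask_card(row["card"])
    return masked


def mask_rows(rows: List[Dict]) -> List[Dict]:
    return [mask_row(r) for r in rows]


# Constructed production-style rows; the first two belong to the same customer.
SAMPLE_ROWS = [
    {"customer_id": 1042, "name": "Alice Hart", "email": "alice.hart@corp-example.com",
     "card": "4111 1111 1111 1111", "order_total": 88.5},
    {"customer_id": 1042, "name": "Alice Hart", "email": "alice.hart@corp-example.com",
     "card": "4111 1111 1111 1111", "order_total": 12.0},
    {"customer_id": 2077, "name": "Bob Carver", "email": "bob@corp-example.com",
     "card": "5500 0000 0000 0004", "order_total": 301.25},
]

if __name__ == "__main__":
    for original, masked in zip(SAMPLE_ROWS, mask_rows(SAMPLE_ROWS)):
        print(original["name"], "->", masked["name"], masked["email"], masked["card"])
```

Because the mapping is keyed rather than a plain hash, a developer with the masked copy cannot rebuild the real-to-fake table by hashing guessed names; because it is deterministic, the two orders for customer 1042 still line up after masking, which is what makes the data usable for testing.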


Tying It All Together

Multiple frameworks and standards can be applied to the IT process to more effectively govern it and focus the processes on business impact. Beginning with a robust data governance program, organizations can ensure, at the more fundamental level, that the information they are using to base decisions on is clean, reliable, and accurate. Implementing an MDM program will help larger organizations with complex IT operations ensure that they are working with consistent data from a single source. Implementing the CobiT 5 business framework for delivering IT results will help support a more efficient IT operation and include other major frameworks, standards, and best practices. Leveraging the use of the ISO 38500 standard will help senior executives to better manage and govern IT operations, and employing database security best practices will help guard against outside threats.

CHAPTER SUMMARY: KEY POINTS

■ Focusing on business impact and customizing your IG approach to meet business objectives are key best practices for IG in the IT department.

■ Effective data governance can yield bottom-line benefits derived from new insights.

■ Good data governance ensures that downstream negative effects of poor data are avoided and that subsequent reports, analyses, and conclusions are based on reliable, trusted data.

■ Master data management is a key IG process in IT.

■ IT governance seeks to align business objectives with IT strategy to deliver business value.

■ CobiT 5 is the latest version of the business framework for the governance of IT. It has just five principles and seven enablers.

■ CobiT is process oriented and has been widely adopted as an IT governance framework. ValIT is value oriented and compatible and complementary with CobiT yet focuses on value delivery.

■ ValIT is a framework that focuses on delivering IT value. It is folded into CobiT 5.

■ ITIL is the “most widely accepted approach to IT service management in the world.”

■ ISO 38500 is an international standard that provides high-level principles and guidance for senior executives and directors responsible for IT governance.

■ Identifying sensitive information in your databases and implementing database security best practices help reduce organizational risk and the cost of compliance.
