
Page 1: Data Quality - Related Standards

8/6/2019 Data Quality - Related Standards

http://slidepdf.com/reader/full/data-quality-related-standards 1/9

© 2010, Daragh O Brien.

CASTLEBRIDGE ASSOCIATES

Standards Frameworks

and Information Quality

Extracted from Chapter 3 of Defining and Executing an Effective Data Quality Strategy

Daragh O Brien

This extract from my 2008 Industry Report Defining and Executing an Effective Data Quality Strategy 

(published by Ark Group) examines the role of Information Quality in relation to a number of, at first

glance, competing strategic governance standards  – specifically ISO27002 and COBIT.


Standards Frameworks

Another key driver of Information Quality is the emergence of standards frameworks for a

variety of IT related functions in your Business which either expressly or implicitly require

the quality of information in your organisation to be managed. While Information Quality

may not be the expressed objective of many of these standards, the only effective way to

ensure and assure compliance is to effectively manage Information Quality in your 

organisation, if only for a defined information group.

It is also important to remember that while certain standards may be implemented by the IT

function in the organisation, the challenge of managing the quality of the information that

evidences how the organisation meets those standards requires both Business and IT to work 

together to ensure that the information meets or exceeds the expectations of the standards and

to ensure compliance with those standards.

In addition, for organisations wrestling with multiple, potentially competing, requirements to comply with different standards, it is valuable to highlight the common thread of requirements for the control and improvement of Information Quality that can be found in a variety of standards today. Unfortunately the nature of this report precludes an exhaustive analysis of all possible relevant standards and their possible Information Quality elements. To that end, I have selected just two for specific discussion and will make reference to the emergence of specific International standards for Information Quality practices.

ISO 17799:2005 (aka ISO 27002:2005)

About the Standard

ISO 17799:2005 is an information security standard published by the International

Organization for Standardization (ISO) and the International Electrotechnical Commission

(IEC) and is based on a pre-existing British Standard, BS 7799-1:1999. In July 2007 the ISO

17799:2005 standard was renumbered by the ISO to bring it into line with other related

standards. The current official designation for the standard is ISO 27002:2005 and this is the

reference that will be used throughout this report.

The standard provides ‘best practice’ recommendations for Information Security Management across a number of headings:

1.  Risk Assessment

2.  Security policy - management direction

3.  Organization of information security - governance of information security

4.  Asset management - inventory and classification of information assets

5.  Human resources security - security aspects for employees joining, moving and

leaving an organization

6.  Physical and environmental security - protection of the computer facilities

7.  Communications and operations management - management of technical security

controls in systems and networks


8.  Access control - restriction of access rights to networks, systems, applications,

functions and data

9.  Information systems acquisition, development and maintenance - building security

into applications

10. Information security incident management - anticipating and responding appropriately

to information security breaches

11. Business continuity management - protecting, maintaining and recovering business-critical processes and systems

12. Compliance - ensuring conformance with information security policies, standards,

laws and regulations

The Information Quality Perspective

There are distinct overlaps between Information Quality objectives and the guidelines in ISO

27002:2005, particularly with regard to the requirements in Sections 3, 4, 5, 8, 9 and 12.

In order to achieve many of the objectives of the Information Security standard, organisations

inevitably need to address the completeness, consistency, timeliness and accuracy of 

information about their information assets, systems, users, system access rights etc. In

addition, adequate governance and controls need to be in place to ensure Information

Security. Many of these Governance objectives are complementary to or directly parallel the

Governance requirements for Information Quality.

We will now examine in more detail some of the more salient points of overlap between the

Information Quality Agenda and ISO27002:2005.

Asset Management – Inventory and Classification of Information Assets

ISO 27002:2005 recommends that organisations conduct an inventory and classification of 

the information that they manage with a view to ensuring that all information maintains an

appropriate level of protection.

If approached from a pure “IT” perspective, these inventories of Information Assets risk becoming focused purely on the question of what servers and systems you have in your organisation and who uses them. This may not address adequately the questions of what information is held on those systems, where it comes from, what it is used for and who uses it.

As we will see later in this paper when we look in detail at some methodologies for 

Information Quality, understanding the important Information ‘groups’ that your organisation manages, the key Information Assets in your organisation, is an important first step in Information Quality improvement.

From an Information Quality perspective, the inventory and classification of Information

Assets starts with the question “What are the things we need to know about to run the

Business?” From there you can drill into identifying where your Customer data resides in the organisation (is it one system or multiple systems), where your Product information is created and stored, and who can access it, etc.


It could be said that the deliverable of this type of Inventory would be to answer the Row

1/Column 1 requirements of the Zachman Framework and provide key inputs for answers to

some of the other Row and Column intersections.

From an IT Security perspective, the objective of conducting the inventory of Information

Assets is to allow you to identify and prioritise what information needs to be protected and where. Once you understand where the information is and how it could be accessed, or where access to it is uncontrolled, then you can assess the costs and risks of Information Security better.

From an Information Quality perspective, the same information can be used to identify which

information groups (e.g. ‘Customer Information’, ‘Product Information’, ‘Order-to-Cash Process Information’) your organisation is managing, where that information is held and which information groups are likely to carry the greatest cost and risk of non-quality information.

Human Resources Security Aspects and Access Control

Under ISO 27002:2005, there are a series of guidelines around the Information Security

aspects for employees joining the organisation, leaving the organisation or being moved

around within the organisation.

Ultimately, this raises Information Quality issues such as:

- Correct spelling of names or format of names

- Timeliness of Staff Number information (where that is required to issue logins etc.)

- Timely notification of employee hires, fires and promotions/transfers so that system access rights can be created, amended or deleted as required.

From an Information Quality perspective, the Security expectation is a key Information Consumer expectation that needs to be met with Human Resources information. Security Officers in organisations need to know that when they elect to kill the access rights to systems for employee “Daragh O Brien” on his departure, that employee doesn’t also have logins or remote access credentials under the names “Darragh O’Brien”, “Dara O’Brien”, “Darach O’Brien” or “Dara Ó Briain” (all of which are perfectly valid alternate spellings of my name).

Likewise, employees are entitled to expect that their system access rights will not be curtailed because the HR department spelled their name incorrectly and it didn’t match the name associated with the system login. For example, suppose you have a team member called Rachael (please note the spelling) and you had submitted system access requests using the correct spelling of her name. Would it impact your team’s productivity if her access to a key system required for her job was curtailed because HR had misspelled her name as “Rachel” and, as such, there was no ‘match’ on a straight character-for-character comparison between the particular system access lists and the HR ‘Active employees’ list? Would it be particularly irksome if it transpired that Rachael had been trying to get the spelling of her name corrected on the HR system but it had not been actioned?

By ensuring appropriate controls on the quality of Information in HR processes, security of information can be assured in a manner that reduces the impacts of errors on employee productivity.
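The joiner/mover/leaver reconciliation described above, written out as an added example (this is not code from the original report). It runs one constructed HR ‘Active employees’ list against four constructed system access lists twice: first matching on names character for character, which both curtails Rachael’s access and leaves the departed employee’s alternate-spelling login alive, and then keyed on the staff number, with name normalisation used only to suggest an owner for accounts that never captured a staff number. The staff numbers, system names, logins and normalisation rules are all assumptions made for the illustration.

```python
"""Joiner/mover/leaver reconciliation keyed on a stable identifier.

Added example for this extract; not code from the original report.
The HR records, system names, logins and staff numbers are constructed
sample data, and the normalisation rules are an assumption about what a
reasonable matcher would do.
"""
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HrRecord:
    staff_no: str
    name: str
    status: str  # "active" or "left"


@dataclass(frozen=True)
class Account:
    system: str
    login: str
    display_name: str
    staff_no: Optional[str]  # None when the system never captured it


# Constructed sample data: HR's "Active employees" list and the access
# lists pulled from four systems.
HR = [
    HrRecord("S1001", "Rachel Byrne", "active"),   # HR misspelt it; she is Rachael
    HrRecord("S1002", "Daragh O Brien", "left"),
]

ACCOUNTS = [
    Account("ERP", "rbyrne", "Rachael Byrne", "S1001"),       # requested with correct spelling
    Account("VPN", "dobrien", "Daragh O Brien", "S1002"),
    Account("CRM", "darragh.ob", "Darragh O'Brien", "S1002"),  # alternate spelling
    Account("Wiki", "dara", "Dara Ó Briain", None),            # no staff number recorded
]


def normalise_name(name: str) -> str:
    """Lossy comparison key: NFKD-decompose, drop diacritics and
    punctuation, case-fold. Catches O'Brien vs O Brien; does not catch
    Daragh vs Darragh, so it can only ever suggest a match."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(ch for ch in no_marks.casefold() if ch.isalnum())


def reconcile_by_name(hr: List[HrRecord],
                      accounts: List[Account]) -> Tuple[List[str], List[str]]:
    """Naive reconciliation: exact, character-for-character name match.
    Returns (logins to revoke, logins with no HR match at all)."""
    active = {r.name for r in hr if r.status == "active"}
    left = {r.name for r in hr if r.status == "left"}
    revoke = [a.login for a in accounts if a.display_name in left]
    orphaned = [a.login for a in accounts
                if a.display_name not in active and a.display_name not in left]
    return revoke, orphaned


def reconcile_by_staff_no(hr: List[HrRecord], accounts: List[Account]):
    """Reconciliation keyed on the staff number. The name key is used only
    to suggest an owner for accounts that carry no staff number; those go
    to human review and are never revoked automatically on a name match.
    Returns (logins to revoke, logins to keep, [(login, suggested staff_no)])."""
    by_no = {r.staff_no: r for r in hr}
    by_name_key = {normalise_name(r.name): r for r in hr}
    revoke, keep, review = [], [], []
    for a in accounts:
        rec = by_no.get(a.staff_no) if a.staff_no else None
        if rec is None:
            guess = by_name_key.get(normalise_name(a.display_name))
            review.append((a.login, guess.staff_no if guess else None))
        elif rec.status == "left":
            revoke.append(a.login)
        else:
            keep.append(a.login)
    return revoke, keep, review


if __name__ == "__main__":
    print("by name:    ", reconcile_by_name(HR, ACCOUNTS))
    print("by staff no:", reconcile_by_staff_no(HR, ACCOUNTS))
```

The name-based pass revokes only the VPN login and reports Rachael’s ERP account as an orphan alongside the departed employee’s CRM account, which is exactly the failure in both directions the text describes. The staff-number pass revokes both of the leaver’s accounts, keeps Rachael’s, and sends the wiki account to review with no suggested owner, because even a normalised “Dara Ó Briain” does not match “Daragh O Brien”. The practical check is therefore that every provisioning request carries the staff number, and that the reconciliation never deprovisions on a name match alone.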


Compliance

ISO 27002:2005 contains some best practice guidelines for compliance with other regulations

etc. As already identified, Compliance is a key driver for the renewed interest in Information

Quality amongst organisations. Whether it is a need to comply with the “Accuracy” requirements of European Data Protection regulations, or with Sarbanes-Oxley or Basel II, as we have already discussed there is a clear role for quality management of Information in achieving Compliance objectives.

Conclusion

There are clear overlaps and parallels between the drivers for Quality Information and the

 practices necessary to meet the standards required by ISO 27002:2005, formerly known as

ISO 17799.

While some organisations may view their Information Security objectives as being distinct from their Information Quality requirements, in reality there are sufficiently strong inter-dependencies between the two sets of objectives to suggest that they are at worst parallel programmes which could benefit from sharing tools, techniques and experiences. Application

of Information Quality Management principles and methodologies to ISO 27002:2005

compliance initiatives will improve the quality of the deliverables and will help to better 

ensure and assure the security of your information. Likewise, approaching Information

Quality strategy with an understanding and awareness of the role of Information Security as a

stakeholder and potential ally will likewise benefit the execution of the Information Quality

strategy, not least because it will not appear to be yet another ‘fad’ programme to distract people from their ‘real’ jobs.

COBIT Framework

The COBIT Framework (Control Objectives for Information and related Technology) is a set

of best practices for information technology management created by the Information Systems

Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). COBIT

 provides managers, auditors, and IT users with a set of generally accepted measures,

indicators, processes and best practices to assist them in maximizing the benefits derived

through the use of information technology and developing appropriate IT governance and

control in a company.

The COBIT framework is built on four main strategic domains:

- Plan and Organise

- Acquire and Implement

- Deliver and Support

- Monitor and Evaluate

Within each of these domains there are a sub-set of high level control objectives to be

addressed. Each of these control objectives addresses a specific component of Information or 

Information Technology management which need to be addressed in some form to ensure

adequate and effective control of Information and its related Technologies. These high level

control objectives are illustrated below.


Table 1: COBIT Framework High Level Control Objectives

Plan & Organise

PO1 Define a Strategic IT Plan and direction

PO2 Define the Information Architecture

PO3 Determine Technological Direction

PO4 Define the IT Processes, Organisation and Relationships

PO5 Manage the IT Investment

PO6 Communicate Management Aims and Direction

PO7 Manage IT Human Resources

PO8 Manage Quality

PO9 Assess and Manage IT Risks

PO10 Manage Projects

Acquire and Implement

AI1 Identify Automated Solutions

AI2 Acquire and Maintain Application Software

AI3 Acquire and Maintain Technology Infrastructure

AI4 Enable Operation and Use

AI5 Procure IT Resources

AI6 Manage Changes

AI7 Install and Accredit Solutions and Changes

Deliver & Support

DS1 Define and Manage Service Levels

DS2 Manage Third-party Services

DS3 Manage Performance and Capacity

DS4 Ensure Continuous Service

DS5 Ensure Systems Security

DS6 Identify and Allocate Costs

DS7 Educate and Train Users

DS8 Manage Service Desk and Incidents

DS9 Manage the Configuration

DS10 Manage Problems

DS11 Manage Data

DS12 Manage the Physical Environment

DS13 Manage Operations

Monitor & Evaluate

ME1 Monitor and Evaluate (IT) Processes

ME2 Monitor and Evaluate Internal Control

ME3 Ensure Regulatory Compliance

ME4 Provide IT Governance

Much like ISO 27002:2005, which is a code of practice rather than a certifiable requirements standard (that role belongs to ISO 27001), the COBIT Framework is not a standard per se but is a defined set of recommended best practices to achieve high standards in the control and operation of Information and Information Technology. Also, COBIT and ISO 27002:2005 are not incompatible; rather they are complementary Best Practice frameworks, with the ISO standard focussing on the specific challenges of securing information, which relates directly to the COBIT DS5 objective (Ensure Systems Security).


The Information Quality Perspective

From the perspective of Information Quality, it is interesting to note that within the name of 

the framework there is a clear distinction between Information (the ‘asset’ being managed) and “related Technology” (the tools used to manage the Asset). A number of commentators

have highlighted that, while COBIT only explicitly mentions information quality as one item

in the midst of a number of Data Management recommendations published with the

Framework, the implication is that if you do not address data quality then you will not

achieve your control objectives. In the words of Cass Brewer of the ITCi:

“CobiT’s pert reference to data quality at level 0 in its maturity model essentially says that without data quality you’re nowhere, whatever your other data management controls.”1

Looking at the various control objectives within COBIT, it is clear that a number of them are

dependent on good quality information (or at least an understanding of the poor quality of 

your information) in order for your organisation to achieve them. I have selected some of the High Level Control objectives and have mapped the Information Quality component of each

of them in Table 2 below. This mapping is not exhaustive and further correlations can be

found between the COBIT Framework and Information Quality Management.

Table 2: Example mapping of COBIT Control Objectives to Information Quality

Control Objective: Information Quality Component

PO8 (Manage Quality)

This is self-explanatory. In order to manage the quality of your IT processes you need to manage the quality of the information that is consumed and produced by those processes.

PO10 (Manage Projects)

As we have already seen from our discussion of the failure rates of Data Migrations, understanding the level of information quality in your organisation and actively planning how to manage the Project (and operational) risks associated with it is a key challenge for most organisations.

AI1 (Identify Automated Solutions)

Automation of a process which is either accepting or creating poor quality information will result either in a breakdown of the automated solution or a backlog of exceptions which will need to be manually addressed. Understanding the levels of Information Quality and the root causes of non-quality allows for better implementation of appropriate automated solutions.

DS11 (Manage Data)

In managing Data it is appropriate to manage the quality of that data.

ME3 (Ensure Regulatory Compliance)

In order to ensure Regulatory Compliance, in many cases organisations will produce compliance reports and reporting on the operation of controls that seek to identify defects in their information that might give rise to a Regulatory breach (e.g. customers being billed for services they do not have). Organisations that understand this to be a form of Information Quality monitoring often move to proactive prevention of Regulatory breach as opposed to reactive ‘scrap and rework’.

Conclusion

While the COBIT framework does not expressly mandate the management of Information Quality, the reality is that to achieve many of the High Level Control Objectives set out by the Framework, organisations do need to address their management of the quality of their information.

1 Brewer, Cass, Dissociative Disorder: Compliance, Data Quality, and Cognitive Dissonance, http://www.tdwi.org/Publications/display.aspx?id=8125, 2007/09/29, last accessed 2007/12/29 @13:46 GMT.

As we will see when we look at some of the methodologies for Information Quality

Management, there are also overlaps between many of the Control objectives and key steps

that are recommended by some ‘gurus’ to develop a robust Information Quality Management capability in your organisation.

Emerging ISO Standards for Information Quality

The ISO has commenced work on a new standards set for Information/Data Quality under the auspices of the ISO/TC184/SC4 Standards Committee. This committee has authorized the

WG13 (Working Group 13) that is developing these standards. Currently the draft standard is

ISO 8000, a standard for industrial data quality. The IAIDQ (International Association for 

Information & Data Quality), the leading professional organisation for Information Quality

Practitioners, is a Category A Liaison to the ISO/TC184/SC4 committee.

Work is continuing on this standard and readers should check the ISO website (www.iso.org)

for further information.

Conclusion

Many of the standards selected for discussion in this paper are primarily IT focussed.

However, this should not be taken to mean that Information Quality is an IT issue. This is far 

from the case. Indeed, one of the leading thought leaders in the field Tom Redman has this

advice for IT professionals tasked with improving Information Quality:

“If you are in IT and you are tasked with fixing data quality in your organisation, get out. Get out of IT and go to work in the Business because that is where you can make the necessary changes.”2

 

What this highlights is that for the Enterprise, the organisation as a whole, to achieve its

objectives of Compliance through the pursuit of various standards or frameworks then

Business and IT need to work together to address the issues raised by poor quality

Information and poor Information Quality Management. This requires more than just

recognition within the Information Technology strategic plan that Information Quality is an

important element of achieving these high standards and high level Control objectives. It

requires an acceptance within the Business that to achieve these improvements they must lead

the change.

While there are a number of different standards frameworks and objects that might be met,

ultimately there is a common ‘foundation’ that links them and that is the need to ensure good quality information in the operation of Business (and IT) processes.

2 Response given in answer to a question about the ability of IT to lead Information Quality change at the 2007

IDQ Conference in Las Vegas.


Figure 1: Information Quality as a key Foundation discipline

Organisations that recognise the significant foundational role of good quality Information in

the context of other Best Practice frameworks or regulatory requirements that they are

seeking to meet will inevitably achieve improved synergy between the requirements of each

standard and framework. Furthermore, compliance with these frameworks and standards will be seen as a value-adding function as the quality of information in the organisation improves, reducing costs associated with process failure, rework and compliance risks, and improving profitability in the organisation.