Have You Seen My Data? Auditing Data Governance
8/29/2016
Holger Reusch MBA, CFE, CISA
Audit Advisor, University of Calgary

Agenda
• Data Governance – The What, Who, How, and Why
• Planning a Data Governance Audit
• Conducting a Data Governance Audit
• Recent U of C Data Governance Audits
Data Governance – The What, Who, How, and Why
What is Data Governance?
• The specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival, and deletion of information.
• It includes the processes, roles, standards, and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.
Source: Gartner Inc.
Why is Data Governance necessary?

BUSINESS BENEFITS
• Consistent data definition for reporting and decision making
• Clear responsibilities
• Structured data/metadata
• Analytics enablement
• Competitive advantage (fast action based on patterns & trends)

RISK MANAGEMENT
• Operational uncertainty
• Security & privacy
• Audit & compliance
• Human subjects
• Intellectual property
• Research data management
• Records retention
• Custody transfer

Source: Educause Center for Analysis and Research
Data Governance Framework

Outcomes
• Data Risk Management
• Compliance
• Value Creation

Enablers
• Organizational Structure & Awareness
• Policy
• Stewardship

Core Disciplines
• Data Quality Management
• Information Life-Cycle Management
• Information Security & Privacy

Supporting Disciplines
• Data Architecture
• Classification & Metadata
• Audit Information, Logging & Reporting

The diagram links the four layers with the relationships "require", "enhance" and "support".
Source: IBM
Typical Data Governance Roles

Role | Description | Responsibilities
Data Trustee | Senior official who plays a planning and policy-making role. | Oversee establishment of data governance and assign responsibility and accountability.
Data Steward | Director-level official who oversees an operation that collects, houses and releases data. | Implement a data governance system within their department.
Data Manager | Involved in day-to-day collection and release of data. | Departmental SME function; duties vary.
Data Expert | Involved in managing business processes and rules involving data. | Business analyst function; duties vary by department.
Data User | Accesses data in discharging duties or as part of their role in the university. | Protect own access privileges; correctly use data.

Source: University Business Executive Roundtable
Data Quality Management: The Challenges
• Multiple Sources
• Inconsistency
• Duplication
• Ambiguity
• Repurposing
• Process Failures
Source: Knowledge Integrity Inc.
Data Quality Management Processes
Source: Knowledge Integrity Inc.
Information Life-Cycle Management
Stages shown in the life-cycle diagram:
• Study Concept
• Data Collection
• Data Processing
• Data Analysis
• Data Distribution
• Data Archiving
• Data Discovery
• Data Analysis
• Repurposing
Source: UF Health Science Center Libraries
Information Security & Privacy Challenges
• Secure Data Retention & Disposal
• Identity Theft & Phishing
• International Travel
• Device Security: Fixed & Mobile
• Network Security
• Identity and Access Management
• Cloud Security
Selected DG/DM Frameworks

DAMA DMBOK (Data Management Body of Knowledge)
• Standard view of DM functions, terminology and best practices.
• Does not detail specific methods and techniques.

Proprietary DG Frameworks
• Various unofficial standards exist: IBM, Data Governance Institute (DGI), Stanford, …

COSO Internal Control Framework
• Apply by contextualizing Internal Control terms to DG/DM requirements.

ISO 270xx – Information Security Management
• Managing the security of information assets.

ISACA COBIT (Control Objectives for Information and Related Technology)
• Generic governance framework and toolset for control requirements, technical issues and risks.

ISO 8000 – International Data Quality Standard
• Under development; currently covers master data exchange & quality.
Planning a Data Governance Audit

Audit scope and approach need to reflect the maturity of the organization (diagram: Audit Scope & Approach matched against DG Maturity).
Data Governance Maturity

The diagram plots two dimensions: from Fragmented to Holistic, and from IT driven to Business driven. Use both dimensions to determine overall Data Governance maturity. The stages are:
• Unaware (No activity)
• Initial (Ad hoc)
• Repeatable (Pilot)
• Defined (Project)
• Managed (Program)
• Optimized (Function)
Source: Informatica
Data Governance Maturity Levels
1 Initial – Elements of practice in the category may be present but are localized in individual departments and are for the most part performed on an ad hoc basis.
2 Managed – Elements of practice are for the most part defined at an enterprise level but implementation is not complete.
3 Defined – Elements in practice are defined and implemented at an enterprise level but no formal processes are established to ensure continuous improvement.
4 Quantitatively Managed – Elements of practice are defined and implemented across the enterprise and repeatable processes and metrics are used to monitor and track progress to ensure continuous improvement.
5 Optimized – Elements of practice are implemented, monitored and used proactively across the enterprise to reduce risk, continuously improve data governance practices and to gain a competitive advantage.
Source: IBM
Data Quality Assessment
Phases of the assessment process, with the activities shown in each:
• Plan (Business Process): Select process; Assess scope; Acquire docs; Identify business impacts; Assess existing DQ process; Project plan.
• Prepare: Review system docs; Review current issues; Collate business impacts; List datasets; Critical data elements; Proposed measures; Prepare DQ tools.
• Analyze: Extract; Profile; Analyze; Drill down; Note findings.
• Synthesize: Review anomalies; Describe issues; Prepare report.
• Review: Present anomalies; Verify criticality; Prioritize issues; Suggest action items; Review next steps; Develop action plan.
Source: Knowledge Integrity Inc.
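The Extract, Profile, Analyze and Drill-down activities of the assessment phase above, as an added worked example that is not part of the original presentation: a small Python profiler run over a constructed set of student records merged from two hypothetical source systems ("SIS" and "LMS"). The record layout, the sample rows and the reference domain for faculty are assumptions made for this example. It measures the challenge categories listed earlier in the deck (multiple sources, inconsistency, duplication, ambiguity) as completeness per field, key and exact-row duplication, date validity, cross-source conflicts after normalization, and values outside the reference domain.

```python
"""Data-quality profiling of a constructed, merged dataset (example, not from the deck)."""
from collections import Counter
from datetime import date

# Constructed sample: the same population seen through two hypothetical
# source systems. Deliberately seeded with a blank key, a blank e-mail,
# an exact duplicate row, a non-ISO date, an invalid month, a case-only
# e-mail difference and two spellings of one faculty.
RECORDS = [
    {"source": "SIS", "student_id": "10001", "email": "a.lee@example.edu",
     "faculty": "Science", "enrol_date": "2016-09-01"},
    {"source": "SIS", "student_id": "10002", "email": "b.kim@example.edu",
     "faculty": "Arts", "enrol_date": "2016-09-01"},
    {"source": "LMS", "student_id": "10002", "email": "B.KIM@EXAMPLE.EDU",
     "faculty": "Arts & Humanities", "enrol_date": "09/01/2016"},
    {"source": "LMS", "student_id": "10003", "email": "",
     "faculty": "Science", "enrol_date": "2016-09-02"},
    {"source": "LMS", "student_id": "10003", "email": "",
     "faculty": "Science", "enrol_date": "2016-09-02"},
    {"source": "SIS", "student_id": "", "email": "d.ng@example.edu",
     "faculty": "Sci", "enrol_date": "2016-13-01"},
]


def profile_completeness(records, fields):
    """Fraction of records holding a non-blank value, per field."""
    n = len(records)
    return {f: sum(1 for r in records if str(r.get(f, "")).strip()) / n
            for f in fields}


def find_duplicates(records, key):
    """Key values that occur more than once, with their counts (blank keys ignored)."""
    counts = Counter(r[key] for r in records if r[key])
    return {k: c for k, c in counts.items() if c > 1}


def exact_duplicate_rows(records):
    """Number of rows that repeat an earlier row field-for-field."""
    seen, dups = set(), 0
    for r in records:
        signature = tuple(sorted(r.items()))
        if signature in seen:
            dups += 1
        else:
            seen.add(signature)
    return dups


def valid_iso_dates(records, field):
    """Fraction of records whose date parses as a real ISO-8601 calendar date."""
    ok = 0
    for r in records:
        try:
            date.fromisoformat(r[field])  # rejects both wrong format and month 13
            ok += 1
        except ValueError:
            pass
    return ok / len(records)


def cross_source_conflicts(records, key, field, normalize=lambda v: v):
    """Keys whose `field` still differs between sources after normalization."""
    values = {}
    for r in records:
        if r[key]:
            values.setdefault(r[key], set()).add(normalize(r[field]))
    return sorted(k for k, vs in values.items() if len(vs) > 1)


def domain_violations(records, field, allowed):
    """Records whose value lies outside the reference domain (ambiguous codes)."""
    return [r for r in records if r[field] not in allowed]


if __name__ == "__main__":
    print("completeness:", profile_completeness(RECORDS, ["student_id", "email", "faculty"]))
    print("duplicate keys:", find_duplicates(RECORDS, "student_id"))
    print("exact duplicate rows:", exact_duplicate_rows(RECORDS))
    print("valid ISO dates:", valid_iso_dates(RECORDS, "enrol_date"))
    print("faculty conflicts:", cross_source_conflicts(RECORDS, "student_id", "faculty"))
    print("email conflicts:", cross_source_conflicts(RECORDS, "student_id", "email", str.casefold))
    print("domain violations:", [r["faculty"] for r in domain_violations(RECORDS, "faculty", {"Science", "Arts"})])
```

The casefold normalization on e-mail shows why the Analyze step drills down before reporting: a raw comparison would flag 10002 as conflicting on both fields, while only the faculty difference is a real inconsistency for the steward to resolve.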
Use the DG Framework to define Audit Scope and Objectives
• Outcomes: use to specify objectives
• Core Disciplines: use to outline scope
• Supporting Disciplines: add to scope if appropriate
• Enablers: add to scope if appropriate
(The layers are linked as in the framework diagram: require, enhance, support.)
Audit Scope & DG Core Disciplines

• Data Quality Management
  • Completeness
  • Accuracy
  • Appropriateness
• Information Life-Cycle Management
  • Policies
  • Control Processes
• Information Security & Privacy
  • Identity & Access Management
  • Change Management
  • Service Management
  • Asset Management
  • Business Continuity Management
Performing a Data Governance Audit – Pitfalls & Best Practices
Pitfalls

Lack of executive support
• Lack of understanding
• Not sold on DG value proposition

Boiling the ocean
• Scoping error
• Maturity mismatch

One size fits all approach
• Different parts of the organization at different levels
• Resource and skill availability

Recommendations not matching maturity level
• "Standard spam"
Best Practices (1) – Communicate vision and build business case
• Relate to organizational imperatives
• Use DG Framework objectives to illustrate benefits
• Use DG Framework to build cause-effect narratives
• Relate DG to business processes
  • Examples: On/Offboarding, Procurement, A/P
Best Practices (2) – Select the right people
Ask the same questions of the people conducting the audit engagement and of the people performing Data Governance work:
• Appropriate DG/DM/DQ skills?
• Staffing levels appropriate?
• People engaged/motivated?

Conducting the audit engagement: work with management as early as possible if this is an issue.
Performing Data Governance work: recommend changes if found deficient.
Best Practices (3) – Policies, processes and tools
• Recommend policies fitting the organization
  • Organizational imperatives
  • Current & desired DG maturity
  • Change Management
    • IT Change Management
    • Organizational Change Management
• Choose tools/architecture fitting the organization
  • Select subset from framework or standard
  • Think crawl-walk-run
Best Practices (4) – Start as a project, run as a program
• Exec sponsor & support
• Project/program management
• Define milestones/KPIs to track progress
  • Business value metrics for executive management
  • Operational data quality metrics for data stewards
Recent U of C Data Governance Audits
Recent Data Governance Audits

Institutional Metrics Process
• Frameworks used: COSO, IBM DG, Oracle DG
• Selected findings:
  • Inconsistent content and context of source data
  • No process for data life-cycle management
  • No data quality management process

Enterprise Data Warehouse
• Frameworks used: DAMA DMBOK, IBM DG
• Selected findings:
  • Lack of data dictionary
  • No training for Data Users
  • No DG stakeholders appointed
  • Inconsistent access management processes
Questions?
Holger Reusch MBA, CFE, CISA
Audit Advisor, University of Calgary | [email protected] | 403-210-9427