Data Quality - Related Standards


CASTLEBRIDGE ASSOCIATES

Standards Frameworks and Information Quality
Extracted from Chapter 3 of Defining and Executing an Effective Data Quality Strategy
Daragh O Brien

This extract from my 2008 Industry Report Defining and Executing an Effective Data Quality Strategy (published by Ark Group) examines the role of Information Quality in relation to a number of, at first glance, competing strategic governance standards – specifically ISO27002 and COBIT.

© 2010, Daragh O Brien.

Standards Frameworks
Another key driver of Information Quality is the emergence of standards frameworks for a variety of IT related functions in your Business which either expressly or implicitly require the quality of information in your organisation to be managed. While Information Quality may not be the expressed objective of many of these standards, the only effective way to ensure and assure compliance is to effectively manage Information Quality in your organisation, if only for a defined information group. It is also important to remember that while certain standards may be implemented by the IT function in the organisation, the challenge of managing the quality of the information that evidences how the organisation meets those standards requires both Business and IT to work together to ensure that the information meets or exceeds the expectations of the standards and to ensure compliance with those standards. In addition, for organisations wrestling with multiple, potentially competing, requirements to comply with different standards it is valuable to highlight the common thread of requirements for the control and improvement of Information Quality that can be found in a variety of standards today. Unfortunately the nature of this report precludes an exhaustive analysis of all possible relevant standards and their possible Information Quality elements. To that end, I have selected just two for specific discussion and will make reference to the emergence of specific International standards for Information Quality practices.

ISO 17799:2005 (aka ISO 27002:2005)

About the Standard
ISO 17799:2005 is an information security standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and is based on a pre-existing British Standard, BS 7799-1:1999. In July 2007 the ISO renumbered the standard to bring it into line with the other standards in the 27000 series. The current official designation for the standard is ISO 27002:2005 and this is the reference that will be used throughout this report. The standard provides 'best practice' recommendations for Information Security Management across a number of headings:

1. Risk Assessment
2. Security policy - management direction
3. Organization of information security - governance of information security
4. Asset management - inventory and classification of information assets
5. Human resources security - security aspects for employees joining, moving and leaving an organization
6. Physical and environmental security - protection of the computer facilities
7. Communications and operations management - management of technical security controls in systems and networks
8. Access control - restriction of access rights to networks, systems, applications, functions and data
9. Information systems acquisition, development and maintenance - building security into applications
10. Information security incident management - anticipating and responding appropriately to information security breaches
11. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
12. Compliance - ensuring conformance with information security policies, standards, laws and regulations

The Information Quality Perspective
There are distinct overlaps between Information Quality objectives and the guidelines in ISO 27002:2005, particularly with regard to headings 3, 4, 5, 8, 9 and 12 in the list above. In order to achieve many of the objectives of the Information Security standard, organisations inevitably need to address the completeness, consistency, timeliness and accuracy of information about their information assets, systems, users, system access rights etc. In addition, adequate governance and controls need to be in place to ensure Information Security. Many of these Governance objectives are complementary to, or directly parallel, the Governance requirements for Information Quality. We will now examine in more detail some of the more salient points of overlap between the Information Quality agenda and ISO 27002:2005.

Asset Management – Inventory and Classification of Information Assets
ISO 27002:2005 recommends that organisations conduct an inventory and classification of the information that they manage with a view to ensuring that all information maintains an appropriate level of protection. If approached from a pure "IT" perspective, these inventories of Information Assets risk becoming focused purely on the question of what servers and systems you have in your organisation and who uses them. This may not adequately address the questions of what information is held on those systems, where it comes from, what it is used for and who uses it. As we will see later in this paper when we look in detail at some methodologies for Information Quality, understanding the important Information 'groups' that your organisation manages, the key Information Assets in your organisation, is an important first step in Information Quality improvement. From an Information Quality perspective, the inventory and classification of Information Assets starts with the question "What are the things we need to know about to run the Business?" From there you can drill into identifying where your Customer data resides in the organisation (is it one system or multiple systems), where your Product information is created and stored, who can access it, etc.

It could be said that the deliverable of this type of Inventory would be to answer the Row 1/Column 1 requirements of the Zachman Framework and provide key inputs for answers to some of the other Row and Column intersections. From an IT Security perspective, the objective of conducting the inventory of Information Assets is to allow you to identify and prioritise what information needs to be protected and where. Once you understand where the information is, how it can be accessed and where it could escape your control, you can assess the costs and risks of Information Security better. From an Information Quality perspective, the same information can be used to identify which information groups (e.g. 'Customer Information', 'Product Information', 'Order-to-Cash Process Information') your organisation is managing, where that information is held and which information groups are likely to carry the greatest cost and risk of non-quality information.

Human Resources Security Aspects and Access Control
Under ISO 27002:2005, there are a series of guidelines around the Information Security aspects for employees joining the organisation, leaving the organisation or being moved around within the organisation. Ultimately, this raises Information Quality issues such as:

- Correct spelling of names or format of names
- Timeliness of Staff Number information (where that is required to issue logins etc.)
- Timely notification of employee hires, fires and promotions/transfers so that system access rights can be created, amended or deleted as required.

From an Information Quality perspective, the Security expectation is a key Information Consumer expectation that needs to be met with Human Resources information. Security Officers in organisations need to know that when they elect to kill the access rights to systems for employee "Daragh O Brien" on his departure, that employee doesn't also have logins or remote access credentials under the names "Darragh O'Brien", "Dara O'Brien", "Darach O'Brien" or "Dara Ó Briain" (all of which are perfectly valid alternate spellings of my name). In practice this means that leaver processing has to be keyed on a stable identifier such as the Staff Number, not on the spelling of a name. Likewise, employees are entitled to expect that their systems access rights will not be curtailed because the HR department spelled their name incorrectly and it didn't match the name associated with the system login. For example, suppose you have a team member called Rachael (please note the spelling) and you had submitted system access requests using the correct spelling of her name. Would it impact your team's productivity if her access to a key system required for her job was curtailed because HR had misspelled her name as "Rachel" and, as a result, there was no 'match' on a straight character-for-character comparison between the particular system access lists and the HR 'Active employees' list? Would it be particularly irksome if it transpired that Rachael had been trying to get the spelling of her name corrected on the HR system but it had not been actioned?

By ensuring appropriate controls on the quality of Information in HR processes, security of information can be assured in a manner that reduces the impacts of errors on employee productivity.
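The two failure modes described above (a leaver's variant-spelled logins surviving revocation, and a correctly named employee being cut off because HR misspelled her) both come from matching on names. The following reconciliation is an added example, not code from the original report: it contrasts name-keyed matching with matching on the employee identifier recorded when access was provisioned, and treats a name difference as a data quality finding to send back to HR rather than as a reason to touch access. The HR roster, the access lists, the employee IDs and the logins are all constructed for the example.

```python
"""Joiner/mover/leaver reconciliation keyed on a stable employee identifier.

Added example (not from the original report). The HR roster, the system
access lists, the employee IDs and the logins below are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class HrRecord:
    employee_id: str   # stable key issued by HR at hire
    name: str          # as HR has spelled it (may be wrong)
    status: str        # "active" or "left"


@dataclass(frozen=True)
class Account:
    system: str
    login: str
    employee_id: str   # captured when the access request was raised
    display_name: str  # as the system owner typed it


# Constructed sample data: one leaver with three accounts under variant
# spellings, one active employee whose name HR misspelled, and one
# account whose employee_id has no HR record at all.
HR_ROSTER: List[HrRecord] = [
    HrRecord("E1001", "Daragh O Brien", "left"),
    HrRecord("E1002", "Rachel Smith", "active"),   # HR misspelled "Rachael"
    HrRecord("E1003", "Priya Nair", "active"),
]

ACCESS_LISTS: List[Account] = [
    Account("crm", "dobrien", "E1001", "Daragh O Brien"),
    Account("vpn", "darragh.obrien", "E1001", "Darragh O'Brien"),
    Account("wiki", "dara.obriain", "E1001", "Dara Ó Briain"),
    Account("billing", "rachael.smith", "E1002", "Rachael Smith"),
    Account("crm", "pnair", "E1003", "Priya Nair"),
    Account("vpn", "contractor7", "E9999", "J. Doe"),
]


def naive_revoke_by_name(roster: Iterable[HrRecord], accounts: Iterable[Account]) -> Set[str]:
    """Leaver processing keyed on the name HR sent across, exact match only.

    Misses every login provisioned under a variant spelling of the leaver's name.
    """
    leaver_names = {r.name for r in roster if r.status == "left"}
    return {a.login for a in accounts if a.display_name in leaver_names}


def naive_active_list_clash(roster: Iterable[HrRecord], accounts: Iterable[Account]) -> Set[str]:
    """Periodic 'is every login on the active employee list?' check, by exact name.

    Catches the leaver's variants, but also suspends anyone HR has misspelled.
    """
    active_names = {r.name for r in roster if r.status == "active"}
    return {a.login for a in accounts if a.display_name not in active_names}


def reconcile_by_employee_id(roster: Iterable[HrRecord], accounts: Iterable[Account]) -> Dict[str, List[str]]:
    """Reconcile on employee_id; treat a name difference as a data quality finding.

    revoke        - login belongs to someone HR says has left (any spelling)
    orphan        - login carries an employee_id HR has never heard of
    name_mismatch - active employee, but HR and the system disagree on the
                    spelling; report it to HR, do not touch the access
    """
    by_id = {r.employee_id: r for r in roster}
    findings: Dict[str, List[str]] = {"revoke": [], "orphan": [], "name_mismatch": []}
    for account in accounts:
        record = by_id.get(account.employee_id)
        if record is None:
            findings["orphan"].append(account.login)
        elif record.status != "active":
            findings["revoke"].append(account.login)
        elif record.name != account.display_name:
            findings["name_mismatch"].append(account.login)
    return findings


if __name__ == "__main__":
    print("name-keyed leaver revocation:", sorted(naive_revoke_by_name(HR_ROSTER, ACCESS_LISTS)))
    print("name-keyed active-list clash:", sorted(naive_active_list_clash(HR_ROSTER, ACCESS_LISTS)))
    for category, logins in reconcile_by_employee_id(HR_ROSTER, ACCESS_LISTS).items():
        print(f"id-keyed {category}:", logins)
```

Run stand-alone, the name-keyed leaver check revokes only the CRM login and leaves the VPN and wiki credentials in place, while the name-keyed active-list check wrongly lists Rachael for suspension. The ID-keyed reconciliation revokes all three leaver logins regardless of spelling, flags the contractor login that HR cannot account for, and reports the Rachael/Rachel discrepancy to HR without curtailing her access. The precondition is that the employee identifier is captured at provisioning time, which is itself one of the timeliness requirements listed above.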

Compliance
ISO 27002:2005 contains some best practice guidelines for compliance with other regulations etc. As already identified, Compliance is a key driver for the renewed interest in Information Quality amongst organisations. Whether it is a need to comply with the “Accuracy” requirements of European Data Protection regulations, or with Sarbanes-Oxley or Basel II, as we have already discussed there is a clear role for quality management of Information in achieving Compliance objectives.

Conclusion
There are clear overlaps and parallels between the drivers for Quality Information and the practices necessary to meet the standards required by ISO 27002:2005, formerly known as ISO 17799. While some organisations may view their Information Security objectives as being distinct from their Information Quality requirements, in reality there are sufficiently strong interdependencies between the two sets of objectives to suggest that they are at worst parallel programmes which could benefit from sharing tools, techniques and experiences. Application of Information Quality Management principles and methodologies to ISO 27002:2005 compliance initiatives will improve the quality of the deliverables and will help to better ensure and assure the security of your information. Equally, approaching Information Quality strategy with an understanding and awareness of the role of Information Security as a stakeholder and potential ally will benefit the execution of the Information Quality strategy, not least because it will not appear to be yet another 'fad' programme to distract people from their 'real' jobs.

COBIT Framework
The COBIT Framework (Control Objectives for Information and related Technology) is a set of best practices for information technology management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. The COBIT framework is built on four main strategic domains:

- Plan and Organise
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate

Within each of these domains there is a sub-set of high level control objectives to be addressed. Each of these control objectives addresses a specific component of Information or Information Technology management that needs to be addressed in some form to ensure adequate and effective control of Information and its related Technologies. These high level control objectives are listed below.

Table 1: COBIT Framework High Level Control Objectives

Plan & Organise
PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire & Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Deliver & Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor & Evaluate
ME1 Monitor and Evaluate (IT) Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

Much like ISO 27002:2005, the COBIT Framework is not a certifiable specification but a defined set of recommended best practices to achieve high standards in the control and operation of Information and Information Technology (ISO 27002 is a code of practice; certification is against its companion standard, ISO 27001). Also, COBIT and ISO 27002:2005 are not incompatible; rather they are complementary Best Practice frameworks, with the ISO standard focussing on the specific challenges of securing information, which relates directly to the COBIT DS5 objective (Ensure Systems Security).

The Information Quality Perspective
From the perspective of Information Quality, it is interesting to note that within the name of the framework there is a clear distinction between Information (the 'asset' being managed) and "related Technology" (the tools used to manage the Asset). A number of commentators have highlighted that, while COBIT only explicitly mentions information quality as one item in the midst of a number of Data Management recommendations published with the Framework, the implication is that if you do not address data quality then you will not achieve your control objectives. In the words of Cass Brewer of the ITCi: "CobiT's pert reference to data quality at level 0 in its maturity model essentially says that without data quality you're nowhere, whatever your other data management controls." [1] Looking at the various control objectives within COBIT, it is clear that a number of them are dependent on good quality information (or at least an understanding of the poor quality of your information) in order for your organisation to achieve them. I have selected some of the High Level Control objectives and have mapped the Information Quality component of each of them in Table 2 below. This mapping is not exhaustive and further correlations can be found between the COBIT Framework and Information Quality Management.
Table 2: Example mapping of COBIT Control objectives to Information Quality

Control Objective | Information Quality Component

PO8 (Manage Quality) | This is self-explanatory. In order to manage the quality of your IT processes you need to manage the quality of the information that is consumed and produced by those processes.

PO10 (Manage Projects) | As we have already seen from our discussion of the failure rates of Data Migrations, understanding the level of information quality in your organisation and actively planning how to manage the Project (and operational) risks associated with it is a key challenge for most organisations.

AI1 (Identify Automated Solutions) | Automation of a process which is either accepting or creating poor quality information will result either in a breakdown of the automated solution or a backlog of exceptions which will need to be manually addressed. Understanding the levels of Information Quality and the root causes of non-quality allows for better implementation of appropriate automated solutions.

DS11 (Manage Data) | In managing Data it is appropriate to manage the quality of that data.

ME3 (Ensure Regulatory Compliance) | In order to ensure Regulatory Compliance, in many cases organisations will produce compliance reports and reporting on the operation of controls that seek to identify defects in their information that might give rise to a Regulatory breach (e.g. customers being billed for services they do not have). Organisations that understand this to be a form of Information Quality monitoring often move to proactive prevention of Regulatory breach as opposed to reactive 'scrap and rework'.
Conclusion
While the COBIT framework does not expressly mandate the management of Information Quality, the reality is that to achieve many of the High Level Control Objectives set out by the Framework, organisations do need to address their management of the quality of their information. As we will see when we look at some of the methodologies for Information Quality Management, there are also overlaps between many of the Control objectives and key steps that are recommended by some 'gurus' to develop a robust Information Quality Management capability in your organisation.

[1] Brewer, Cass, "Dissociative Disorder: Compliance, Data Quality, and Cognitive Dissonance", http://www.tdwi.org/Publications/display.aspx?id=8125, 2007/09/29, last accessed 2007/12/29 @13:46 GMT.

Emerging ISO Standards for Information Quality
The ISO has commenced work on a new standards set for Information/Data Quality under the auspices of the ISO/TC184/SC4 Standards Committee. This committee has authorized the WG13 (Working Group 13) that is developing these standards. Currently the draft standard is ISO 8000, a standard for industrial data quality. The IAIDQ (International Association for Information & Data Quality), the leading professional organisation for Information Quality Practitioners, is a Category A Liaison to the ISO/TC184/SC4 committee. Work is continuing on this standard and readers should check the ISO website (www.iso.org) for further information.

Conclusion
Many of the standards selected for discussion in this paper are primarily IT focussed. However, this should not be taken to mean that Information Quality is an IT issue. This is far from the case. Indeed, one of the leading thought leaders in the field, Tom Redman, has this advice for IT professionals tasked with improving Information Quality: "If you are in IT and you are tasked with fixing data quality in your organisation, get out. Get out of IT and go to work in the Business because that is where you can make the necessary changes." [2] What this highlights is that for the Enterprise, the organisation as a whole, to achieve its objectives of Compliance through the pursuit of various standards or frameworks, Business and IT need to work together to address the issues raised by poor quality Information and poor Information Quality Management. This requires more than just recognition within the Information Technology strategic plan that Information Quality is an important element of achieving these high standards and high level Control objectives. It requires an acceptance within the Business that to achieve these improvements they must lead the change. While there are a number of different standards frameworks and objectives that might be met, ultimately there is a common 'foundation' that links them, and that is the need to ensure good quality information in the operation of Business (and IT) processes.

[2] Response given in answer to a question about the ability of IT to lead Information Quality change at the 2007 IDQ Conference in Las Vegas.

Figure 1: Information Quality as a key Foundation discipline

Organisations that recognise the significant foundational role of good quality Information in the context of other Best Practice frameworks or regulatory requirements that they are seeking to meet will inevitably achieve improved synergy between the requirements of each standard and framework. Furthermore, compliance with these frameworks and standards will be seen as a value-adding function as the quality of information in the organisation improves, reducing costs associated with process failure, rework and compliance risks, and improving profitability in the organisation.
