The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
Enterprise Data Governance for Financial Institutions
1. Data Governance starts with planning;
• Metadata Management
• Master Data Management
• Data Quality Management
• Data Privacy & Security
Enterprise Data Governance
for Financial Institutions
2. What is Data Governance?
Ref. http://searchdatamanagement.techtarget.com/definition/data-governance
Is what FIs tracks
in spreadsheets
today.
Uses MDM technology
to enhance FI data
quality and provide
metrics on data
governance programs.
Defines FI standards
for data and who
will be accountable.
Assigns a security
classification type to
all structured and
unstructured data
within the Financial
Institution (FI).
3. Benefits of Data Governance
• Adopting a Data Governance strategy can help Financial
Institutions protect sensitive information from attack or
misuse and also helps the organization use its data more
effectively.
• Good Data Governance practices and data security
classification help to protect against and limit the risks
of a data breach, data leakage or human misuse of data.
• By having a Data Governance program, organizations can
establish data storage lives and destroy old data to reduce
data storage and maintenance costs. Providing a small boost
in ROI of Data Warehousing & Business Intelligence Programs.
4. Basic
Immature policies
and procedures
Lack of training
and awareness
Limited technology
Standardized
Established policies
and procedures
Formal training
and awareness
Minimal technology
Rationalized
Process and
procedure
Improvement
Formal training and
compliance metrics
Reduced reliance on
manual controls
Dynamic
Process
transformation and
more integrated
compliance efforts
Formal training and
compliance metrics
Fully automated and
integrated controls
managed by IT
Data Governance Maturity Model
Resource & Technology
Investments
Time
5. Data Governance Strategic Objectives
•Produces information that is easily accessible, standardized,
and sourced from a single place.
•Produces information that can be used to make and support
operational and strategic business decisions.
•Ensures data is captured, mapped, stored, managed, retained
and archived in accordance to FFIEC compliance regulations.
INFORMATION DELIVERY
Information Management of
Enterprise Reporting Content
•Assists in dismantling business systems that are designed or
built with architectural dependencies on other applications.
•Consolidation of business application and reporting systems.
SIMPLIFY SYSTEMS
Deprecation of Ad-hoc Legacy
Business Systems
•Supports the deployment of new applications by
standardizing key business terms to enable data conversion
and configuration of application integration points.
ENABLING CAPABILITY
Enabling the Deployment of New
Business Applications
•Provide quality support services that add value to FI
reporting data stakeholders and business users.
•Maintains safety and soundness of all the data used and
shared by the Financial Institution.
ONGOING OPERATIONS
Maintaining business functions
that maximize daily operations
6. Metadata Management
Specifies the basic components of data into
information that can be re-used to improve
business operations and processes, including:
• Design & control of Data Dictionary
• Identifying Data Stewards & Data Owners
• Retrieval of data from databases
• Design of information processing systems
• Design of EDI-messages
• Maintenance of items in a metadata repository
7. Metadata Repository (MDR)
• A Metadata Repository is designed to capture
the “basic components” or the semantics of
data, independent of any application or subject
matter area.
• MDR’s can reduce the time and costs of
defining and approving the semantics of data
by re-using basic components that have
already been approved by our data stewards.
8. MDR Registration Model
2
6
3
4
1
5
7
1) Project submits a term to
MDR for registration
2) Project team notifies
Registrar submitted item is
ready for certification
3) The submitted item is
routed to Data Stewards
4) Data Stewards work with
the project teams to define
terms and definitions
5) Term is pending approval
6) Term is approved by the
EDM voting members
7) Term is certified for use in
the MDR registry and
updated in the FCBT WIKI.
A Registration Process Model can be viewed here.
MDR Registration Process
9. Classification of Metadata Attributes
Attribute Definition Occurrence Required Metadata
Term Name The MDM approved term name. One per data element Yes
Business Definition The MDM approved definition One per data element Yes
Valid Values Examples of data element, amount, date, selection list or
other
If applicable Yes, If applicable
Standardized
Formula
Calculation used to derive a data element metric or
amount
One per data element Yes, If applicable
Source Reference The system the data element originates from Can be multiple systems of origin Yes, used to determine
ownership
Data Owner The decision contact for data quality and data privacy Could be more than one per data
element
Yes
Data Steward Definition contact. Appointee of the business owner. Could be more than one per data
element
Yes
Submission Contact Appointee of the project team One per data element Yes
Creation Date Date a data element was submitted One per data element Yes
Last Change Date Shows when a data element was last updated One per data element Yes
The complete Metadata Classification Schema can be viewed here.
10. Master Data Management
Brings together the:
• Business Rules for Data Quality
• Procedures for Metadata Management
• IT Roles & Responsibilities
• Progress Tracking & Reporting
• Data Privacy Classifications for all the
data within the organization
• Auditable Time Stamps & User IDs
11. Benefits of MDM
Master Data Management (MDM) is a methodology
for researching and implementing controls and
business rules around your data.
The many benefits to implementing Master Data
Management include;
- Preventing critical errors in data quality
- Preventing data loss, breach and negligence
- Improve efficiency and availability of information
needed for business decision making
12. Challenges of Implementing MDM
• Lack of centralization
• Data misunderstandings
• Lack of defined metadata attributes
• Poor data quality rules and guidelines
• Other priorities
• Lack of training and awareness
• No clear definition of success
13. Master Data Management Maturity
No MDM
Metadata
Schema and
Mgmt. Plan
Stewardship
and Project
Team Mgmt.
Model
Centralized
Hub
Processing
of all
application
database
data
Business
Rules for
Data Quality
& Policy
Support
Data Privacy
& Security
Processing
Maturity
Time
INVEST
14. MDM Capabilities and Enablers
Key Business Capabilities
• Well defined, documented,
and enforced policies and
processes for governing
master data and data quality
• Cross-functional teams of
business stakeholders
• Well documented, regularly
reviewed and updated
operational procedures
Key Technology Enablers
• Established metadata
schema and metadata
repository
• Data or information
consistency, migration,
quality, and transformation
tools (ETL)
• IT enabled access controls,
process management, and
security solutions
15. Solutions for MDM Life Cycle
Strategy
• MDM
Roadmap
• Program
Development
• Readiness
Assessment
• Data Quality /
Stewardship
Programs
Planning
• Project
Planning
• Tool
Assessment
• Architecture
Design
• Success
Metrics &
Reporting
Implementation
• Requirements
Workshops
• MDM Design
• MDM Process
• Stewardship
Process
• Data Quality
Support
• Policies &
Procedures
• SLA
Management
• MDM Training
• Change
Management
MDM Maturity Accelerators
• MDM Methodology
• Project Plans
• Architecture Frameworks
• Best Practice Techniques
• Training Curriculum
• New Technology Tools
16. Data Quality Management
Data Quality Management is the process of
establishing roles & responsibilities and the
business rules that govern data by bringing
the Business and IT to work together.
Their task is two-fold:- to address the
problems that already exist and to prevent
the potential ones from occurring.
Ref. http://blogs.perficient.com/businessintelligence/tag/data-governance/
17. Data Quality and Data Governance:
The Basics
• Business Rules
– Enterprise Architecture
– Naming and Identification Principles
– Formulation of Data Definitions
– Data Definition Process
• (see Data Registration Model)
• Roles & Responsibilities
– Business & IT Subject Matter Experts (SMEs)
18. Business Rules
Naming and Identification Principles
Each administered item shall have a unique data identifier
within the metadata register. (ex: ID_KEY)
A naming convention shall cover all the following aspects;
a) the scope of the naming convention, e.g. established
industry name
b) the authority that establishes names
c) semantic rules governing the source and content of terms
used in a name
d) syntactic rules covering required term order
19. Business Rules
Formulation of Data Definitions
A data definition should:
a) be stated in the singular
b) state the concept as a descriptive phrase or sentence(s)
c) contain only commonly understood abbreviations
d) be expressed without embedding rationale, functional
usage, or procedural information
e) use the same terminology and consistent logical
structure for related definitions
20. Roles & Responsibilities
Data Governance Council –
comprises of an Information
Management Head and Data
Stewards from various units.
Information Management Head –
is the one who is accountable to
the Governance Council on all
aspects of data quality. This role
would typically be fulfilled by the
CIO.
Data Stewards - are the unit heads
who lay down the rules & policies
to be adhered to by rest of the
team. This role would usually be
fulfilled by a Program Manager.
Ref. http://blogs.perficient.com/businessintelligence/tag/data-governance/
Data Custodians – are responsible for
the safe storage & maintenance of data
within the technical environment.
DBA’s would normally be the data
custodians in a firm.
Business Analysts – are the ones who
convey the data quality requirements
to the data analysts.
Data Analysts – are those who would
reflect the requirements into the
model before handing it over to
the development team.
Internal Audit – reviews procedures to
determine how well we did.
21. Data Privacy & Security Management
Financial institutions should control and protect
access to paper, film and computer-based media
to avoid loss or damage. Institutions should;
• Establish and ensure compliance with policies
for handling and storing information,
• Ensure safe and secure disposal of sensitive
media, and
• Secure information in transit or transmission to
third parties.
http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/data-security.aspx
FFIEC Action Summary
23. Data Privacy & Security Challenges
• Information Security
– Organizations need to worry about evolving criminal enterprises,
but they also need to worry about small storage media devices
that can easily be lost or stolen.
– The financial and reputational costs that data breaches can have
on an organization is significant.
• Information Privacy
– The sensitive information involved in data breaches, and the
potential for an increase in identity theft cases has consumers
thinking twice about their personal information being held by
organizations.
• A Complex Regulatory Landscape
– Stop security threats and protect consumers’ personal information
– Spread awareness of best practices and promote self-regulation
Ref.http://tfs.sharepoint.nterprise.net/sites/Enterprise%20Data%20Mgmt/Project%20Management/EDM%20Presentations/Data%20Governance%20Research%20Files/Guide_to_Data_Governance_Part4_A_Capability_Maturity_Model_whitepaper.pdf
24. Data Governance Privacy &
Compliance Framework
People
• Committed and engaged executive leadership
• Trained, aware and accountable employees
Process
• Structured, repeatable, and adaptable process
• Data Classification & Data Stewardship
Technology
• Secure infrastructure that protects information
• Auditing and Reporting of access controls
25. Data Governance, Risk Management,
and Policy Compliance
• Governance ensures that the business focuses on
core activities, clarifies who has the authority to
make decisions, and addresses how performance
will be evaluated.
• Risk Management is a systematic process for
identifying, analyzing, evaluating, remedying, and
monitoring risk.
• Compliance refers to actions that ensure behavior
that complies with established rules as well as the
provision of tools to verify that compliance.
26. Data Governance Policies
• Data Stewardship (authority) Policy
• Data Classification Policy
– Public Information
– Internal Use Only
– Restricted Data
– Confidential Data
28. Data loss/leak prevention solutions are designed to
detect potential data breach incidents in a timely
manner and prevent them by monitoring
data while in-use, in-motion and at-rest.
A data leakage incident is when,
sensitive data is disclosed to
unauthorized personnel by
malicious intent
or human
mistake.
DLP (Data Loss Prevention) Software
INTERNET
DLP Suite
29. DLP Technology Domains
• Safeguard against malware and intrusions
• Protect systems from evolving threats
Secure Information
•Protect sensitive data from unauthorized access or use
•Provide management controls for identity, access , and provisioning
Identity and Access Control
•Protect sensitive data in structured databases
•Protect sensitive data in unstructured documents, messages, and records
•Automate data classification
•Protect data in motion
Information Protection
•Monitor to verify integrity of systems and data
•Monitor to verify compliance with policies
Auditing and Reporting
In this presentation series we will discuss;
1) What Data Governance is, and what the Visions & Objective of EDM are.
2) Identify how we use Master Data Management to analyze Data Quality in our business terms and metrics used in standard management reports.
3) Establish a Stewardship model to ensure Data Ownership & eliminate Risks of Data Miss-Management.
4) And finally, discuss how we use Data Loss Prevention Technology to ensure data privacy and security controls are being met.
Data Governance refers to the overall management of the availability, usability, integrity, and security of the data within any enterprise. A sound data governance program includes a governing body, a defined set of procedures, and a plan to execute those procedures over time.
Data Governance consists of the following FOUR main pillars of excellence;
Metadata Management – It involves deciding what information about your data to track and storing the information about your data by means of a metadata repository.
Master Data Management (MDM) – It is a process of collecting and aggregating all the data within the organization into a single source of truth.
Data Quality Management – It involves defining the governing business rules for your data quality and then formally training the Business and IT together with a focus on that quality.
Data Privacy & Security – Utilizes data protection technology and MDM tools to manage data classifications and uses those standards to enhance the organizations level of protection from unauthorized users and other data related threats.
How is Data Governance different from IT Governance?
Data Governance complements IT Governance. Data Governance focuses on creating a structure that will enable the organization to align data management efforts to business objectives, support regulatory compliance and manage the risks associated with managing data.
To borrow an analogy commonly used by the data management community: IT Governance focuses on the pipelines in the organization’s IT infrastructure, Data Governance focuses on the water that flows through those pipelines.
How does Data Governance relate to data retention?
Data Retention is the practice of keeping records of data and metadata that are generated by an organization while conducting regular business operations. Knowing our records retention policies by department and where the data is stored allows us to manage records retention and destruction.
Data Governance Initiatives take Investments in Resources & Technology over Time with constant improvement to meet evolving regulations.
Although it can take a considerable amount of time and effort to set up good Data Governance initiatives there is no doubt that it is going to improve the overall process of meeting objectives and resolving conflicts.
We are approaching standardized processes today. We have training and awareness programs for security, and we have expanded our policies and procedures to include more collaboration and communication of responsibilities around data quality.
For us to move toward Rationalized Maturity Level, we would need to establish Metadata standards and create Master Data Management process and procedures that will be delivered as training to employees of the process.
Improve decision-making of management
Ensure data consistency and common understanding across the organization
Build trust of data among everyone involved in the process
Re-use of standardized data components over time, space, and applications, and passes saving to all future project budgets
Eliminate risks related to data privacy and security
Adhere to compliance requirements
The following table lists some of the attributes of a classification system that may be recorded in an MDR.
When we talk about investing in Technology, we often talk about ROI. This is easily done with simple value mapping.
Master Data Management tools can;
Help IT meet the organization’s strategic objectives for data privacy and data quality by providing a single source of reference.
MDM tools provide a way to measure, track and report progress of data quality tasks performed.
MDM tools provide a way to track and manage data classification at the column, table and database layer.
New Definitions for ROI, could be Risk of NO Investment
Risk of Internal Control Deficiency
Risk of Inefficiencies
Risk of Ineffectual Data Quality Practices
Risk of Impossible Odds of Succeeding With Planned Data-Related Projects
Some organizations are setting up new teams, others are re-fashioning existing teams. Either way, new roles, responsibilities and structures are still required. Identifying key resources, aligning them to a strategy, and evolving critical roles over time will enable long-term success with MDM.
Why do people-related issues become the biggest challenges in MDM?
What key roles must be formalized and how do they inter-relate?
Which stakeholder management tactics are most effective?
As MDM shifts from an abstract discipline to a tangible program, governance has to appropriately expand. This broader scope still encompasses data stewardship aspects, but it also has to entail additional decision areas that ensure the value and sustainability of the MDM program.
What should the scope of MDM program governance cover?
What are the different implementation options of master data governance?
What are the barriers to effective master data governance and how can they be overcome?
Integrating business strategy and vision is critical for driving business and technology change and investment. One vehicle for communicating and uniting IT and business efforts is a high-level business capability map, as well as the ability to drill down to deeper levels of analysis.
A company’s Master Data Management program should be an enterprise-wide initiative. However, it is often difficult to start the initiative across the entire enterprise. The key is to embark upon tactical projects that are aligned with an overall enterprise vision for MDM. Pick a starting point with limited scope that proves the technical approach and delivers faster business benefits.
An important thing to note is “There is no such thing as an MDM project, just business projects requiring MDM. MDM must be treated as a program and therefore funded as one. Business realities make this very difficult to achieve — specifically, political, organizational, and cultural barriers stand in the way.” – Gartner MDM
Why is Data Quality Mgmt necessary?
A naming convention specifies how names shall be formulated. An effective naming convention can enforce the exclusion of irrelevant facts about the administered item from the name, such as the input source of a data element or its field position in a file.
Another example: Definitions should not use the term to define the term. Ie: past due should not be defined as loans past due.
There are various roles involved in this process and all of them have to be accountable to ensure data quality. Its vital that the roles are clearly defined upfront. The following are some of the commonly recognized roles and a link to the specific responsibilities of each role.
DELIVERED BY ALVIN/LUIS?
FCBT is working diligently to implement Data Privacy and Security Management solutions across the District to protect all our sensitive data from loss using the guidance of regulatory requirements outlined by FFIEC for securing, transmitting and disposing of data.
The OBJECTIVE is to assign a data classification such as (Public, Private, Confidential) to each data element and then use a protection profile to describe the types of protection that should be applied to data in each classification.
The profile is used to develop and asses controls within the institution and to develop contractual controls and requirements for those outside the institution who may process, store, or otherwise use that data.
FFIEC offers guidance on;
1) Theory and Tools
2) Practical Application
Handling and Storage
Disposal
Transit
DELIVERED BY ALVIN?LUIS?
Average record cost per file = $194-$214 according to Poneman research http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2012Mar_worldwide__CODB_US
Negligent insiders and malicious attacks are the main causes of data breach. 39 % of organizations say that negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker.
Detection and escalation costs declined but notification costs increased. Detection and escalation costs declined from approximately in $460,000 in 2010 to $433,000 in 2011. These costs refer to activities that enable a company to detect the breach and whether it occurred in storage or in motion. This suggests that organizations in the 2011 study had the appropriate processes and technologies to execute these activities.
Notification refers to the steps taken to report the breach of protected information to appropriate personnel within a specified time period. The costs to notify victims of the breach increased in this year’s study from approximately $510,000 to $560,000. A key factor is the increase in laws and regulations governing data breach notification.
Maintaining the privacy and confidentiality of data, as well as meeting the requirements of a growing list of related compliance obligations, are top concerns for government organizations and enterprises alike.
Addressing these challenges requires a cross-disciplinary effort involving a varied list of players human resources, information technology, legal, business units, finance, and others—to jointly devise solutions that address privacy and confidentiality in a holistic way.
Data governance is one such approach that addresses many aspects of data management, including information privacy and security as well as compliance.
People: The people make up the steering committee, data stewards and information security officers. They are the subject matter experts from different areas of the organization that will collaborate to develop a comprehensive set of process and technical controls that support approved policies, standards, and procedures.
Process: The process consists of;
Adhering to data privacy and confidentiality principles
Applying continuous process improvement methods; (Plan-Do-Check-Act-Repeat)
Keep each process structured, manageable, and repeatable
Technology: Represents the tools for evaluating risks (DLP) and enables the technical and manual controls for mitigating those risks.
Data Stewardship Policy – define who is responsible for ensuring effective control and use of data assets according to data security and privacy requirements.
Data Classification Policy - is the enterprise-wide classification scheme that defines appropriate security levels and protection controls, data retention policies, and criticality and sensitivity of enterprise data (e.g., public, confidential, top secret). Tagging confidential information covered by statutes and regulations with the associated authority document is also a good idea. The classification scheme should apply to both structured and unstructured data.
Each policy should clarify the following basic elements:
Purpose of the policy.
Policy statement.
Whom the policy affects and their associated role and responsibilities.
How the policy will be monitored for compliance (metrics and related key performance indicators).
What enforcement actions will be taken against policy violators.
Diagramming
Multiple techniques can be used for diagramming. Microsoft product teams and our consulting services organization typically use data flow diagrams (DFDs) with the addition of “trust boundaries.” A trust boundary is a border that separates business entities and/or IT infrastructure realms, such as networks or administrative domains. Every time confidential data crosses a trust boundary, basic assumptions about security, policies, processes, and practices—or all of these combined—might change, and with them the threats that will be identified in the next step.
Threat Enumeration
Once the diagram is ready and all trust boundaries have been identified, the next step is enumerating potential threats against privacy and confidentiality using the four data privacy and confidentiality principles and identifying threats that might affect the integrity of each one. Here are the four principles, each followed by examples of threat types
Principle 1: Honor policies throughout the confidential data lifespan
Choice and consent (collection, use, and disclosure)
o Inadequate notice of data collection, use, disclosure, and redress policies.
o Unclear or misleading language or processes for the user to follow in choosing and providing consent for the collection and use of personal information.
Individual access and correction
o Limited or nonexistent means for users to verify the correctness of their personal information.
Accountability
o Lack of necessary controls to enforce customer choice and consent, as well as other relevant policies, laws, and regulations, including data classification.
Principle 2: Minimize risk of unauthorized access or misuse of confidential data
Information protection
o Lack of reasonable administrative, technical, and physical safeguards to ensure confidentiality, integrity, and availability of data.
o Unauthorized or inappropriate access to data.
Data quality
o Lack of means to verify accuracy, timeliness, and relevance of data.
o Lack of means for users to make corrections as appropriate.
Principle 3: Minimize impact of confidential data loss
Information protection
o Insufficient safeguards (i.e., strong encryption) to ensure confidentiality of data if it is lost or stolen.
Accountability
o Lack of a data breach response plan and an escalation path.
o System does not encrypt all confidential data.
o Adherence to data protection principles cannot be verified through appropriate monitoring, auditing, and use of controls.
Principle 4: Document applicable controls and demonstrate their effectiveness
Accountability
o Plans, controls, processes, or system configurations are not properly documented.
Compliance
o Compliance cannot be verified or demonstrated through existing logs, reports, and controls.
o Lack of a clear noncompliance escalation path and process.
o Lack of a breach notification plan. Lack of other response plans that are required by law.
DELIVERED BY ALVIN/LUIS?
Intro to DLP and what we are protecting by using this technology with a security in depth model.
* How often do we send out information that is not encrypted and that should be?
* Do employees have access to post on social network sites, linkedin, wordpress, twitter or facebook?
* Have you ever been tempted to send files to your personal account to be able to catch up on work while at home?
* How do you currently prevent these kinds of situations from spilling or losing data that could be considered a compliance breach?
Secure Infrastructure
Safeguarding confidential information depends fundamentally on a secure technology infrastructure—one that protects computers, storage devices, operating systems, applications, and the network against malicious software and hacker intrusions as well as rogue insiders.
Identity and Access Control
Identity and access management (IAM or IdM) technologies help protect personal information from unauthorized access while facilitating its availability to legitimate users. They include authentication mechanisms to verify identity and to ensure that only valid users can connect to an organization’s systems; access controls that determine which resources and data a user is allowed to use and in what ways; and provisioning systems and management technologies that help organizations manage user accounts across multiple systems and with partners they trust.
Information Protection
As confidential data is shared within and across organizations, it requires persistent protection from interception and viewing by unauthorized parties. Organizations must ensure that their databases, document management systems, and practices correctly classify and safeguard confidential data throughout the lifecycle.
Classifying data and files
Protecting information through encryption
Protecting data through the information lifecycle
Auditing and Reporting
Organizations can use technologies for systems monitoring and compliance controls. Such technologies verify that system and data access controls are operating effectively and assist in identifying suspicious or noncompliant activity. They can also help ease the systems administration burden and reduce troubleshooting planning. Capabilities include:
Harmonizing compliance requirements across IT processes
Selecting activities that enable automation of data governance compliance and produce proof of that compliance
Detecting and reporting on misplaced data by performing routine sweeps using automatic file classification