Aujas Networks Private Limited

Newsletter
Editor's Note
Nitin Kumar, Chief Executive Officer - US & Europe

Dear Reader,

Welcome to the International edition of our newsletter “Guardian – News & Views,” an initiative by Aujas to spread awareness among industry leaders on best practices and emerging trends in the Information Risk Management (IRM) space.

In this edition we bring to you an article on “Data Governance: The Convergence of Security and Quality” and a brief report on “Information Risk Management in Technology Companies”.

I hope you will enjoy the articles and information we have put together in this issue and look forward to your feedback and ideas. Please feel free to write to us at contact@aujas.com.

With Warm Regards,
Nitin Kumar
CEO - Americas and Europe

Guardian – News & Views
Data Governance: The Convergence of Security and Quality

The volatile business environment and the increasing amounts of data involving customers, intellectual property and competitive advantage guarantee, without a doubt, that data is valuable and serves as the foundation for the current information-driven economy. With data becoming an organizational asset with a greater impact on the balance sheet, businesses are looking for more ways to protect information. To control and monitor the risks around this data explosion, organizations often use a one-size-fits-all approach: lumping all the data together and building a secure wall around it. However, this method is risky, as not all data have the same value and not all controls can effectively prevent fraud. Further, this model leads companies to overprotect lower-risk, lower-value data and underprotect high-value information such as bank account details, personal information, trade secrets and intellectual property.

Savvy businesses leverage data governance techniques to add value to the bottom line. By enabling the right people to get the right information at the right time, the entire organization is able to seize new opportunities rather than simply reacting to threats. It then becomes crucial to know where the data resides and what it is worth, and to calculate the probability and cost of a breach. Effective data governance can improve overall data quality, integrity, availability and confidentiality, as well as the governing principles for accessing and protecting the data.

When do you need data governance?

Governing data today is an organizational responsibility, particularly when information complexity extends beyond structured customer data. Organizations require access to and control over various kinds of data, including unstructured content, corporate secrets, financial data and records, among others. In this context, accuracy, access, availability and agility of data are the important aspects to consider.

Using disparate, outdated and inaccurate data in a company’s information network will lead to incorrect and incomplete results, in turn jeopardizing decision-making processes. Information accuracy has three major attributes that lead to business risk: correctness, timeliness and completeness of information. While these are intertwined, their impact varies depending on the business process, which in turn affects management, staff, customers, partners, suppliers or regulators. Common causes of inaccurate and inconsistent information include lack of skills, manual data entry, unwieldy identifiers, and lack of verification around data migrations or data entry. Applying data governance principles, training and awareness, policies and procedures, along with a risk-intelligent culture in the organization, will mitigate accuracy issues.
Occasionally, companies may have multiple data sources and scattered information that severely limit access to data. This results in poor or delayed decision making and additional time spent obtaining the information. Access risks may also include a hacker gaining access, a violation of policy, or a so-called intrusion attempt. But there is a lot more to access risk than just breaking into the system, and the impact varies by industry. In financial services, for example, leakage of sensitive credit card data is a financial and business risk; in healthcare, loss of personally identifiable information could result in regulatory action; and in media and entertainment, a company's revenue model could be jeopardized by physical and digital piracy. As the complexity of a business increases, so does the need for sophisticated controls that help manage and mitigate these risks while increasing efficiency and keeping costs down.

Uncontrolled risks such as pandemics and natural disasters, as well as more mundane issues such as system age, technical quality and vendor support, can reduce the availability of IT systems and the business processes they support. This is known as availability risk, and it requires a business continuity plan with clear recovery procedures. Risk controls such as backups, recovery sites, manual workarounds and workforce skill levels are among the factors that should be addressed to ensure business processes recover after an outage.

Agile data is critical for proper coordination and collaboration between multiple departments. Without visibility into data movement and management, both access to and the quality of data will remain limited. Companies may have to consult multiple data points and use different programs, increasing the time and cost of obtaining a single piece of information.

How do you achieve successful data governance?
  • Analyze: The first step in a successful data governance program is identifying the correct leadership and handing over the responsibility to initiate data governance strategies. The team then needs to establish strong guidelines and inventory current practices across different departments. This helps benchmark the company’s present data governance program and helps create a roadmap to determine where the program should lead in the future.
  • Design: The results from the data governance survey should be used to determine the focus of the data governance strategy, namely the level of security and data quality required. A data governance program that reflects these standards and policies is then put in place. Finally, to maintain data quality, data stewards that manage integrated definitions, structures, calculations, derivations and interpretations of data are identified.
  • Transform: Every company must train its employees on how data could be compromised and disclosed, in order to avoid it in the future. While enacting the data governance program, the company should create awareness about its mechanisms and tools. Effective data governance will enable a company to analyze past events, forecast future losses and improve mitigation strategies.
  • Sustain: As companies change rapidly, data value and risk also shift correspondingly. Companies must be able to monitor and adjust key metrics to meet new demands, and ensure accountability and ownership through periodic review.

In conclusion, companies must govern data usage and management by documenting and implementing organizational best practices and using technology that supports the decision making process. With high profile data breaches becoming frequent, safeguarding and maintaining data will not only satisfy regulatory requirements but also reassure customers and drive new business opportunities. Furthermore, data governance is much more than securing data. It’s a new discipline that redefines the value of data and governs how a company can use data to benefit and protect itself.

Information Risk Management in Technology Companies

Information technology companies contribute significantly to economic growth as businesses expand and go digital. The dynamic business environment is changing the way people do business, resulting in a rapidly evolving IT industry. However, despite the role they play, IT companies are not as tightly regulated as companies in traditional sectors such as financial services, healthcare, energy or telecom.

Information Integrity

Yet technology companies often find themselves victims of cyber crimes such as loss of intellectual property and access violations, among others. Even technology giants have been subjected to cyber attacks. In an example of unauthorized access, Google Inc. had to remove paid advertisements linked to some 20 search terms that online criminals had hijacked to steal banking and other personal information from users. Another recent incident occurred at Apple Computers, where one of its supply chain executives was charged with receiving up to a million dollars in return for offering company data to several external parts suppliers. While Apple did end the data misuse, valuable data would not have been at risk of being compromised if better security systems and data protection protocols had been in place. Clearly, information risk needs to become integral to the way IT companies operate.

Secure Development
IT companies also need to be cognizant of information risk when developing applications and products. Secure development methods must be adopted from the early stages of the development lifecycle rather than being treated as an afterthought. Most development organizations think about managing risk in the SDLC only during the testing stage, by which time it is too late. When security or privacy related incidents occur, or regulations prompt rigorous testing, the result is very often re-engineering or massive changes to the software. The re-engineering costs are usually as high as, or higher than, the original development costs, resulting in extra time, effort and money.

Therefore, greater attention has to be paid to managing information risk during the design and development process. This leads to a shorter testing phase and can avoid re-engineering efforts altogether.

An added dimension when developing any software, especially software involving privacy, is the distribution of and access to Personally Identifiable Information (PII). PII refers to any kind of information that can uniquely identify or locate a person, and hence needs to be treated with the utmost care.

When information is at risk, technology companies are susceptible to threats that can severely impact their ability to respond and deliver quality outcomes. It is therefore imperative for IT companies to design and test applications with the risks around availability, accuracy, access and agility in mind.