CIOs and others responsible for corporate technology initiatives are challenged to gain control of the ever-expanding amount of data available today. The Taming Big Data series of articles focuses on a solution that builds a sustainable model to keep up with such changes.
The solution I propose is to formalize the enterprise information management (EIM) program -- if there is one -- since an EIM program allows a company to provide accurate and consistent information to all of its resources (employees, computer databases, etc.), allowing them to perform their jobs more effectively.
A key objective of the EIM program is to transform the vast amount of information collected every day into a strategic advantage. To this end, CIOs seek a tactical solution where benefits can be realized early and then worked into the overall enterprise information strategy. One approach to starting this journey is to look at information life cycle management (ILM). ILM is the process of managing specific data assets of an organization from creation to disposition.
The five areas of ILM to be addressed include data usage, creation, retention, availability and maintenance. This article will focus on the importance and best practices of the fourth phase: availability.
If you have followed our series over the past three months, you should be in a position to understand how information assets are used, created and retained (see Taming Big Data Part I: Usage, Part II: Creation, and Part III: Retention). You are now in a position to move to the fourth phase, the availability of data.
Understanding the accessibility requirements and constraints allows you to confirm standard operating procedure (SOP) metrics and set user expectations. The primary EIM subcomponents referenced during this phase include communication, data quality and security. The availability phase addresses the frequency, latency and accessibility requirements for specific information assets, with the aim of gaining a clear understanding of when data is available and of the maturity of the data.
It is critical that the business, technology and EIM program management resources work together to implement a solution that validates the requirements. A common theme in all of these phases is that collaboration is required to minimize risk. The business workgroup members understand the company’s core competencies and can best assess the needs of the organization, while the technical workgroup members support the business by providing tools that people in the organization can use to perform their jobs effectively. EIM program management structures the project, defines the goals and outcomes, facilitates the workgroup interactions and formally submits recommendations to the governance review board.
Collaboration is most effective when individuals are clear about their workgroup roles and the goals of the initiative. During this second phase, you should focus on studying and maturing the business processes and technical maintenance procedures used to source important information assets. During this phase the business workgroup members are responsible for:
- Defining the access requirements (who needs what data and when);
- Defining the access model and data sensitivity levels (who can access what data and when); and
- Prioritizing the reports, extracts and other user requirements.
The first step for business workgroup members is identifying those in the business community responsible for defining and making the information assets available to customers. These data owners have ultimate responsibility for the data and play a major role in deciding who has access to the data.
The business integrated workgroup members work with the data owners and other key stakeholders to determine the user access model, which will be used for security model development. Secondly, the workgroup members work with the data owners to determine the sensitivity level of the information assets.
The classification of information by sensitivity level may be as simple as public and private confidential, or it could have more than six levels, as typically used by government organizations. The workgroup members are responsible for formally identifying the company’s standard classification levels and the supporting policies and procedures.
Along with the standard classification come supporting policies and procedures. These should be developed to determine how information will be labeled, handled, stored, backed up, and disposed of. Finally, these workgroup members are responsible for determining and prioritizing the information assets provided to customers. This includes reviewing and preparing standard service level agreements and interface control documents with each customer, and prioritizing the list of reports and extracts for internal decision-making purposes.
The technical workgroup members are responsible for:
- Assessing the data sources and receipt latency;
- Determining the process latency;
- Assessing cost for supporting extracts and customer reports; and
- Developing the security model.
The technical team is responsible for helping to prepare the communication stream regarding the latency and, most importantly, developing the security access model (SAM). The work starts by capturing the various forms of latency of the information assets that are of highest priority to the business. Understanding and communicating process latency helps in establishing expectations and constraints of the information asset system. For example, if a source system provides a monthly feed of data on the first business day of the month, one may assume that it was for the previous month.
Typically, each of the external source systems also goes through a quality control checklist, which may take days. This same source may only provide data from two months prior. Understanding this latency helps the company determine whether the SLA to its customers can be met or must be adjusted.
Communicating this is most important because it helps reduce the number of requests to the technical team and remediates the perception of lower quality caused by perceived inconsistencies in the information being reported. The technical team can then focus on the internal latency and create a process that monitors ways of improving this part of the process.
The other work required of the technical workgroup members is the assessment and modification or development of the security access model. According to the ISC2 CBK, this includes physical access, computer security, telecommunications, and public policy. Within these four areas certified professionals are trained to assess over 11 standard areas.
The breadth and depth of the assessments depend on the type of information captured, the level of security required, and the company’s resource constraints.
The EIM program management workgroup members are responsible for:
- Identifying the best people who understand end user needs and latency constraints;
- Developing the facilitated session agendas and outcomes; and
- Finalizing the specific project deliverables.
The SAM is one of 10 components required for a company to minimize the risk of inappropriate exposure and use of its information assets. This requires a security professional on staff to lead the assessment and remediation of corporate information asset security risks. The project management workgroup members are responsible for establishing the correct workgroup member team for each of the phases discussed in the Taming Big Data series.
Although a representative of the security team could be one of the members in the other phases, it should be a requirement for this phase of the program. In any phase where the security team does not have a full-time member, the project management group becomes responsible for making sure the appropriate meetings with the security team are established.
The purpose of these meetings is to have the security team review and take part in development activities before the results are presented to the governance council (which will have a security officer as part of the decision-making process). The earlier security is involved in the program, the better it is for the company.
Credentialing is helpful in securing a resource with the depth of knowledge the organization requires (i.e., at least one CISSP preferred). The level of effort expended in this area is never enough. It can differ significantly depending on the size of the organization, the industry and the type of information captured. During this phase, the project management members play a critical role in facilitating both the integrated workgroup sessions and critical subgroup sessions with the business owners and key security personnel.
A successful project is one with clearly defined deliverables: access requirements, SAM, SLAs, and review cycles and performance metrics. Success in this project will also be measured by the level of confidence customers and employees have in the company to secure and make the appropriate information available in a timely manner.
Metrics can be developed for periodic reviews to continuously monitor and improve this area. Once the project is completed, the company is well positioned to complete the final area: finalizing the appropriate maintenance procedures that will support the information systems.
Stephen Boschulte, MBA, PMP, CISSP, is a senior information management strategist. He has over 14 years’ experience working with more than 20 Fortune 500 companies and small organizations. Mr. Boschulte is the author of "A Practical Guide for Implementing an EIM Program" and can be reached at firstname.lastname@example.org.