
IBM uses model to understand data governance

By Rob Westervelt, News Editor
21 Mar 2007 | SearchSecurity.com

Security Wire Daily News

Steven Adler, program director of Data Governance Solutions for IBM and chairman of the Data Governance Council, has been working to understand the growing need for data security, the issues surrounding data compliance and data protection problems. In this Q&A, Adler talks about the Data Governance Council's new data governance maturity model. He describes how customers can use the model to conduct a self-assessment to get more control over the mountain of data growing in most organizations. Finally, he explains why data breaches have been occurring at an increased rate in recent years.

What have been some of the results of the Data Governance Council?
Steven Adler: The council was formed in November of 2004. It was formed because a lot of organizations recognize that data is one of the most valuable assets that companies have. Companies increasingly are looking at how you manage that information and how you make it free. Lots of IT departments are trying to find ways to get more information out to more individuals, standardizing the way they write information, whether it's structured or unstructured data, audio or video. Everybody wants to get ideas out into the marketplace. But people recognize that when you aggregate that information, when you combine it with lots of different stove-piped databases across the organization, it used to be protected by the very nature of the proprietary database format that was used. The data is not just valuable to the organization. It's valuable to lots of people that you don't want to give access to. It also creates lots of new complicated social responsibilities about how an organization governs an effective appropriate use of that data. It's too big of a job for one group in an organization. We saw the need for a more participatory governance framework for different parties in an organization to work together and resolve issues. The Data Governance Council has 45 organizations that are looking at just that.

Are these mostly vendor partners participating?
Adler: They're actually about 25 IBM customers, including 12 vendor partners and three universities. It's a very diverse group. Many of them are very large banks, credit card companies, telecommunications organizations, retailers, some public sector governments.

Just to get a better understanding of the goal of the group, does IBM use it to fill white spaces in its product portfolio? Is it about developing standards or creating interoperability between vendor partners and IBM?
Adler: In the beginning it was just to understand the space. Our customers were coming to us and saying "we've got a complex new field here. We see regulatory compliance, we see security issues, we see data privacy and data protection issues, we see data quality issues, and we see data management." We've got all these different stove pipes in the organization and they're not talking to each other. We recognize that there is this new space that combines all these different disciplines. Data is an enterprise asset and everybody has to be involved to figure out how to leverage it to its potential and yet protect it. As the group got to know each other, the group began to realize that the group had a unique opportunity to influence how the field developed. A lot of the organizations felt that this would be an important opportunity to help identify different levels of maturity in data governance.

What's the status of the maturity model?
Adler: We started working on the maturity model last year. It's a very big model. It has 11 categories and five levels of maturity for each category and lots of content in each area. Between members in the council and IBM, there are probably close to 70 people working on this maturity model. There's a tremendous amount of passion in this group. We've transformed it into an assessment because a maturity model is a benchmark so you can use it to conduct an internal analysis. We have had members assess themselves using the model in October and after that experience we felt that while it isn't perfect yet, it's really good.

Is there any way for enterprises to use this model?
Adler: When we felt like we had a stable and standardized model, we decided that it would be appropriate to start sharing it with the rest of the world. The first thing we did was take the lessons we learned from working with the council developing the model and we transformed it into a formal assessment offering which we announced in December. It was the first product that was delivered from this council. Now other organizations that want to take advantage of this work can come to IBM Global Services and get a data governance assessment. The second step will come later this year as we start rolling out some white papers and descriptions of the rest of the maturity model.

Are companies saving too much data or failing to understand the valuable data versus the data that doesn't need to be stored?
Adler: That becomes a retention issue. It's another area of data governance that's information lifecycle management and figuring out how long data should be retained. It's becoming a growing concern for many companies. A lot of organizations back up everything and they don't know from their backups how long they need to save it.

Is this why we're seeing more data breaches today?
Adler: I think we're seeing more data breaches because we've got more data. I think it's because our entire economy is changing today. Between 30 million and 48 million Americans work at home. Large portions of the employee population travel a great deal. When they travel around the world they carry BlackBerrys and cell phones and PDAs and laptops that contain hundreds of gigabytes of data. This is only going to increase. We're going to start seeing portable drives with terabytes on them. That proliferation of data creates increased exposures and increased opportunities for loss. It only increases the obligation of an organization to control those losses and mitigate them. You've got to be in a position where you can analyze past behavior, consider present circumstances and forecast future losses and prevent them.


Tags: Enterprise Data Governance; Enterprise Risk Management: Metrics and Assessments; Business Management: Security Support and Executive Communications
