
CASTLEBRIDGE ASSOCIATES

Standards Frameworks
and Information Quality
Extracted from Chapter 3 of Defining and
Executing an Effective Data Quality Strategy
Daragh O Brien

This extract from my 2008 Industry Report Defining and Executing an Effective Data Quality Strategy
(published by Ark Group) examines the role of Information Quality in relation to a number of, at first
glance, competing strategic governance standards – specifically ISO27002 and COBIT.

© 2010, Daragh O Brien.


Standards Frameworks

Another key driver of Information Quality is the emergence of standards frameworks for a
variety of IT related functions in your Business which either expressly or implicitly require
the quality of information in your organisation to be managed. While Information Quality
may not be the expressed objective of many of these standards, the only effective way to
ensure and assure compliance is to effectively manage Information Quality in your
organisation, if only for a defined information group.

It is also important to remember that while certain standards may be implemented by the IT
function in the organisation, the challenge of managing the quality of the information that
evidences how the organisation meets those standards requires both Business and IT to work
together to ensure that the information meets or exceeds the expectations of the standards and
to ensure compliance with those standards.

In addition, for organisations wrestling with multiple, potentially competing, requirements to
comply with different standards it is valuable to highlight the common thread of requirements
for the control and improvement of Information Quality that can be found in a variety of
standards today. Unfortunately the nature of this report precludes an exhaustive analysis of all
possible relevant standards and their possible Information Quality elements. To that end, I
have selected just two for specific discussion and will make reference to the emergence of
specific International standards for Information Quality practices.

ISO 17799:2005 (aka ISO 27002:2005)

About the Standard

ISO 17799:2005 is an information security standard published by the International
Organization for Standardization (ISO) and the International Electrotechnical Commission
(IEC) and is based on a pre-existing British Standard, BS 7799-1:1999. In July 2007 the ISO
17799:2005 standard was renumbered by the ISO to bring it into line with other related
standards. The current official designation for the standard is ISO 27002:2005 and this is the
reference that will be used throughout this report.

The standard provides ‘best practice’ recommendations for Information Security
Management across a number of headings:

1. Risk Assessment
2. Security policy - management direction
3. Organization of information security - governance of information security
4. Asset management - inventory and classification of information assets
5. Human resources security - security aspects for employees joining, moving and
leaving an organization
6. Physical and environmental security - protection of the computer facilities
7. Communications and operations management - management of technical security
controls in systems and networks
8. Access control - restriction of access rights to networks, systems, applications,
functions and data
9. Information systems acquisition, development and maintenance - building security
into applications
10. Information security incident management - anticipating and responding appropriately
to information security breaches
11. Business continuity management - protecting, maintaining and recovering business-
critical processes and systems
12. Compliance - ensuring conformance with information security policies, standards,
laws and regulations

The Information Quality Perspective

There are distinct overlaps between Information Quality objectives and the guidelines in ISO
27002:2005, particularly with regard to the requirements in Sections 3, 4, 5, 8, 9 and 12.

In order to achieve many of the objectives of the Information Security standard, organisations
inevitably need to address the completeness, consistency, timeliness and accuracy of
information about their information assets, systems, users, system access rights etc. In
addition, adequate governance and controls need to be in place to ensure Information
Security. Many of these Governance objectives are complementary to or directly parallel the
Governance requirements for Information Quality.

We will now examine in more detail some of the more salient points of overlap between the
Information Quality Agenda and ISO 27002:2005.

Asset Management – Inventory and Classification of Information Assets

ISO 27002:2005 recommends that organisations conduct an inventory and classification of
the information that they manage with a view to ensuring that all information maintains an
appropriate level of protection.

If approached from a pure “IT” perspective, these inventories of Information Assets risk
becoming focused purely on the question of what servers and systems do you have in your
organisation and who uses them. This may not address adequately the questions of what
information is held on those systems, where it comes from, what it is used for and who uses
it.

As we will see later in this paper when we look in detail at some methodologies for
Information Quality, understanding the important Information ‘groups’ that your organisation
manages, the key Information Assets in your organisation, is an important first step in
Information Quality improvement.

From an Information Quality perspective, the inventory and classification of Information
Assets starts with the question “What are the things we need to know about to run the
Business?” From there you can drill into identifying where your Customer data resides in the
organisation (is it one system or multiple systems), where your Product information is
created, stored and who can access it etc.

It could be said that the deliverable of this type of Inventory would be to answer the Row
1/Column 1 requirements of the Zachman Framework and provide key inputs for answers to
some of the other Row and Column intersections.

From an IT Security perspective, the objective of conducting the inventory of Information
Assets is to allow you to identify and prioritise what information needs to be protected and
where. Once you understand where the information is, how it could be accessed and whether
that access is controlled, then you can assess the costs and risks of Information Security better.

From an Information Quality perspective, the same information can be used to identify which
information groups (e.g. ‘Customer Information’, ‘Product Information’, ‘Order-to-Cash
Process Information’) your organisation is managing, where that information is held and
which information groups are likely to carry the greatest cost and risk of non-quality
information.

Human Resources Security Aspects and Access Control

Under ISO 27002:2005, there are a series of guidelines around the Information Security
aspects for employees joining the organisation, leaving the organisation or being moved
around within the organisation.

Ultimately, this raises Information Quality issues such as:

• Correct spelling of names or format of names
• Timeliness of Staff Number information (where that is required to issue logins etc)
• Timely notification of employee hires, fires and promotions/transfers so that system
access rights can be created, amended or deleted as required.

From an Information Quality perspective, the Security expectation is a key Information
Consumer expectation that needs to be met with Human Resources information. Security
Officers in organisations need to know that when they elect to kill the access rights to
systems for employee “Daragh O Brien” on his departure, that employee doesn’t also
have logins or remote access credentials under the names “Darragh O’Brien”, “Dara
O’Brien”, “Darach O’Brien” or “Dara Ó Briain” (all of which are perfectly valid alternate
spellings of my name).

Likewise, employees are entitled to expect that their systems access rights will not be
curtailed because the HR department spelled their name incorrectly and it didn’t match the
name associated with the system login. For example, suppose you have a team member called
Rachael (please note the spelling) and you had submitted system access requests using the
correct spelling of her name. Would it impact your team’s productivity if her access to a key
system required for her job was curtailed because HR had misspelled her name as “Rachel”
and as such there was no ‘match’ on a straight character-for-character comparison between the
particular system access lists and the HR ‘Active employees’ list? Would it be particularly
irksome if it transpired that Rachael had been trying to get the spelling of her name corrected
on the HR system but it had not been actioned?

By ensuring appropriate controls on the quality of Information in HR processes, security of
information can be assured in a manner that reduces the impacts of errors on employee
productivity.
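The joiner/mover/leaver reconciliation described in this section is easy to get wrong when it relies on a character-for-character name match. The following is an added example, not code from the report or from Castlebridge Associates, showing one way a defender can reconcile a system access list against the HR active and leaver lists: join on staff number where it exists, fall back to an accent- and punctuation-insensitive name comparison where it does not, attribute every login found for a leaver so all of them can be disabled, and route fuzzy matches and ownerless accounts to a person for review rather than acting on them automatically. All names, staff numbers, logins and the 0.85 similarity threshold are constructed for the illustration and are not values from the report.

```python
# Added illustration (not from the report): reconcile a system access list against
# the HR "active employees" and "leavers" lists without relying on a
# character-for-character name match. All data below is constructed.
import unicodedata
from difflib import SequenceMatcher

# Constructed HR extracts. The staff number is the intended join key; the
# name is only a fallback for accounts where no staff number was recorded.
HR_ACTIVE = [
    {"staff_no": "1001", "name": "Rachael Byrne"},
    {"staff_no": "1002", "name": "Tomás Ó Sé"},
]
HR_LEAVERS = [
    {"staff_no": "1003", "name": "Daragh O Brien"},
]

# Constructed system access list. Note the spelling, accent and punctuation
# drift relative to HR, and the accounts with no staff number recorded.
SYSTEM_ACCESS = [
    {"login": "rbyrne",    "staff_no": "1001", "name": "Rachel Byrne"},     # spelling differs from HR
    {"login": "tose",      "staff_no": None,   "name": "Tomas O Se"},       # accents dropped, no staff no.
    {"login": "dobrien",   "staff_no": "1003", "name": "Daragh O Brien"},   # leaver's primary login
    {"login": "dobrien2",  "staff_no": None,   "name": "Darragh O'Brien"},  # leaver's second login
    {"login": "svc_batch", "staff_no": None,   "name": "Batch Service"},    # nobody in HR owns this
]


def normalise(name: str) -> str:
    """Lower-case, strip accents (Ó -> O) and drop apostrophes, spaces and hyphens,
    so that 'Dara Ó Briain' and "Dara O'Briain" compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(c for c in no_accents.lower() if c.isalnum())


def similarity(a: str, b: str) -> float:
    """Similarity of two names after normalisation, 0.0 to 1.0 (difflib ratio)."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def reconcile(hr_active, hr_leavers, access, threshold=0.85):
    """Classify every account on the access list.

    Returns {login: (status, staff_no_or_None, score)} where status is one of
      'exact'    staff number matches an active employee
      'leaver'   staff number, or a name above the threshold, matches a leaver
      'probable' no staff number match, but the name is above the threshold
                 against an active employee (to be confirmed by a person)
      'orphan'   no plausible owner in HR at all
    The threshold is an assumption for this illustration, not a standard value.
    """
    active_by_no = {e["staff_no"]: e for e in hr_active}
    leaver_by_no = {e["staff_no"]: e for e in hr_leavers}
    results = {}
    for acct in access:
        staff_no = acct["staff_no"]
        if staff_no in leaver_by_no:
            results[acct["login"]] = ("leaver", staff_no, 1.0)
            continue
        if staff_no in active_by_no:
            results[acct["login"]] = ("exact", staff_no, 1.0)
            continue
        # No usable staff number: fall back to name similarity against both lists.
        candidates = [(similarity(acct["name"], e["name"]), e["staff_no"], "leaver")
                      for e in hr_leavers]
        candidates += [(similarity(acct["name"], e["name"]), e["staff_no"], "probable")
                       for e in hr_active]
        score, who, status = max(candidates, default=(0.0, None, "orphan"))
        if score < threshold:
            status, who = "orphan", None
        results[acct["login"]] = (status, who, round(score, 2))
    return results


def logins_to_disable(results):
    """Every login attributed to a leaver, including ones found only by name."""
    return sorted(login for login, (status, _, _) in results.items() if status == "leaver")


def logins_for_review(results):
    """Accounts a person must look at: fuzzy matches and accounts with no HR owner."""
    return sorted(login for login, (status, _, _) in results.items()
                  if status in ("probable", "orphan"))


if __name__ == "__main__":
    res = reconcile(HR_ACTIVE, HR_LEAVERS, SYSTEM_ACCESS)
    for login, (status, who, score) in res.items():
        print(f"{login:10} {status:9} staff_no={who} score={score}")
    print("disable:", logins_to_disable(res))
    print("review: ", logins_for_review(res))
```

With the constructed data, "Rachel Byrne" is matched to Rachael through the staff number despite the misspelling, the leaver's second login "Darragh O'Brien" is attributed to him by normalised-name similarity and lands on the disable list alongside his primary login, and the service account with no HR owner is surfaced for review. The design choice worth keeping is that a name match never disables anything on its own: staff-number matches drive the automated action, and every name-only decision is handed to a person.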

Compliance

ISO 27002:2005 contains some best practice guidelines for compliance with other regulations
etc. As already identified, Compliance is a key driver for the renewed interest in Information
Quality amongst organisations. Whether it is a need to comply with the “Accuracy”
requirements of European Data Protection regulations, or with Sarbanes-Oxley or Basel II, as
we have already discussed there is a clear role for quality management of Information in
achieving Compliance objectives.

Conclusion
There are clear overlaps and parallels between the drivers for Quality Information and the
practices necessary to meet the standards required by ISO 27002:2005, formerly known as
ISO 17799.

While some organisations may view their Information Security objectives as being distinct
from their Information Quality requirements, in reality there are sufficiently strong inter-
dependencies between the two sets of objectives to suggest that they are at worst parallel
programmes which could benefit from sharing tools, techniques and experiences. Application
of Information Quality Management principles and methodologies to ISO 27002:2005
compliance initiatives will improve the quality of the deliverables and will help to better
ensure and assure the security of your information. Likewise, approaching Information
Quality strategy with an understanding and awareness of the role of Information Security as a
stakeholder and potential ally will likewise benefit the execution of the Information Quality
strategy, not least because it will not appear to be yet another ‘fad’ programme to distract
people from their ‘real’ jobs.

COBIT Framework
The COBIT Framework (Control Objectives for Information and related Technology) is a set
of best practices for information technology management created by the Information Systems
Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). COBIT
provides managers, auditors, and IT users with a set of generally accepted measures,
indicators, processes and best practices to assist them in maximizing the benefits derived
through the use of information technology and developing appropriate IT governance and
control in a company.

The COBIT framework is built on four main strategic domains:

• Plan and Organise
• Acquire and Implement
• Delivery and Support
• Monitor and Evaluate

Within each of these domains there is a sub-set of high level control objectives to be
addressed. Each of these control objectives addresses a specific component of Information or
Information Technology management which needs to be addressed in some form to ensure
adequate and effective control of Information and its related Technologies. These high level
control objectives are illustrated below.
Table 1: COBIT Framework High Level Control Objectives
Plan & Organise
PO1 Define a Strategic IT Plan and direction
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organisation and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire and Implement

AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Delivery & Support

DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor & Evaluate

ME1 Monitor and Evaluate (IT) Processes
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

Much like ISO 27002:2005, the COBIT Framework is not a standard per se but is a defined
set of recommended best practices to achieve high standards in the control and operation of
Information and Information Technology. Also, COBIT and ISO 27002:2005 are not
incompatible; rather they are complementary Best Practice frameworks, with the ISO
standard focussing on the specific challenges of securing information, which relates directly
to the COBIT DS5 objectives (Ensure Systems Security).

The Information Quality Perspective

From the perspective of Information Quality, it is interesting to note that within the name of
the framework there is a clear distinction between Information (the „asset‟ being managed)
and “related Technology” (the tools used to manage the Asset). A number of commentators
have highlighted that, while COBIT only explicitly mentions information quality as one item
in the midst of a number of Data Management recommendations published with the
Framework, the implication is that if you do not address data quality then you will not
achieve your control objectives. In the words of Cass Brewer of the ITCi:

“CobiT’s pert reference to data quality at level 0 in its maturity model essentially says that
without data quality you’re nowhere, whatever your other data management controls.”1

Looking at the various control objectives within COBIT, it is clear that a number of them are
dependent on good quality information (or at least an understanding of the poor quality of
your information) in order for your organisation to achieve them. I have selected some of the
High Level Control objectives and have mapped the Information Quality component of each
of them in Table 2 below. This mapping is not exhaustive and further correlations can be
found between the COBIT Framework and Information Quality Management.

Table 2: Example mapping of COBIT Control objectives to Information Quality

Control Objective: Information Quality Component

PO8 (Manage Quality): This is self-explanatory. In order to manage the quality of your IT
processes you need to manage the quality of the information that is consumed and produced
by those processes.

PO10 (Manage Projects): As we have already seen from our discussion of the failure rates of
Data Migrations, understanding the level of information quality in your organisation and
actively planning how to manage the Project (and operational) risks associated with it is a
key challenge for most organisations.

AI1 (Identify Automated Solutions): Automation of a process which is either accepting or
creating poor quality information will result either in a breakdown of the automated solution
or a backlog of exceptions which will need to be manually addressed. Understanding the
levels of Information Quality and the root causes of non-quality allows for better
implementation of appropriate automated solutions.

DS11 (Manage Data): In managing Data it is appropriate to manage the quality of that data.

ME3 (Ensure Regulatory Compliance): In order to ensure Regulatory Compliance, in many
cases organisations will produce compliance reports and reporting on the operation of
controls that seek to identify defects in their information that might give rise to a Regulatory
breach (e.g. customers being billed for services they do not have). Organisations that
understand this to be a form of Information Quality monitoring often move to proactive
prevention of Regulatory breach as opposed to reactive ‘scrap and rework’.

Conclusion

While the COBIT framework does not expressly mandate the management of Information
Quality, the reality is that to achieve many of the High Level Control Objectives set out by the
Framework, organisations do need to address their management of the quality of their
information.

1 Brewer, Cass, Dissociative Disorder: Compliance, Data Quality, and Cognitive Dissonance,
http://www.tdwi.org/Publications/display.aspx?id=8125, 2007/09/29, last accessed 2007/12/29 @13:46 GMT.

As we will see when we look at some of the methodologies for Information Quality
Management, there are also overlaps between many of the Control objectives and key steps
that are recommended by some ‘gurus’ to develop a robust Information Quality Management
capability in your organisation.

Emerging ISO Standards for Information Quality

The ISO has commenced work on a new standards set for Information/Data Quality under the
auspices of the ISO/TC184/SC4 Standards Committee. This committee has authorized the
WG13 (Working Group 13) that is developing these standards. Currently the draft standard is
ISO 8000, a standard for industrial data quality. The IAIDQ (International Association for
Information & Data Quality), the leading professional organisation for Information Quality
Practitioners, is a Category A Liaison to the ISO/TC184/SC4 committee.

Work is continuing on this standard and readers should check the ISO website (www.iso.org)
for further information.

Conclusion

Many of the standards selected for discussion in this paper are primarily IT focussed.
However, this should not be taken to mean that Information Quality is an IT issue. This is far
from the case. Indeed, one of the leading thought leaders in the field, Tom Redman, has this
advice for IT professionals tasked with improving Information Quality:

“If you are in IT and you are tasked with fixing data quality in your organisation, get out. Get
out of IT and go to work in the Business because that is where you can make the necessary
changes.”2

What this highlights is that for the Enterprise, the organisation as a whole, to achieve its
objectives of Compliance through the pursuit of various standards or frameworks,
Business and IT need to work together to address the issues raised by poor quality
Information and poor Information Quality Management. This requires more than just
recognition within the Information Technology strategic plan that Information Quality is an
important element of achieving these high standards and high level Control objectives. It
requires an acceptance within the Business that to achieve these improvements they must lead
the change.

While there are a number of different standards frameworks and objectives that might be met,
ultimately there is a common ‘foundation’ that links them and that is the need to ensure good
quality information in the operation of Business (and IT) processes.

2 Response given in answer to a question about the ability of IT to lead Information Quality change at the 2007
IDQ Conference in Las Vegas.

Figure 1: Information Quality as a key Foundation discipline

Organisations that recognise the significant foundational role of good quality Information in
the context of other Best Practice frameworks or regulatory requirements that they are
seeking to meet will inevitably achieve improved synergy between the requirements of each
standard and framework. Furthermore, compliance with these frameworks and standards will
be seen as a value-adding function as the quality of information in the organisation improves,
reducing costs associated with process failure, rework and compliance risks, and improving
profitability in the organisation.
